Windows Analysis Report
jqXe6tttFa.exe

Overview

General Information

Sample name: jqXe6tttFa.exe
renamed because original name is a hash value
Original sample name: fd32cec288cec4f16dc5430cf86dc17e1d4cf941d635979fc17a59c8d6d83d44.exe
Analysis ID: 1428504
MD5: c7cfaca6501361febe27a6b3e66a61bf
SHA1: 55a3414b9668596e120139a059db91a306281dcc
SHA256: fd32cec288cec4f16dc5430cf86dc17e1d4cf941d635979fc17a59c8d6d83d44
Infos:

Detection

Povlsomware, RansomeToad
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Povlsomware Ransomware
Yara detected RansomeToad Ransomware
Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS)
Infects executable files (exe, dll, sys, html)
Machine Learning detection for sample
May encrypt documents and pictures (Ransomware)
Modifies existing user documents (likely ransomware behavior)
Overwrites Mozilla Firefox settings
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification

Classification

Name: Povlsomware
Description: According to Trend Micro, Povlsomware (Ransom.MSIL.POVLSOM.THBAOBA) is a proof-of-concept (POC) ransomware first released in November 2020 which, according to its GitHub page, is used to securely test the ransomware protection capabilities of security vendor products.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.povlsomware

AV Detection

Source: jqXe6tttFa.exe ReversingLabs: Detection: 83%
Source: jqXe6tttFa.exe Virustotal: Detection: 81%
Source: jqXe6tttFa.exe Joe Sandbox ML: detected
Source: unknown HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.33.134.2:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.33.134.2:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: jqXe6tttFa.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: BTR.pdbGCTL source: mpengine.dll0.0.dr
Source: Binary string: KSLD.pdb source: mpengine.dll0.0.dr
Source: Binary string: MpUpdate.pdbGCTL source: MpUpdate.dll.0.dr
Source: Binary string: MpAzSubmit.pdb source: MpAzSubmit.dll.0.dr
Source: Binary string: MpCmdRun.pdbGCTL source: MpCmdRun.exe0.0.dr
Source: Binary string: C:\Users\Thomas\Desktop\Povlsomware-master\Povlsomware\obj\Debug\Povlsomware.pdb source: jqXe6tttFa.exe
Source: Binary string: MpDetoursCopyAccelerator.pdb source: MpDetoursCopyAccelerator.dll.0.dr
Source: Binary string: KSLDriver.pdbGCTL source: mpengine.dll0.0.dr
Source: Binary string: MsMpEngCP.pdb source: mpengine.dll0.0.dr
Source: Binary string: BTR.pdb source: mpengine.dll0.0.dr
Source: Binary string: MpCmdRun.pdb source: MpCmdRun.exe0.0.dr
Source: Binary string: mpengine.pdb source: mpengine.dll0.0.dr
Source: Binary string: MsMpEngCP.pdbGCTL source: mpengine.dll0.0.dr
Source: Binary string: MpDlpCmd.pdbGCTL source: MpDlpCmd.exe.0.dr
Source: Binary string: MpAzSubmit.pdbOGPS source: MpAzSubmit.dll.0.dr
Source: Binary string: mpengine.pdbOGPS source: mpengine.dll0.0.dr
Source: Binary string: KSLDriver.pdb source: mpengine.dll0.0.dr
Source: Binary string: ProtectionManagement.pdbGCTL source: ProtectionManagement.dll.0.dr
Source: Binary string: MpCommu.pdb source: MpCommu.dll.0.dr
Source: Binary string: MpDetoursCopyAccelerator.pdbGCTL source: MpDetoursCopyAccelerator.dll.0.dr
Source: Binary string: MpUxAgent.pdb source: MpUxAgent.dll.0.dr
Source: Binary string: MpCommu.pdbGCTL source: MpCommu.dll.0.dr
Source: Binary string: offreg.pdbH source: mpengine.dll0.0.dr
Source: Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb source: integrator.exe.0.dr
Source: Binary string: ProtectionManagement.pdb source: ProtectionManagement.dll.0.dr
Source: Binary string: MpUxAgent.pdbGCTL source: MpUxAgent.dll.0.dr
Source: Binary string: MsMpEngSvc.pdb source: mpengine.dll0.0.dr
Source: Binary string: MpDlpCmd.pdb source: MpDlpCmd.exe.0.dr
Source: Binary string: MsMpEngSvc.pdbGCTL source: mpengine.dll0.0.dr
Source: Binary string: KSLD.pdbGCTL source: mpengine.dll0.0.dr
Source: Binary string: offreg.pdb source: mpengine.dll0.0.dr
Source: Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: integrator.exe.0.dr
Source: Binary string: MpUpdate.pdb source: MpUpdate.dll.0.dr

Spreading

Source: C:\Users\user\Desktop\jqXe6tttFa.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpUpdate.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpSvc.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCommu.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe
Source: C:\Users\user\Desktop\jqXe6tttFa.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: C:\Users\user\Desktop\jqXe6tttFa.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpAzSubmit.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe
Source: C:\Users\user\Desktop\jqXe6tttFa.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\endpointdlp.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe
Source: C:\Users\user\Desktop\jqXe6tttFa.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe
Source: C:\Users\user\Desktop\jqXe6tttFa.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpEvMsg.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MsMpLics.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\DefenderCSP.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpRtp.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpAsDesc.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\endpointdlp.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe System file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe
Source: C:\Users\user\Desktop\jqXe6tttFa.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ProtectionManagement.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpUxAgent.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDetoursCopyAccelerator.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe
Source: C:\Users\user\Desktop\jqXe6tttFa.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDetours.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpClient.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpSenseComm.dll
Source: Joe Sandbox View IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32 (reported 4 times)
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26 (reported 15 times)
Source: unknown TCP traffic detected without corresponding DNS query: 23.33.134.2 (reported 19 times)
Source: unknown TCP traffic detected without corresponding DNS query: 40.68.123.157 (reported 12 times)
Source: global traffic HTTP traffic detected:
GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=Y9Bovd3FB3pfDT2&MD=1VU9cbn4 HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected:
GET /product/235093/ HTTP/1.1
Host: primearea.biz
Connection: keep-alive
sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected:
GET /fs/windows/config.json HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT
Range: bytes=0-2147483646
User-Agent: Microsoft BITS/7.8
Host: fs.microsoft.com
Source: global traffic HTTP traffic detected:
GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=Y9Bovd3FB3pfDT2&MD=1VU9cbn4 HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
Host: slscr.update.microsoft.com
Source: unknown DNS traffic detected: queries for: primearea.biz
Source: integrator.exe.0.dr String found in binary or memory: http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte
Source: MpCommu.dll.0.dr String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest
Source: MpCommu.dll.0.dr String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: MpCommu.dll.0.dr String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: mpengine.dll0.0.dr String found in binary or memory: http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web
Source: mpengine.dll0.0.dr String found in binary or memory: http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=webreferrercookieerr_regexperr_stringerr_error
Source: jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: prefs.js.0.dr String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: prefs.js.0.dr String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: prefs.js.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: prefs.js.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: prefs.js.0.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: integrator.exe.0.dr String found in binary or memory: https://nexus.officeapps.live.comhttps://nexusrules.officeapps.live.com
Source: integrator.exe.0.dr String found in binary or memory: https://otelrules.azureedge.net/rules/.bundlesdxhelper.exeFailed
Source: jqXe6tttFa.exe, 00000000.00000002.4132924740.0000000002521000.00000004.00000800.00020000.00000000.sdmp, jqXe6tttFa.exe, 00000000.00000002.4136818503.000000001AF30000.00000004.00000020.00020000.00000000.sdmp, jqXe6tttFa.exe, 00000000.00000002.4136818503.000000001AF9E000.00000004.00000020.00020000.00000000.sdmp, jqXe6tttFa.exe, 00000000.00000002.4136818503.000000001AFB6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://primearea.biz/product/235093/
Source: jqXe6tttFa.exe, 00000000.00000002.4131952380.00000000006FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://primearea.biz/product/235093/.0lnkM
Source: jqXe6tttFa.exe String found in binary or memory: https://primearea.biz/product/235093/3Decrypting...
Source: jqXe6tttFa.exe, 00000000.00000002.4136818503.000000001AF30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://primearea.biz/product/235093/5
Source: jqXe6tttFa.exe, 00000000.00000002.4136818503.000000001AF9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://primearea.biz/product/235093/X
Source: jqXe6tttFa.exe, 00000000.00000002.4136818503.000000001AF30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://primearea.biz/product/235093/l
Source: jqXe6tttFa.exe, 00000000.00000002.4136818503.000000001AF30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://primearea.biz/product/235093/o
Source: jqXe6tttFa.exe, 00000000.00000002.4136818503.000000001AF30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://primearea.biz/product/235093/q
Source: jqXe6tttFa.exe String found in binary or memory: https://primearea.biz/product/235093/qSOFTWARE
Source: jqXe6tttFa.exe, 00000000.00000002.4136818503.000000001AF30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://primearea.biz/product/235093/w
Source: jqXe6tttFa.exe, 00000000.00000002.4136818503.000000001AF23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://primearea.biz/product/235093/xU
Source: prefs.js.0.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: mpengine.dll0.0.dr String found in binary or memory: https://www.apple.com/appleca/0
Source: prefs.js.0.dr String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49672
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: integrator.exe.0.dr Binary or memory string: RegisterRawInputDevices memstr_89d4ff78-7
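The "TCP traffic detected without corresponding DNS query" lines above mark destinations that no DNS answer in the capture produced. The following Python is an added example, not part of this Joe Sandbox report, that reproduces the check over a constructed capture built from the report's destination IPs. The record shapes are an assumption, and the answer address for primearea.biz (203.0.113.10) is a documentation address standing in for a value the report does not record.

```python
from collections import Counter, defaultdict

# Constructed capture modelled on the report: only primearea.biz was queried.
# 203.0.113.10 is a documentation address standing in for its answer, which
# the report does not give.
DNS_ANSWERS = [
    {"name": "primearea.biz", "ip": "203.0.113.10"},
]
TCP_CONNECTS = [  # constructed: one record per outbound connection
    {"dst": "203.0.113.10", "port": 443},
    {"dst": "52.165.165.26", "port": 443},
    {"dst": "52.165.165.26", "port": 443},
    {"dst": "23.33.134.2", "port": 443},
    {"dst": "23.33.134.2", "port": 443},
    {"dst": "40.68.123.157", "port": 443},
    {"dst": "173.222.162.32", "port": 80},
]


def answered_ips(dns_answers):
    """Map every IP returned in a DNS answer to the names that resolved to it."""
    index = defaultdict(set)
    for rec in dns_answers:
        index[rec["ip"]].add(rec["name"])
    return index


def classify_connections(dns_answers, tcp_connects):
    """Split connections into those a DNS answer explains and those none does.

    Both results are dicts keyed by (dst, port). An unresolved destination is a
    lead, not a verdict: a hard-coded C2 address looks like this, but so do
    names resolved before the capture started and OS background traffic (the
    Windows Update and fs.microsoft.com requests in this report have no DNS
    query listed next to them either).
    """
    index = answered_ips(dns_answers)
    counts = Counter((c["dst"], c["port"]) for c in tcp_connects)
    resolved, unresolved = {}, {}
    for (dst, port), n in counts.items():
        if dst in index:
            resolved[(dst, port)] = {"count": n, "names": sorted(index[dst])}
        else:
            unresolved[(dst, port)] = n
    return resolved, unresolved


def report_lines(unresolved):
    """Render the unresolved set in the report's wording, busiest first."""
    ordered = sorted(unresolved.items(), key=lambda kv: -kv[1])
    return [
        f"TCP traffic detected without corresponding DNS query: {dst}:{port} ({n} connections)"
        for (dst, port), n in ordered
    ]


if __name__ == "__main__":
    _, unresolved = classify_connections(DNS_ANSWERS, TCP_CONNECTS)
    print("\n".join(report_lines(unresolved)))
```

The cheap next pivot for an unresolved address is the Host header of any plaintext request that went to it; for TLS connections the JA3 fingerprint and certificate subject fill the same role.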

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match File source: Process Memory Space: jqXe6tttFa.exe PID: 6876, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: jqXe6tttFa.exe PID: 6876, type: MEMORYSTR
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: c:\documents and settings\all users\application data\application data\application data\application data\application data\application data\application data\application data\application data\application data\microsoft\diagnosis\osver.txt.rtcrypted
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: c:\documents and settings\all users\application data\application data\application data\application data\application data\application data\application data\application data\application data\application data\microsoft\user account pictures\guest.bmp.rtcrypted
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: c:\documents and settings\all users\application data\application data\application data\application data\application data\application data\application data\application data\application data\application data\microsoft\user account pictures\user.bmp.rtcrypted
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: c:\documents and settings\all users\application data\application data\application data\application data\application data\application data\application data\application data\application data\application data\microsoft\windows\models\sbcmodel.txt.rtcrypted
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: c:\documents and settings\all users\application data\application data\application data\application data\application data\application data\application data\application data\application data\application data\microsoft\windows nt\msscan\welcomescan.jpg.rtcrypted
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: c:\documents and settings\all users\application data\application data\application data\application data\application data\application data\application data\application data\microsoft\windows defender\platform\4.18.23080.2006-0\thirdpartynotices.txt.rtcrypted
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: c:\documents and settings\all users\application data\application data\application data\application data\application data\application data\microsoft\windows\systemdata\s-1-5-18\readonly\lockscreen_z\lockscreen___1024_0768_notdimmed.jpg.rtcrypted
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: c:\documents and settings\all users\application data\application data\application data\application data\application data\application data\microsoft\windows\systemdata\s-1-5-18\readonly\lockscreen_z\lockscreen___1280_1024_notdimmed.jpg.rtcrypted
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: c:\documents and settings\user\appdata\roaming\microsoft\windows\recent\bnagmgsplo.jpg.rtcrypted
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: c:\documents and settings\user\appdata\roaming\microsoft\windows\recent\curqnkvoix.docx.rtcrypted
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: c:\documents and settings\user\appdata\roaming\microsoft\windows\recent\efgrwfcuws.jpg.rtcrypted
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: c:\documents and settings\user\appdata\roaming\microsoft\windows\recent\jsdngycowy.jpg.rtcrypted
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: c:\documents and settings\user\appdata\roaming\microsoft\windows\recent\kataxzvcps.jpg.rtcrypted
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: c:\documents and settings\user\appdata\roaming\microsoft\windows\recent\nebfqqywps.docx.rtcrypted
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: c:\documents and settings\user\appdata\roaming\microsoft\windows\recent\nirmekamzh.jpg.rtcrypted
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: c:\documents and settings\user\appdata\roaming\microsoft\windows\recent\nwtvcdumob.jpg.rtcrypted
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: c:\documents and settings\user\appdata\roaming\microsoft\windows\recent\onbqclyspu.docx.rtcrypted
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: c:\documents and settings\user\appdata\roaming\microsoft\windows\recent\ummbdneqbn.docx.rtcrypted
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: c:\documents and settings\user\appdata\roaming\microsoft\windows\recent\vlzdgukutz.docx.rtcrypted
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: c:\documents and settings\user\appdata\roaming\microsoft\windows\recent\wutjscbcfx.docx.rtcrypted
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: c:\documents and settings\user\appdata\roaming\microsoft\windows\themes\cachedfiles\cachedimage_1280_1024_pos4.jpg.rtcrypted
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: c:\documents and settings\user\appdata\roaming\mozilla\firefox\profiles\fqs92o4p.default-release\alternateservices.txt.rtcrypted
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: c:\documents and settings\user\appdata\roaming\mozilla\firefox\profiles\fqs92o4p.default-release\pkcs11.txt.rtcrypted
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: c:\documents and settings\user\appdata\roaming\mozilla\firefox\profiles\fqs92o4p.default-release\sitesecurityservicestate.txt.rtcrypted
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: c:\documents and settings\user\appdata\roaming\mozilla\firefox\profiles\fqs92o4p.default-release\telemetry.failedprofilelocks.txt.rtcrypted
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: c:\documents and settings\user\desktop\jsdngycowy.jpg.rtcrypted
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: c:\documents and settings\user\desktop\kataxzvcps.jpg.rtcrypted
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: c:\documents and settings\user\desktop\nwtvcdumob.jpg.rtcrypted
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: c:\documents and settings\user\desktop\onbqclyspu.docx.rtcrypted
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: c:\documents and settings\user\desktop\ummbdneqbn.docx.rtcrypted
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: c:\documents and settings\user\desktop\vlzdgukutz.docx.rtcrypted
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: c:\documents and settings\user\desktop\onbqclyspu\kataxzvcps.jpg.rtcrypted
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: c:\documents and settings\user\desktop\onbqclyspu\onbqclyspu.docx.rtcrypted
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: c:\documents and settings\user\desktop\ummbdneqbn\jsdngycowy.jpg.rtcrypted
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: c:\documents and settings\user\desktop\ummbdneqbn\ummbdneqbn.docx.rtcrypted Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: c:\documents and settings\user\desktop\vlzdgukutz\nwtvcdumob.jpg.rtcrypted Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: c:\documents and settings\user\desktop\vlzdgukutz\vlzdgukutz.docx.rtcrypted Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: c:\documents and settings\user\documents\jsdngycowy.jpg.rtcrypted Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: c:\documents and settings\user\documents\kataxzvcps.jpg.rtcrypted Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: c:\documents and settings\user\documents\nwtvcdumob.jpg.rtcrypted Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: c:\documents and settings\user\documents\onbqclyspu.docx.rtcrypted Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: c:\documents and settings\user\documents\ummbdneqbn.docx.rtcrypted Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: c:\documents and settings\user\documents\vlzdgukutz.docx.rtcrypted Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: c:\documents and settings\user\documents\onbqclyspu\kataxzvcps.jpg.rtcrypted Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: c:\documents and settings\user\documents\onbqclyspu\onbqclyspu.docx.rtcrypted Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: c:\documents and settings\user\documents\ummbdneqbn\jsdngycowy.jpg.rtcrypted Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: c:\documents and settings\user\documents\ummbdneqbn\ummbdneqbn.docx.rtcrypted Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: c:\documents and settings\user\documents\vlzdgukutz\nwtvcdumob.jpg.rtcrypted Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: c:\documents and settings\user\documents\vlzdgukutz\vlzdgukutz.docx.rtcrypted Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: c:\documents and settings\user\downloads\jsdngycowy.jpg.rtcrypted Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: c:\documents and settings\user\downloads\kataxzvcps.jpg.rtcrypted Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: c:\documents and settings\user\downloads\nwtvcdumob.jpg.rtcrypted Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: c:\documents and settings\user\downloads\onbqclyspu.docx.rtcrypted Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: c:\documents and settings\user\downloads\ummbdneqbn.docx.rtcrypted Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: c:\documents and settings\user\downloads\vlzdgukutz.docx.rtcrypted Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File moved: C:\Users\user\Desktop\KATAXZVCPS.jpg Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File deleted: C:\Users\user\Desktop\KATAXZVCPS.jpg Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File moved: C:\Users\user\Desktop\CURQNKVOIX.mp3 Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File deleted: C:\Users\user\Desktop\CURQNKVOIX.mp3 Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File moved: C:\Users\user\Desktop\ONBQCLYSPU\ONBQCLYSPU.docx Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Code function: 0_2_00007FFD9B8738EB 0_2_00007FFD9B8738EB
Source: mpengine.dll.0.dr Static PE information: Resource name: PACKEDBINARY type: PE32+ executable (native) x86-64, for MS Windows
Source: mpengine.dll.0.dr Static PE information: Resource name: PACKEDBINARY type: PE32+ executable (GUI) x86-64, for MS Windows
Source: mpengine.dll.0.dr Static PE information: Resource name: PACKEDBINARY type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Source: mpengine.dll.0.dr Static PE information: Resource name: PACKEDBINARY type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Source: mpengine.dll0.0.dr Static PE information: Resource name: PACKEDBINARY type: PE32+ executable (native) x86-64, for MS Windows
Source: mpengine.dll0.0.dr Static PE information: Resource name: PACKEDBINARY type: PE32+ executable (GUI) x86-64, for MS Windows
Source: mpengine.dll0.0.dr Static PE information: Resource name: PACKEDBINARY type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Source: mpengine.dll0.0.dr Static PE information: Resource name: PACKEDBINARY type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Source: MpUxAgent.dll.0.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: mpengine_etw.dll.0.dr Static PE information: Resource name: PACKEDBINARY type: PE32+ executable (native) x86-64, for MS Windows
Source: mpengine_etw.dll.0.dr Static PE information: Resource name: PACKEDBINARY type: PE32+ executable (GUI) x86-64, for MS Windows
Source: mpengine_etw.dll.0.dr Static PE information: Resource name: PACKEDBINARY type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Source: mpengine_etw.dll.0.dr Static PE information: Resource name: PACKEDBINARY type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Source: MsMpLics.dll.0.dr Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.0.dr Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.0.dr Static PE information: No import functions for PE file found
Source: MsMpLics.dll0.0.dr Static PE information: No import functions for PE file found
Source: MpAsDesc.dll0.0.dr Static PE information: No import functions for PE file found
Source: jqXe6tttFa.exe, 00000000.00000000.1664483406.0000000000282000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamePovlsomware.exe8 vs jqXe6tttFa.exe
Source: jqXe6tttFa.exe Binary or memory string: OriginalFilenamePovlsomware.exe8 vs jqXe6tttFa.exe
Source: mpengine.dll0.0.dr Binary string: ,PartitionEngine.BM.LegacyFileModifyDeprecationUnexpectedNotificationsDropping FileNotification of type %lu because its deprecated.37345798\Device\Harddisk7
Source: mpengine.dll0.0.dr Binary string: %\Invalid compute device.Invalid algorithm(%u).Invalid number of max gpu records(%u) specified. Max supported(%u)Algorithm(%u) not implemented.,0x) Configuration is null - using default values (device: TDT_DEVICE_GPU algo: TDT_DT_ALGO_RFC Max gpu records:%u.)dtworkloadUnknown operator type (%u), expected(%u)Feature value data type mismatch. Data type in model(%d), classifier(%d)Class value data type mismatch. Data type in model(%d), classifier(%d)Invalid number of trees(%u)/features(%u)/classes(%u)/split nodes(%u)/class values(%u).Threshold data type mismatch. Data type in model(%d), classifier(%d)Unable to compute checksum. Checksum status(%llx)Invalid blob size(%u)unsupported RFC version(%u)Unsupported header size(%u)Unsupported header version(%u)Invalid blob offset(%u)Unsupported blob type(%u)Memory allocation failure. %sFailed to get the model parameters for model handle(%u)Invalid header magic(0x%X)Failed to create a model handleInvalid model info null pointer.Failed to find the model for legacy model handle(%u)Buffer size specified for features/classes stream is size too small for the records specified.Number of CPU threads used: %zuNull input parameters.Invalid number of records.Invalid features/classes stream buffer size.Null input stream buffer parameters.model_blob_size(%u) < min model blob size(%u)Tree(%u) Num split nodes(%u)/Classes(%u)/Num leaf_class values(%u) exceeded max limit(%u).model_blob_size is too smalltree[%u]->leaf node begin offset(%u) is invalid or >= number(%u) of leaf nodestree[%u]->root node offset(%u) >= number(%u) of split nodestree[%u]->num split nodes(%u) + 1 != tree[%u]->num leaf nodes(%u) tree[%u]->first leaf node offset(%u) >= tree[%u]->first leaf node offset(%u)tree[%u]->root node offset(%u) should be 0tree[%u]->root node offset(%u) >= total split nodes(%u)tree[%u]->first leaf node offset(%u) >= max leaf node offset(%u)tree[%u]->split node right(%d) >= tree[%u]->number(%u) of split nodestree[%u]->split node right(%d) invalid or < tree[%u]->min offset(%u) for leaf nodesWeight value data type mismatch. Data type in model(%d), classifier(%d)Invalid split node data type.Failed to create a model handle.Failed to load decision tree shader.Null ptr in features/classes records.Invalid number of records(%u). Max supported value(%u)DirectX failed while setting up model.(0x%x)DirectX failed while classifying stream data.(0x%x)Invalid number of gpu max records(%u). Max supported value(%u)Invalid input model handle(%u)Error in processing tts_pmi_v2_record_t: remaining bytes (%zu) is not greater than size of tts_pmi_v2_record_t (%zu)Error in processing tts_pmi_v2_record_t: remaining bytes (%zu) is smaller than record_size (%u),/\NEAR_IND_JUMPNEAR_RETFAR_BRANCHNEAR_REL_JUMPJCCCPL_NEQ_0NEAR_IND_CALLNEAR_REL_CALLCPL_EQ_0pcin_tx_cpcountersoffcore_rspinvanyin_txcmaskumaskintedgeIRP_MJ_CREATE_NAMED_PIPEIRP_MJ_CREATEIRP_MJ_PNPIRP_MJ_SET_QUOTAIRP_MJ_MAXIMUM_FUNCTIONIRP_MJ_PNP_POWERIRP_MJ_SYSTEM_CONTROLIRP_MJ_POWERIRP_MJ_QUERY_QUOTA
Source: mpengine.dll0.0.dr Binary string: NtQuerySystemInformation\Enum\SecurityMmCopyMemoryHalGetBusDataByOffsetDeviceNameVersion\Device\\DosDevices\AllowedProcessNameImagePathExistingPageFilesPagingFiles\Session Manager\Memory Management\??\ \device\physicalmemoryKslDriver -- LPC Vendor id = 0x%0x, Device id = 0x%0x BaseClass= 0x%x status= 0x%x PhysAddr= %x PhysEnd= %x Pa2= %x PaEnd2= %x
Source: mpengine.dll0.0.dr Binary string: ValueType\\?\%c:\Device\Harddisk\\.\PHYSICALDRIVEthreatcontext//MpIsIEVScan
Source: mpengine.dll0.0.dr Binary string: FAT16ExtendedNTFSFAT32FAT12\\.\PHYSICALDRIVE%d%ls%ld\%ls%ld%ls%ls%ld%lsRecoveryDynamic DiskEFI\\.\PHYSICALDRIVE%u\Device\DiskPartitionPACKEDBINARY.%016llXd
Source: mpengine.dll0.0.dr Binary string: QIntelTDT3\Device\
Source: mpengine.dll0.0.dr Binary string: \Device\HarddiskVolume),~
Source: mpengine.dll0.0.dr Binary string: \Software\Classes\Wow6432Node\sysWOW64\syChpe32%c:\%ls%.*s%.*s%ls\Device\\SystemRoot.cmd.com.bat.EXE.LNK.BAT.CMD.PIF.COMa
Source: MpCmdRun.exe0.0.dr Binary string: IdImageFileNameFirst Resource TypeTypeScan SourceFirst Resource PathEngineIdResource CountReasonProcessMessagePIDStartStopDataIsSignedFile\Device\\\?\\FI_UNKNOWN\drivers\error: invalid data: System Windows path changed during the trace from "%ls" to "%ls"
Source: mpengine.dll0.0.dr Binary string: MmCopyMemory\device\physicalmemoryeaxebxecxedxebpesiediespcsdsesfsgssscr0cr2cr3cr4gdtridtrldtrtrdeviceeflagspcountsysentrdebugramsize
Source: mpengine.dll0.0.dr Binary string: string/function/table expected\device\harddisk*Nothing to repeat.stack overflow (%s)readu_u32 invalid type: table or string expected, got %s!__tostringmp.crc32: failed to convert this table to string!%x(null)wrong number of arguments to 'insert'=[C]nlSSlmain:%d <-. stacktrace: image_pathppidmp.ContextualExpandEnvironmentVariables() from outside sigattr
Source: mpengine.dll0.0.dr Binary string: ^\Device\HarddiskDm%ProfilesDirectory%\%SystemDrive%\Documents and Settings\S-1-5-19_ClassesS-1-5-20_Classes_Classes\REGISTRY\MACHINE\c39c7c7d-dfa1-4552-8b46-417f11519eac_%08X_0
Source: mpengine.dll0.0.dr Binary string: E\Device\Harddisk%lu\Partition0\DR\Device\Harddisk%lu\Partition%luMpDisableBootRecordCleanStoreMpBootRecordCleanStoreSimulationMode
Source: mpengine.dll0.0.dr Binary string: \device\harddiskvolume
Source: mpengine.dll0.0.dr Binary string: MpParseDetected\Device\HarddiskVolume\\.\\Device\CdRom%c:%ls%ls\%ls%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X%lld%hsFailed to grow Lua stackMpArchivePasswords=ntdllntoskrnlhalkernel32pea_genpacked#ClnFile#ClnInsthr=0x%08X
Source: mpengine.dll0.0.dr Binary string: \device\Infinite loop detected (more that %d instructions executed)"
Source: mpengine.dll0.0.dr Binary string: 'authorbinbuptimcolortblcolscommentcreatimdoccommfacingpfifonttblfooterfooterffooterlfooterrfootnoteftncnftnsepftnsepcheaderheaderfheaderlheaderrhtmltagikeywordslandscapeldblquotelimargbmarglmargrmargtobjdataoperatorpaperhpaperwparpgndecpgnlcltrpgnlcrmpgnstartpgnucltrpgnucrmpgnxpgnypictprintimprivate1qcqjqlqrrdblquoterevtimrirxesbkcolsbkevensbknonesbkoddsbkpagestylesheetsubjecttabtctitletxeuxe\Device\HarddiskVolumeinvalid capture indexSigTriggerPropagationMatchMatchMpCommon.BmTriggerSig() second can't be emptyMpCommon.BmTriggerSig() first can't be empty&
Source: mpengine.dll0.0.dr Binary string: 2A\Device\LanmanRedirector\\Device\Mup\\Device\WebDavRedirector\\Device\WinDfs\\Device\vmsmb\
Source: mpengine.dll0.0.dr Binary string: \Device\
Source: mpengine.dll0.0.dr Binary string: \Device\Harddisk%lu\\.\MountPointManager
Source: jqXe6tttFa.exe Binary or memory string: .pptx.odt.jpg.png.csv.sql.mdb.sln.php
Source: classification engine Classification label: mal88.rans.spre.phis.evad.winEXE@16/781@4/4
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\Users\user\AppData\Local\RansomeToad.txt
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Mutant created: NULL
Source: jqXe6tttFa.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: jqXe6tttFa.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: mpengine.dll0.0.dr Binary or memory string: SELECT 1 FROM SQLITE_MASTER WHERE type=? AND name=? LIMIT 1;
Source: mpengine.dll0.0.dr Binary or memory string: INSERT INTO NetworkIpFirewallRulesOutgoing(Key, FirewallRuleName, ExpiryTime) VALUES (?, ?, ?);
Source: mpengine.dll0.0.dr Binary or memory string: INSERT INTO FileLowFiAsync(Key, FileName, SigSeq, SigSha, SigIsSync, InstanceTimeStamp) VALUES(?, ? , ? , ? , ? , ?);
Source: mpengine.dll0.0.dr Binary or memory string: SELECT ID FROM ProcessBlockHistory WHERE ProcessPath = ?;
Source: mpengine.dll0.0.dr Binary or memory string: INSERT INTO AnomalyInfo(Key, UnbiasedTime) VALUES (?, ?);
Source: mpengine.dll0.0.dr Binary or memory string: SELECT Key, FilePath, Context, InsertTime, ExpireTime FROM AttributePersistContext WHERE FilePath LIKE ?;
Source: mpengine.dll0.0.dr Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(13, 1, date('now'));
Source: mpengine.dll0.0.dr Binary or memory string: SELECT Count(1) FROM AutoFeatureControl;
Source: mpengine.dll0.0.dr Binary or memory string: SELECT DISTINCT TableName FROM AnomalyTables;
Source: mpengine.dll0.0.dr Binary or memory string: SELECT Key FROM FileHashes WHERE FileHashes.Key = ?;
Source: mpengine.dll0.0.dr Binary or memory string: SELECT Count(1) FROM RansomwareDetections;
Source: mpengine.dll0.0.dr Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: mpengine.dll0.0.dr Binary or memory string: INSERT INTO SdnEx(Key, CurrentCount) VALUES (?, ?);DELETE FROM SdnEx;DELETE FROM SdnEx WHERE SdnEx.Key = ?;SELECT Count(1) FROM SdnEx;SELECT ID FROM SdnEx WHERE SdnEx.Key = ?;SELECT Key, CurrentCount FROM SdnEx WHERE Key = ?
Source: mpengine.dll0.0.dr Binary or memory string: SELECT Count(1) FROM NetworkIpFirewallRules;
Source: mpengine.dll0.0.dr Binary or memory string: INSERT INTO RollingQueuesValues(EntryTable, EntryKey, EntryValue, InsertTime, ExpireTime) VALUES(? , ? , ? , ? , ?);
Source: mpengine.dll0.0.dr Binary or memory string: SELECT Key, VSN, FileID, USN, InstanceTimeStamp, SHA1, MD5, SHA256, LSHASH, LSHASHS, CTPH, PartialCRC1, PartialCRC2, PartialCRC3, KCRC1, KCRC2, KCRC3, KCRC3n FROM FileHashes WHERE Key = ?;
Source: integrator.exe.0.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: mpengine.dll0.0.dr Binary or memory string: INSERT INTO AnomalyTables(Key, TableKey, TableName, UnbiasedTableAge, KeyName, FirstSeen, LastSeen, UnbiasedTime, Value, Order_) VALUES(? , ? , ? , ? , ? , ? , ? , ? , ? , ?);
Source: mpengine.dll0.0.dr Binary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? ORDER BY TimeStamp DESC;
Source: mpengine.dll0.0.dr Binary or memory string: SELECT COUNT(1) FROM FileLowFiAsync;
Source: mpengine.dll0.0.dr Binary or memory string: SELECT Count(1) FROM SystemFileCache WHERE CleanFileShaHash = ?;
Source: mpengine.dll0.0.dr Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(6, 1, date('now'));
Source: mpengine.dll0.0.dr Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(14, 1, date('now'));
Source: integrator.exe.0.dr, mpengine.dll0.0.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: mpengine.dll0.0.dr Binary or memory string: SELECT ID FROM DynSigRevisions WHERE DynSigRevisions.Key = ?;
Source: mpengine.dll0.0.dr Binary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? AND TimeStamp = ? ORDER BY TimeStamp DESC;
Source: mpengine.dll0.0.dr Binary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE RuleId = ? ORDER BY TimeStamp DESC;
Source: mpengine.dll0.0.dr Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(4, 1, date('now'));
Source: mpengine.dll0.0.dr Binary or memory string: INSERT INTO BmFileStartupActions(FilePathHash, FilePath, ActionFlags, ProcessStartCount, FdrFlags, FdrThreatRecordId, EvaluatorThreatRecordId, TrustedInstallerThreatRecordId, LFRThreatRecordId) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?);
Source: mpengine.dll0.0.dr Binary or memory string: INSERT INTO BmFileActions(FileInfoId, ThreatRecordId, Action) VALUES (?, ?, ?);
Source: mpengine.dll0.0.dr Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(5, 1, date('now'));
Source: integrator.exe.0.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: mpengine.dll0.0.dr Binary or memory string: SELECT ID FROM FolderGuardPaths WHERE UserIdHash = ? LIMIT 1;
Source: mpengine.dll0.0.dr Binary or memory string: SELECT Key, Name, Capacity, TimeToLive, Mode, Namespace FROM RollingQueuesTables WHERE Key = ?;
Source: mpengine.dll0.0.dr Binary or memory string: INSERT INTO RansomwareDetections(Key, DetectionGuid, LkgTS, NextUSN, DetectionTS, ProvisionalRemedComplTS, RemedComplTS, ImpactedCBPNameSpaces, InstanceTimeStamp) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ?);
Source: mpengine.dll0.0.dr Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(12, 1, date('now'));
Source: mpengine.dll0.0.dr Binary or memory string: SELECT CleanFileSha, CleanFileShaHash FROM SystemFileCache WHERE InstanceTimeStamp < ?;
Source: mpengine.dll0.0.dr Binary or memory string: SELECT PersistId, PersistIdBlob, ExpirationDate FROM AmsiFileCache WHERE ExpirationDate < DateTime(?);
Source: mpengine.dll0.0.dr Binary or memory string: INSERT INTO DynSigRevisions(Key, SdnRevision, EsuRevision, BFRevision, EntCertRevision, TamperRevision, AGBlobRevision, BFFileAllowRevision, BFFileBlockRevision, BFCertAllowRevision, BFCertBlockRevision) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?);
Source: mpengine.dll0.0.dr Binary or memory string: SELECT RuleAction, RuleId, IsAudit, IsInherited, State FROM BmHipsRuleInfo WHERE ProcessInfoId = ?;
Source: mpengine.dll0.0.dr Binary or memory string: SELECT Key, FirewallRuleName, ExpiryTime FROM NetworkIpFirewallRules WHERE ExpiryTime < ?;
Source: mpengine.dll0.0.dr Binary or memory string: SELECT Count(1) FROM SystemFileCache;
Source: mpengine.dll0.0.dr Binary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? ORDER BY TimeStamp DESC LIMIT 1;
Source: mpengine.dll0.0.dr Binary or memory string: INSERT INTO BmFileInfo(NormalizedPathHash, DosPathHash, StructVersion, NormalizedPath, DosPath, Wow64Context, MetaContext, IsFromWeb, IsExecutable) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?);
Source: mpengine.dll0.0.dr Binary or memory string: SELECT Count(1) FROM SdnEx;
Source: mpengine.dll0.0.dr Binary or memory string: SELECT ID FROM RansomwareDetections WHERE Key = ?;SELECT DetectionGuid, LkgTS, NextUSN, DetectionTS, ProvisionalRemedComplTS, RemedComplTS, ImpactedCBPNameSpaces FROM RansomwareDetections WHERE Key = ?;DELETE FROM RansomwareDetections WHERE InstanceTimeStamp < ?; INSERT INTO RansomwareDetections(Key, DetectionGuid, LkgTS, NextUSN, DetectionTS, ProvisionalRemedComplTS, RemedComplTS, ImpactedCBPNameSpaces, InstanceTimeStamp) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ?);DELETE FROM RansomwareDetections WHERE Key = ?;SELECT Count(1) FROM RansomwareDetections;
Source: mpengine.dll0.0.dr Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(3, 1, date('now'));
Source: mpengine.dll0.0.dr Binary or memory string: SELECT PersistId, PersistIdBlob, ExpirationDate FROM AmsiFileCache WHERE PersistId = ?;FileCacheRemovalSELECT DateTime('now');+%llu secondsINSERT INTO AmsiFileCache(PersistId, PersistIdBlob, ExpirationDate) VALUES (?, ?, DateTime('now', ?));DELETE AmsiFileCache;DELETE FROM AmsiFileCache WHERE AmsiFileCache.PersistId = ?;SELECT Count(1) FROM AmsiFileCache;SELECT ID FROM AmsiFileCache WHERE AmsiFileCache.PersistId = ?;DELETE FROM AmsiFileCache WHERE ExpirationDate < DateTime(?);Engine.Amsi.FileCacheRemovalResultSELECT PersistId, PersistIdBlob, ExpirationDate FROM AmsiFileCache WHERE ExpirationDate < DateTime(?);
Source: mpengine.dll0.0.dr Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(36, 1, date('now'));
Source: mpengine.dll0.0.dr Binary or memory string: SELECT EntryTable, EntryKey, EntryValue, InsertTime, ExpireTime FROM RollingQueuesValues WHERE EntryTable = ?;
Source: mpengine.dll0.0.dr Binary or memory string: SELECT Version, Current, LastUpdated FROM SQLiteGlobals WHERE Current = 1 ORDER BY Version DESC ;
Source: mpengine.dll0.0.dr Binary or memory string: SELECT ID FROM AmsiFileCache WHERE AmsiFileCache.PersistId = ?;
Source: mpengine.dll0.0.dr Binary or memory string: INSERT INTO AttributeCounts(Key, Name, Count, InsertTime, ExpireTime) VALUES(? , ? , ? , ? , ?);
Source: mpengine.dll0.0.dr Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(28, 1, date('now'));
Source: mpengine.dll0.0.dr Binary or memory string: INSERT INTO AttributePersistContext(Key, FilePath, Context, InsertTime, ExpireTime) VALUES(? , ? , ? , ? , ?);
Source: mpengine.dll0.0.dr Binary or memory string: SELECT ID FROM NetworkIpFirewallRulesOutgoing WHERE NetworkIpFirewallRulesOutgoing.Key = ?;
Source: mpengine.dll0.0.dr Binary or memory string: SELECT UserId, GUID, Path FROM FolderGuardPaths WHERE UserIdHash = ?INSERT INTO FolderGuardPaths(UserIdHash, UserId, GUID, Path) VALUES ( ?, ?, ?, ? );SELECT Count(DISTINCT UserIdHash) FROM FolderGuardPaths;DELETE FROM FolderGuardPaths WHERE UserIdHash = ?;SELECT ID FROM FolderGuardPaths WHERE UserIdHash = ? LIMIT 1;
Source: mpengine.dll0.0.dr Binary or memory string: SELECT COUNT(DISTINCT ProcessPath) FROM ProcessBlockHistory;
Source: mpengine.dll0.0.dr Binary or memory string: INSERT INTO AmsiFileCache(PersistId, PersistIdBlob, ExpirationDate) VALUES (?, ?, DateTime('now', ?));
Source: mpengine.dll0.0.dr Binary or memory string: SELECT COUNT(1) FROM AttributePersistContext;
Source: mpengine.dll0.0.dr Binary or memory string: SELECT Count(1) FROM SystemRegistryCache;
Source: mpengine.dll0.0.dr Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(24, 1, date('now'));
Source: mpengine.dll0.0.dr Binary or memory string: SELECT ID, NormalizedPathHash, DosPathHash, StructVersion, NormalizedPath, DosPath, Wow64Context, MetaContext, IsFromWeb, IsExecutable FROM BmFileInfo WHERE NormalizedPathHash = ? OR DosPathHash = ?;
Source: mpengine.dll0.0.dr Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(11, 1, date('now'));
Source: mpengine.dll0.0.dr Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(31, 1, date('now'));
Source: mpengine.dll0.0.dr Binary or memory string: SELECT Key, FirewallRuleName, ExpiryTime FROM NetworkIpFirewallRulesOutgoing WHERE ExpiryTime < ?;
Source: mpengine.dll0.0.dr Binary or memory string: SELECT ID FROM BmFileInfo WHERE NormalizedPathHash = ? OR DosPathHash = ?;
Source: mpengine.dll0.0.dr Binary or memory string: SELECT InfectedFileSHA, ProcFileId, SystemFilePath, CleanFileSha FROM SystemFileCache WHERE InfectedFileSHAHash = ? OR ProcFileIDSystemFileHash = ? ORDER BY InstanceTimeStamp DESC;
Source: mpengine.dll0.0.dr Binary or memory string: SELECT t1.ProcessPath, t1.TimeStamp, t1.TargetPath, t1.RuleId, t1.IsAudit, t1.Action, t1.ProcessTaintReason, t1.ProcessIntegrity FROM ProcessBlockHistory AS t1 INNER JOIN(SELECT ID, ProcessPath, MAX(TimeStamp) AS MostRecentTime FROM ProcessBlockHistory GROUP BY ProcessPath) AS t2 ON t1.ID = t2.ID AND t1.TimeStamp = t2.MostRecentTime ORDER BY t1.TimeStamp DESC;
Source: mpengine.dll0.0.dr Binary or memory string: UPDATE AtomicCounters SET Name = ?, Count = ?, InsertTime = ?, ExpireTime = ?, UpdateTime = ?, ScalarFactor = ?, LinearFactor = ?, DecayInterval = ?, HighCount = ?, LastDecayTime = ?, Namespace = ? WHERE Key = ?;
Source: mpengine.dll0.0.dr Binary or memory string: SELECT ID FROM AutoFeatureControl WHERE AutoFeatureControl.Key = ?;
Source: mpengine.dll0.0.dr Binary or memory string: INSERT INTO SystemFileCache(InfectedFileSHAHash, InfectedFileSHA, ProcFileIDSystemFileHash, ProcFileId, SystemFilePath, CleanFileSha, CleanFileShaHash, InstanceTimeStamp) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?);
Source: mpengine.dll0.0.dr Binary or memory string: SELECT ID FROM BmFileStartupActions WHERE BmFileStartupActions.FilePathHash = ?;SELECT FilePathHash, FilePath, ActionFlags, ProcessStartCount, FdrFlags, FdrThreatRecordId, EvaluatorThreatRecordId, TrustedInstallerThreatRecordId, LFRThreatRecordId FROM BmFileStartupActions WHERE FilePathHash = ?INSERT INTO BmFileStartupActions(FilePathHash, FilePath, ActionFlags, ProcessStartCount, FdrFlags, FdrThreatRecordId, EvaluatorThreatRecordId, TrustedInstallerThreatRecordId, LFRThreatRecordId) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?);DELETE FROM BmFileStartupActions WHERE BmFileStartupActions.FilePathHash = ?;SELECT Count(1) FROM BmFileStartupActions;|
Source: mpengine.dll0.0.dr Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(16, 1, date('now'));
Source: mpengine.dll0.0.dr Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(8, 1, date('now'));
Source: mpengine.dll0.0.dr Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(26, 1, date('now'));
Source: mpengine.dll0.0.dr Binary or memory string: SELECT ID FROM BmFileInfo WHERE NormalizedPathHash = ? OR DosPathHash = ?;SELECT ID, NormalizedPathHash, DosPathHash, StructVersion, NormalizedPath, DosPath, Wow64Context, MetaContext, IsFromWeb, IsExecutable FROM BmFileInfo WHERE NormalizedPathHash = ? OR DosPathHash = ?;INSERT INTO BmFileActions(FileInfoId, ThreatRecordId, Action) VALUES (?, ?, ?);INSERT INTO BmFileInfo(NormalizedPathHash, DosPathHash, StructVersion, NormalizedPath, DosPath, Wow64Context, MetaContext, IsFromWeb, IsExecutable) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?);SELECT ThreatRecordId, Action FROM BmFileActions WHERE FileInfoId == ?;DELETE FROM BmFileActions;DELETE FROM BmFileInfo;DELETE FROM BmFileInfo WHERE NormalizedPathHash = ? OR DosPathHash = ?;SELECT Count(1) FROM BmFileInfo;B
Source: mpengine.dll0.0.dr Binary or memory string: SELECT COUNT(1) FROM AnomalyTables;
Source: mpengine.dll0.0.dr Binary or memory string: SELECT Key FROM FileHashes WHERE FileHashes.Key = ?; SELECT Key FROM FileHashes ORDER BY InstanceTimeStamp ASC LIMIT 1DELETE FROM FileHashes WHERE InstanceTimeStamp < ?; INSERT INTO FileHashes(Key, VSN, FileID, USN, InstanceTimeStamp, SHA1, MD5, SHA256, LSHASH, LSHASHS, CTPH, PartialCRC1, PartialCRC2, PartialCRC3, KCRC1, KCRC2, KCRC3, KCRC3n) VALUES(?, ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ?);SELECT COUNT(1) FROM FileHashes; DELETE FROM FileHashes WHERE FileHashes.Key = ?;
Source: mpengine.dll0.0.dr Binary or memory string: SELECT Count(DISTINCT UserIdHash) FROM FolderGuardPaths;
Source: mpengine.dll0.0.dr Binary or memory string: SELECT ID, PPIDHash, ProcessStartTime, PID, StructVersion, ImageFileName, MonitoringFlags_Flags, MonitoringFlags_VmHardenType, MonitoringFlags_ExemptVmHardenedTypes, CommandLineArgs, HipsInjectionId, FolderGuardId, Flags, LsassReadMemId, MonitoringFlags_Flags2Low, MonitoringFlags_Flags2High FROM BmProcessInfo WHERE PPIDHash = ?;
Source: mpengine.dll0.0.dr Binary or memory string: SELECT Key, FirewallRuleName, ExpiryTime FROM NetworkIpFirewallRulesOutgoing WHERE ExpiryTime < ?;INSERT INTO NetworkIpFirewallRulesOutgoing(Key, FirewallRuleName, ExpiryTime) VALUES (?, ?, ?);DELETE FROM NetworkIpFirewallRulesOutgoing;DELETE FROM NetworkIpFirewallRulesOutgoing WHERE NetworkIpFirewallRulesOutgoing.Key = ?;SELECT Count(1) FROM NetworkIpFirewallRulesOutgoing;SELECT ID FROM NetworkIpFirewallRulesOutgoing WHERE NetworkIpFirewallRulesOutgoing.Key = ?;SELECT Key, FirewallRuleName, ExpiryTime FROM NetworkIpFirewallRulesOutgoing WHERE Key = ?
Source: mpengine.dll0.0.dr Binary or memory string: INSERT INTO AutoFeatureControl(Key, CurrCount, MaxCount, InstanceTimeStamp) VALUES (?, ?, ?, ?);
Source: mpengine.dll0.0.dr Binary or memory string: SELECT Key FROM AtomicCounters ORDER BY InsertTime ASC LIMIT 1;
Source: mpengine.dll0.0.dr Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(20, 1, date('now'));
Source: mpengine.dll0.0.dr Binary or memory string: SELECT PersistId, PersistIdBlob, ExpirationDate FROM AmsiFileCache WHERE PersistId = ?;
Source: mpengine.dll0.0.dr Binary or memory string: SELECT Key, Name, Count, InsertTime, ExpireTime, UpdateTime, ScalarFactor, LinearFactor, DecayInterval, HighCount, LastDecayTime, Namespace FROM AtomicCounters WHERE Key = ?;
Source: mpengine.dll0.0.dr Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(33, 1, date('now'));
Source: mpengine.dll0.0.dr Binary or memory string: SELECT Key FROM AtomicCounters WHERE AtomicCounters.Key = ?;
Source: mpengine.dll0.0.dr Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(18, 1, date('now'));
Source: mpengine.dll0.0.dr Binary or memory string: SELECT ID FROM BmProcessInfo WHERE PPIDHash = ?;
Source: mpengine.dll0.0.dr Binary or memory string: SELECT COUNT(1) FROM AnomalyInfo;
Source: mpengine.dll0.0.dr Binary or memory string: SELECT ValueMapArrayBlob FROM ValueMapArray WHERE Key = ? AND RecordType = ?;
Source: mpengine.dll0.0.dr Binary or memory string: SELECT ID FROM SystemFileCache WHERE InfectedFileSHAHash = ? OR ProcFileIDSystemFileHash = ?;
Source: mpengine.dll0.0.dr Binary or memory string: SELECT Key, Name, Capacity, TimeToLive, Mode, Namespace FROM RollingQueuesTables WHERE Name LIKE ? AND Namespace = ?;
Source: mpengine.dll0.0.dr Binary or memory string: SELECT Key FROM AttributeCounts WHERE AttributeCounts.Key = ?;
Source: mpengine.dll0.0.dr Binary or memory string: SELECT Key FROM AttributeCounts ORDER BY InsertTime ASC LIMIT 1;
Source: mpengine.dll0.0.dr Binary or memory string: SELECT t1.ProcessPath, t1.TimeStamp, t1.TargetPath, t1.RuleId, t1.IsAudit, t1.Action, t1.ProcessTaintReason, t1.ProcessIntegrity FROM ProcessBlockHistory AS t1 INNER JOIN(SELECT ID, ProcessPath, MAX(TimeStamp) AS MostRecentTime FROM ProcessBlockHistory WHERE RuleId = ? GROUP BY ProcessPath) AS t2 ON t1.ID = t2.ID AND t1.TimeStamp = t2.MostRecentTime ORDER BY t1.TimeStamp DESC;
Source: mpengine.dll0.0.dr Binary or memory string: SELECT Key FROM ValueMapArray WHERE ValueMapArray.Key = ? AND ValueMapArray.RecordType = ?;
Source: mpengine.dll0.0.dr Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(21, 1, date('now'));
Source: mpengine.dll0.0.dr Binary or memory string: INSERT INTO RollingQueuesTables(Key, Name, Capacity, TimeToLive, Mode, Namespace) VALUES(? , ? , ? , ? , ? , ?);
Source: mpengine.dll0.0.dr Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(34, 1, date('now'));
Source: mpengine.dll0.0.dr Binary or memory string: SELECT Count(1) FROM BmFileInfo;
Source: mpengine.dll0.0.dr Binary or memory string: SELECT COUNT(1) FROM AtomicCounters;
Source: mpengine.dll0.0.dr Binary or memory string: SELECT ThreatRecordId, Action FROM BmFileActions WHERE FileInfoId == ?;
Source: mpengine.dll0.0.dr Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(17, 1, date('now'));
Source: mpengine.dll0.0.dr Binary or memory string: INSERT INTO BmHipsRuleInfo(ProcessInfoId, RuleAction, RuleId, IsAudit, IsInherited, State) VALUES (?, ?, ?, ?, ?, ?);
Source: mpengine.dll0.0.dr Binary or memory string: UPDATE AttributePersistContext SET FilePath = ?, Context = ?, InsertTime = ?, ExpireTime = ? WHERE Key = ?;
Source: mpengine.dll0.0.dr Binary or memory string: SELECT Key, Name, Capacity, TimeToLive, Mode, Namespace FROM RollingQueuesTables WHERE Name LIKE ? AND Namespace = ?; DELETE FROM RollingQueuesTables; DELETE FROM RollingQueuesValues; DELETE FROM RollingQueuesTables WHERE (Name NOT IN (SELECT DISTINCT EntryTable FROM RollingQueuesValues)); INSERT INTO RollingQueuesTables(Key, Name, Capacity, TimeToLive, Mode, Namespace) VALUES(? , ? , ? , ? , ? , ?); DELETE FROM RollingQueuesTables WHERE RollingQueuesTables.Key = ?; SELECT Key FROM RollingQueuesTables WHERE RollingQueuesTables.Key = ?; Invalid prefix for rolling queues query.DELETE FROM RollingQueuesValues WHERE ExpireTime < ?; SELECT EntryTable, EntryKey, EntryValue, InsertTime, ExpireTime FROM RollingQueuesValues WHERE EntryTable = ?; INSERT INTO RollingQueuesValues(EntryTable, EntryKey, EntryValue, InsertTime, ExpireTime) VALUES(? , ? , ? , ? , ?); SELECT COUNT(1) FROM RollingQueuesValues; Failed to get column from prepared statement.Failed to bind value to prepared statement.
Source: mpengine.dll0.0.dr Binary or memory string: SELECT Key FROM AttributePersistContext WHERE AttributePersistContext.Key = ?;
Source: mpengine.dll0.0.dr Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(19, 1, date('now'));
Source: mpengine.dll0.0.dr Binary or memory string: INSERT INTO BackupProcessInfo(Key, FilePath, FirstStartTime, NextUSN, AutomaticRemovalPolicy, ImpactedCBPNameSpaces, InstanceTimeStamp) VALUES ( ?, ?, ?, ?, ?, ?, ?);
Source: mpengine.dll0.0.dr Binary or memory string: SELECT ID FROM NetworkIpFirewallRules WHERE NetworkIpFirewallRules.Key = ?;
Source: mpengine.dll0.0.dr Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(22, 1, date('now'));
Source: mpengine.dll0.0.dr Binary or memory string: SELECT ID FROM RansomwareDetections WHERE Key = ?;
Source: mpengine.dll0.0.dr Binary or memory string: SELECT ID FROM SdnEx WHERE SdnEx.Key = ?;
Source: mpengine.dll0.0.dr Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(32, 1, date('now'));
Source: mpengine.dll0.0.dr Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(29, 1, date('now'));
Source: mpengine.dll0.0.dr Binary or memory string: SELECT ID FROM SystemRegistryCache WHERE Key = ?;
Source: mpengine.dll0.0.dr Binary or memory string: INSERT INTO AtomicCounters(Key, Name, Count, InsertTime, ExpireTime, UpdateTime, ScalarFactor, LinearFactor, DecayInterval, HighCount, LastDecayTime, Namespace) VALUES(? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ?);
Source: mpengine.dll0.0.dr Binary or memory string: SELECT Count(1) FROM AmsiFileCache;
Source: mpengine.dll0.0.dr Binary or memory string: SELECT Count(1) FROM SystemFileCache WHERE CleanFileShaHash = ?; DELETE FROM SystemFileCache WHERE InstanceTimeStamp < ?; SELECT CleanFileSha, CleanFileShaHash FROM SystemFileCache WHERE InstanceTimeStamp < ?; INSERT INTO SystemFileCache(InfectedFileSHAHash, InfectedFileSHA, ProcFileIDSystemFileHash, ProcFileId, SystemFilePath, CleanFileSha, CleanFileShaHash, InstanceTimeStamp) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?);DELETE FROM SystemFileCache WHERE InfectedFileSHAHash = ? OR ProcFileIDSystemFileHash = ?;SELECT Count(1) FROM SystemFileCache;SELECT ID FROM SystemFileCache WHERE InfectedFileSHAHash = ? OR ProcFileIDSystemFileHash = ?;SELECT InfectedFileSHA, ProcFileId, SystemFilePath, CleanFileSha FROM SystemFileCache WHERE InfectedFileSHAHash = ? OR ProcFileIDSystemFileHash = ? ORDER BY InstanceTimeStamp DESC;2
Source: mpengine.dll0.0.dr Binary or memory string: SELECT Key FROM AnomalyTables WHERE AnomalyTables.TableKey = ?;
Source: mpengine.dll0.0.dr Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(30, 1, date('now'));
Source: mpengine.dll0.0.dr Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(23, 1, date('now'));
Source: mpengine.dll0.0.dr Binary or memory string: SELECT COUNT(1) FROM RollingQueuesValues;
Source: mpengine.dll0.0.dr Binary or memory string: INSERT INTO SdnEx(Key, CurrentCount) VALUES (?, ?);
Source: mpengine.dll0.0.dr Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(15, 1, date('now'));
Source: mpengine.dll0.0.dr Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(10, 1, date('now'));
Source: mpengine.dll0.0.dr Binary or memory string: INSERT INTO BmProcessInfo(PPIDHash, ProcessStartTime, PID, StructVersion, ImageFileName, MonitoringFlags_Flags, MonitoringFlags_VmHardenType, MonitoringFlags_ExemptVmHardenedTypes, CommandLineArgs, HipsInjectionId, FolderGuardId, Flags, LsassReadMemId, MonitoringFlags_Flags2Low, MonitoringFlags_Flags2High)VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?);
Source: mpengine.dll0.0.dr Binary or memory string: SELECT Count(1) FROM BackupProcessInfo;
Source: mpengine.dll0.0.dr Binary or memory string: SELECT Key, FilePath, Context, InsertTime, ExpireTime FROM AttributePersistContext WHERE Key = ?;
Source: mpengine.dll0.0.dr Binary or memory string: SELECT COUNT(1) FROM ValueMapArray WHERE RecordType = ?;
Source: mpengine.dll0.0.dr Binary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE RuleId = ? ORDER BY TimeStamp DESC;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? AND TimeStamp = ? ORDER BY TimeStamp DESC;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory ORDER BY TimeStamp DESC;SELECT COUNT(DISTINCT ProcessPath) FROM ProcessBlockHistory;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? ORDER BY TimeStamp DESC LIMIT 1;SELECT t1.ProcessPath, t1.TimeStamp, t1.TargetPath, t1.RuleId, t1.IsAudit, t1.Action, t1.ProcessTaintReason, t1.ProcessIntegrity FROM ProcessBlockHistory AS t1 INNER JOIN(SELECT ID, ProcessPath, MAX(TimeStamp) AS MostRecentTime FROM ProcessBlockHistory WHERE RuleId = ? GROUP BY ProcessPath) AS t2 ON t1.ID = t2.ID AND t1.TimeStamp = t2.MostRecentTime ORDER BY t1.TimeStamp DESC;SELECT t1.ProcessPath, t1.TimeStamp, t1.TargetPath, t1.RuleId, t1.IsAudit, t1.Action, t1.ProcessTaintReason, t1.ProcessIntegrity FROM ProcessBlockHistory AS t1 INNER JOIN(SELECT ID, ProcessPath, MAX(TimeStamp) AS MostRecentTime FROM ProcessBlockHistory GROUP BY ProcessPath) AS t2 ON t1.ID = t2.ID AND t1.TimeStamp = t2.MostRecentTime ORDER BY t1.TimeStamp DESC;DELETE FROM ProcessBlockHistory WHERE ProcessPath = ? AND TimeStamp = ?;SELECT COUNT(1) FROM ProcessBlockHistory;SELECT ID FROM ProcessBlockHistory WHERE ProcessPath = ?;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? ORDER BY TimeStamp DESC;DELETE FROM ProcessBlockHistory WHERE TimeStamp < ?;SELECT ProcessPath, TimeStamp FROM ProcessBlockHistory ORDER BY TimeStamp ASC LIMIT 1REPLACE INTO ProcessBlockHistory(ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity) VALUES (?, ?, ?, ?, ?, ?, ?, ?);DELETE FROM ProcessBlockHistory;[3
Source: mpengine.dll0.0.dr Binary or memory string: SELECT Key, TableKey, TableName, UnbiasedTableAge, KeyName, FirstSeen, LastSeen, UnbiasedTime, Value, Order_ FROM AnomalyTables WHERE AnomalyTables.TableKey = ?;
Source: mpengine.dll0.0.dr Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(9, 1, date('now'));
Source: mpengine.dll0.0.dr Binary or memory string: SELECT Count(1) FROM BmProcessInfo;
Source: mpengine.dll0.0.dr Binary or memory string: SELECT COUNT(1) FROM ProcessBlockHistory;
Source: mpengine.dll0.0.dr Binary or memory string: SELECT Count(1) FROM DynSigRevisions;
Source: mpengine.dll0.0.dr Binary or memory string: INSERT INTO ValueMapArray(Key, RecordType, ValueMapArrayBlob, InstanceTimeStamp) VALUES(?, ? , ? , ?);
Source: mpengine.dll0.0.dr Binary or memory string: SELECT Key, Name, Count, InsertTime, ExpireTime FROM AttributeCounts WHERE Key = ?;
Source: mpengine.dll0.0.dr Binary or memory string: SELECT Key, FileName, SigSeq, SigSha, SigIsSync, InstanceTimeStamp FROM FileLowFiAsync WHERE Key = ?;
Source: mpengine.dll0.0.dr Binary or memory string: SELECT ID FROM BmFileStartupActions WHERE BmFileStartupActions.FilePathHash = ?;
Source: mpengine.dll0.0.dr Binary or memory string: SELECT COUNT(1) FROM FileHashes;
Source: mpengine.dll0.0.dr Binary or memory string: SELECT Key FROM FileLowFiAsync WHERE FileLowFiAsync.Key = ?;
Source: mpengine.dll0.0.dr Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(27, 1, date('now'));
Source: mpengine.dll0.0.dr Binary or memory string: INSERT INTO FileHashes(Key, VSN, FileID, USN, InstanceTimeStamp, SHA1, MD5, SHA256, LSHASH, LSHASHS, CTPH, PartialCRC1, PartialCRC2, PartialCRC3, KCRC1, KCRC2, KCRC3, KCRC3n) VALUES(?, ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ?);
Source: mpengine.dll0.0.dr Binary or memory string: SELECT DetectionGuid, LkgTS, NextUSN, DetectionTS, ProvisionalRemedComplTS, RemedComplTS, ImpactedCBPNameSpaces FROM RansomwareDetections WHERE Key = ?;
Source: mpengine.dll0.0.dr Binary or memory string: SELECT FilePath, FirstStartTime, NextUSN, AutomaticRemovalPolicy, ImpactedCBPNameSpaces FROM BackupProcessInfo WHERE Key = ?;
Source: mpengine.dll0.0.dr Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(7, 1, date('now'));
Source: mpengine.dll0.0.dr Binary or memory string: SELECT Key FROM RollingQueuesTables WHERE RollingQueuesTables.Key = ?;
Source: mpengine.dll0.0.dr Binary or memory string: SELECT Key, Name, Count, InsertTime, ExpireTime, UpdateTime, ScalarFactor, LinearFactor, DecayInterval, HighCount, LastDecayTime, Namespace FROM AtomicCounters WHERE Name LIKE ? AND Namespace = ?;
Source: mpengine.dll0.0.dr Binary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory ORDER BY TimeStamp DESC;
Source: mpengine.dll0.0.dr Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(2, 1, date('now'));
Source: mpengine.dll0.0.dr Binary or memory string: UPDATE AttributeCounts SET Name = ?, Count = ?, InsertTime = ?, ExpireTime = ? WHERE Key = ?;
Source: mpengine.dll0.0.dr Binary or memory string: INSERT INTO FileLowFiAsync(Key, FileName, SigSeq, SigSha, SigIsSync, InstanceTimeStamp) VALUES(?, ? , ? , ? , ? , ?);SELECT COUNT(1) FROM FileLowFiAsync; DELETE FROM FileLowFiAsync WHERE FileLowFiAsync.Key = ?; SELECT Key FROM FileLowFiAsync WHERE FileLowFiAsync.Key = ?; SELECT Key, FileName, SigSeq, SigSha, SigIsSync, InstanceTimeStamp FROM FileLowFiAsync WHERE Key = ?; DELETE FROM FileLowFiAsync WHERE InstanceTimeStamp < ?;
Source: mpengine.dll0.0.dr Binary or memory string: INSERT INTO FolderGuardPaths(UserIdHash, UserId, GUID, Path) VALUES ( ?, ?, ?, ? );
Source: mpengine.dll0.0.dr Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(35, 1, date('now'));
Source: integrator.exe.0.dr Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: mpengine.dll0.0.dr Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(25, 1, date('now'));
Source: mpengine.dll0.0.dr Binary or memory string: SELECT Key FROM AttributePersistContext WHERE AttributePersistContext.Key = ?; Invalid prefix for persisted attribute context query.SELECT Key, FilePath, Context, InsertTime, ExpireTime FROM AttributePersistContext WHERE FilePath LIKE ?; DELETE FROM AttributePersistContext WHERE ExpireTime < ?; ;
Source: mpengine.dll0.0.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);viewVIEWTABLEname='%q' AND type='index'sqlite_temp_masterviews may not be indexedtbl_name='%q' AND type!='trigger'UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d-%Tdefault value of column [%s] is not constantAUTOINCREMENT not allowed on WITHOUT ROWID tablesthere is already an index named %sunknown database: %sindex '%q'ORDER BY%s clause should come after %s not beforeLIMITtable %s may not be modifiedDELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'table %S has no column named %sseqfromtoon_updateon_deletecidnotnulldflt_valuepkhiddenseqnocollidxwdthhghtflgsuniqueoriginparentfkidfilebusylogcheckpointedbuiltincache_sizetimeoutactivate_extensionsapplication_idautomatic_indexbusy_timeoutcache_spillcase_sensitive_likecell_size_checkcheckpoint_fullfsynccollation_listcount_changesdata_store_directorydata_versiondatabase_listempty_result_callbacksencodingfreelist_countfull_column_namesfullfsynchexrekeyignore_check_constraintsindex_infoindex_listindex_xinfointegrity_checkjournal_modejournal_size_limitlegacy_alter_tablelegacy_file_formatlocking_modemax_page_countmmap_sizeoptimizepage_countpage_sizequery_onlyquick_checkread_uncommittedrecursive_triggersrekeyreverse_unordered_selectsschema_versionsecure_deleteshort_column_namesshrink_memorysoft_heap_limitsynchronoustable_infotable_xinfotemp_storetemp_store_directorytextkeytextrekeythreadsuser_versionwal_autocheckpointwal_checkpointwritable_schema
Source: mpengine.dll0.0.dr Binary or memory string: SELECT Count(1) FROM BmFileStartupActions;
Source: mpengine.dll0.0.dr Binary or memory string: SELECT Count(1) FROM NetworkIpFirewallRulesOutgoing;
Source: mpengine.dll0.0.dr Binary or memory string: SELECT Key FROM AttributePersistContext ORDER BY InsertTime ASC LIMIT 1;
Source: mpengine.dll0.0.dr Binary or memory string: INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(36, 1, date('now'));
Source: jqXe6tttFa.exe ReversingLabs: Detection: 83%
Source: jqXe6tttFa.exe Virustotal: Detection: 81%
Source: unknown Process created: C:\Users\user\Desktop\jqXe6tttFa.exe "C:\Users\user\Desktop\jqXe6tttFa.exe"
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://primearea.biz/product/235093/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2004 --field-trial-handle=1968,i,11388631023662119758,12511579874386185583,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Section loaded: windows.shell.servicehostbuilder.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Section loaded: ieframe.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Section loaded: mlang.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Section loaded: policymanager.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Section loaded: msvcp110_win.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1A66AEDC-93C3-4ACC-BA96-08F5716429F7}\InProcServer32
Source: Firefox.lnk.0.dr LNK file: ..\..\..\Program Files\Mozilla Firefox\firefox.exe
Source: SciTE Script Editor.lnk.0.dr LNK file: ..\..\..\..\..\..\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Access\Capabilities\UrlAssociations
Source: jqXe6tttFa.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: jqXe6tttFa.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: jqXe6tttFa.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: BTR.pdbGCTL source: mpengine.dll0.0.dr
Source: Binary string: KSLD.pdb source: mpengine.dll0.0.dr
Source: Binary string: MpUpdate.pdbGCTL source: MpUpdate.dll.0.dr
Source: Binary string: MpAzSubmit.pdb source: MpAzSubmit.dll.0.dr
Source: Binary string: MpCmdRun.pdbGCTL source: MpCmdRun.exe0.0.dr
Source: Binary string: C:\Users\Thomas\Desktop\Povlsomware-master\Povlsomware\obj\Debug\Povlsomware.pdb source: jqXe6tttFa.exe
Source: Binary string: MpDetoursCopyAccelerator.pdb source: MpDetoursCopyAccelerator.dll.0.dr
Source: Binary string: KSLDriver.pdbGCTL source: mpengine.dll0.0.dr
Source: Binary string: MsMpEngCP.pdb source: mpengine.dll0.0.dr
Source: Binary string: BTR.pdb source: mpengine.dll0.0.dr
Source: Binary string: MpCmdRun.pdb source: MpCmdRun.exe0.0.dr
Source: Binary string: mpengine.pdb source: mpengine.dll0.0.dr
Source: Binary string: MsMpEngCP.pdbGCTL source: mpengine.dll0.0.dr
Source: Binary string: MpDlpCmd.pdbGCTL source: MpDlpCmd.exe.0.dr
Source: Binary string: MpAzSubmit.pdbOGPS source: MpAzSubmit.dll.0.dr
Source: Binary string: mpengine.pdbOGPS source: mpengine.dll0.0.dr
Source: Binary string: KSLDriver.pdb source: mpengine.dll0.0.dr
Source: Binary string: ProtectionManagement.pdbGCTL source: ProtectionManagement.dll.0.dr
Source: Binary string: MpCommu.pdb source: MpCommu.dll.0.dr
Source: Binary string: MpDetoursCopyAccelerator.pdbGCTL source: MpDetoursCopyAccelerator.dll.0.dr
Source: Binary string: MpUxAgent.pdb source: MpUxAgent.dll.0.dr
Source: Binary string: MpCommu.pdbGCTL source: MpCommu.dll.0.dr
Source: Binary string: offreg.pdbH source: mpengine.dll0.0.dr
Source: Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb source: integrator.exe.0.dr
Source: Binary string: ProtectionManagement.pdb source: ProtectionManagement.dll.0.dr
Source: Binary string: MpUxAgent.pdbGCTL source: MpUxAgent.dll.0.dr
Source: Binary string: MsMpEngSvc.pdb source: mpengine.dll0.0.dr
Source: Binary string: MpDlpCmd.pdb source: MpDlpCmd.exe.0.dr
Source: Binary string: MsMpEngSvc.pdbGCTL source: mpengine.dll0.0.dr
Source: Binary string: KSLD.pdbGCTL source: mpengine.dll0.0.dr
Source: Binary string: offreg.pdb source: mpengine.dll0.0.dr
Source: Binary string: MpUpdate.pdb source: MpUpdate.dll.0.dr
Source: mpengine.dll.0.dr Static PE information: 0xD9A34D43 [Sat Sep 15 02:06:59 2085 UTC]
Source: MpClient.dll.0.dr Static PE information: section name: .didat
Source: MpCmdRun.exe.0.dr Static PE information: section name: .didat
Source: MpCommu.dll.0.dr Static PE information: section name: .didat
Source: MpDetours.dll.0.dr Static PE information: section name: .detourc
Source: MpDetours.dll.0.dr Static PE information: section name: .detourd
Source: MpRtp.dll.0.dr Static PE information: section name: .didat
Source: MpSvc.dll.0.dr Static PE information: section name: .didat
Source: NisSrv.exe.0.dr Static PE information: section name: .didat
Source: MpCmdRun.exe0.0.dr Static PE information: section name: .didat
Source: VC_redist.x64.exe.0.dr Static PE information: section name: .wixburn
Source: MpDetoursCopyAccelerator.dll.0.dr Static PE information: section name: .detourc
Source: MpDetoursCopyAccelerator.dll.0.dr Static PE information: section name: .detourd
Source: ProtectionManagement.dll.0.dr Static PE information: section name: .didat
Source: MpDetoursCopyAccelerator.dll0.0.dr Static PE information: section name: .detourc
Source: MpDetoursCopyAccelerator.dll0.0.dr Static PE information: section name: .detourd

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\jqXe6tttFa.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpUpdate.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpSvc.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCommu.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe
Source: C:\Users\user\Desktop\jqXe6tttFa.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: C:\Users\user\Desktop\jqXe6tttFa.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpAzSubmit.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe
Source: C:\Users\user\Desktop\jqXe6tttFa.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\endpointdlp.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe
Source: C:\Users\user\Desktop\jqXe6tttFa.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe
Source: C:\Users\user\Desktop\jqXe6tttFa.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpEvMsg.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MsMpLics.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\DefenderCSP.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpRtp.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpAsDesc.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\endpointdlp.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe System file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe
Source: C:\Users\user\Desktop\jqXe6tttFa.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ProtectionManagement.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpUxAgent.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDetoursCopyAccelerator.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe
Source: C:\Users\user\Desktop\jqXe6tttFa.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDetours.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpClient.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpSenseComm.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpUpdate.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpSenseComm.dll.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCommu.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpAzSubmit.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\endpointdlp.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpAsDesc.dll.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpUxAgent.dll.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpDetoursCopyAccelerator.dll.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpAsDesc.dll.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MsMpLics.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\DefenderCSP.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpEvMsg.dll.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpRtp.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpAsDesc.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{744D5067-632F-490D-A7F8-522F3DDB7ACB}\mpengine.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDetours.dll.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ProtectionManagement.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MsMpLics.dll.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpDetoursCopyAccelerator.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpLics.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDetours.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpSvc.dll.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\endpointdlp.dll.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDetoursCopyAccelerator.dll.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Definition Updates\{744D5067-632F-490D-A7F8-522F3DDB7ACB}\mpengine.dll.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpUpdate.dll.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpSvc.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpAzSubmit.dll.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpEvMsg.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpRtp.dll.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpLics.dll.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCommu.dll.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpAsDesc.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpUxAgent.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDetoursCopyAccelerator.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpClient.dll.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ProtectionManagement.dll.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\DefenderCSP.dll.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpClient.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpSenseComm.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Ransomtoad
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Memory allocated: 9C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Memory allocated: 1A520000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Window / User API: threadDelayed 2044
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Window / User API: threadDelayed 7278
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpUpdate.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpSenseComm.dll.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCommu.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpAzSubmit.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\endpointdlp.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpUxAgent.dll.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpAsDesc.dll.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpDetoursCopyAccelerator.dll.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpAsDesc.dll.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MsMpLics.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpEvMsg.dll.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\DefenderCSP.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpRtp.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpAsDesc.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{744D5067-632F-490D-A7F8-522F3DDB7ACB}\mpengine.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDetours.dll.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ProtectionManagement.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MsMpLics.dll.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpDetoursCopyAccelerator.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpLics.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDetours.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpSvc.dll.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDetoursCopyAccelerator.dll.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\endpointdlp.dll.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Definition Updates\{744D5067-632F-490D-A7F8-522F3DDB7ACB}\mpengine.dll.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpUpdate.dll.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpSvc.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpAzSubmit.dll.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpEvMsg.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpRtp.dll.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpLics.dll.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCommu.dll.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpAsDesc.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpUxAgent.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpClient.dll.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDetoursCopyAccelerator.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ProtectionManagement.dll.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\DefenderCSP.dll.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpClient.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpSenseComm.dll
Source: C:\Users\user\Desktop\jqXe6tttFa.exe TID: 6956 Thread sleep time: -1226400s >= -30000s
Source: C:\Users\user\Desktop\jqXe6tttFa.exe TID: 6956 Thread sleep time: -4366800s >= -30000s
Source: mpengine.dll0.0.dr Binary or memory string: detects_vmware
Source: jqXe6tttFa.exe, 00000000.00000002.4136818503.000000001AFB6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\MM
Source: jqXe6tttFa.exe, 00000000.00000002.4136818503.000000001AF30000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: ProtectionManagement.dll.0.dr Binary or memory string: Microsoft HvVMwareVMware
Source: mpengine.dll0.0.dr Binary or memory string: azurevirtualmachinename_scrubbed
Source: ProtectionManagement.dll.0.dr Binary or memory string: VMwareVMware
Source: jqXe6tttFa.exe, 00000000.00000002.4136818503.000000001AF9E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: mpengine.dll0.0.dr Binary or memory string: azurevirtualmachinename
Source: jqXe6tttFa.exe, 00000000.00000002.4136818503.000000001AFB6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: w-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}D
Source: mpengine.dll0.0.dr Binary or memory string: dynmem_detects_vmware
Source: mpengine.dll0.0.dr Binary or memory string: pea_dynmem_detects_vmware
Source: mpengine.dll0.0.dr Binary or memory string: pea_detects_vmware
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe.rtcrypted (copy)
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://primearea.biz/product/235093/
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Queries volume information: C:\Users\user\Desktop\jqXe6tttFa.exe VolumeInformation
Source: C:\Users\user\Desktop\jqXe6tttFa.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\jqXe6tttFa.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\AlternateServices.txt
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\pkcs11.txt
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\SiteSecurityServiceState.txt
Source: C:\Users\user\Desktop\jqXe6tttFa.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\Telemetry.FailedProfileLocks.txt
Source: jqXe6tttFa.exe, 00000000.00000002.4132924740.0000000002521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: jqXe6tttFa.exe, 00000000.00000002.4132924740.0000000002521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vC:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: jqXe6tttFa.exe, 00000000.00000002.4132924740.0000000002521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vC:\Users\All Users\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: jqXe6tttFa.exe, 00000000.00000002.4132924740.0000000002521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: jqXe6tttFa.exe, 00000000.00000002.4132924740.0000000002521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\Users\All Users\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: jqXe6tttFa.exe, 00000000.00000002.4132924740.0000000002521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: jqXe6tttFa.exe, 00000000.00000002.4132924740.0000000002521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: eC:\Users\All Users\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: jqXe6tttFa.exe, 00000000.00000002.4132924740.0000000002521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: jqXe6tttFa.exe, 00000000.00000002.4132924740.0000000002521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: jqXe6tttFa.exe, 00000000.00000002.4132924740.0000000002521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: jqXe6tttFa.exe, 00000000.00000002.4132924740.0000000002521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: jqXe6tttFa.exe, 00000000.00000002.4132924740.0000000002521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: jqXe6tttFa.exe, 00000000.00000002.4132924740.0000000002521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: jqXe6tttFa.exe, 00000000.00000002.4132924740.0000000002521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: jqXe6tttFa.exe, 00000000.00000002.4132924740.0000000002521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: jqXe6tttFa.exe, 00000000.00000002.4132924740.0000000002521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: jqXe6tttFa.exe, 00000000.00000002.4132924740.0000000002521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: jqXe6tttFa.exe, 00000000.00000002.4132924740.0000000002521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\Documents and Settings\All Users\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: jqXe6tttFa.exe, 00000000.00000002.4132924740.0000000002521000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe