Edit tour

Windows Analysis Report
jqXe6tttFa.exe

Overview

General Information

Sample name:	jqXe6tttFa.exe renamed because original name is a hash value
Original sample name:	fd32cec288cec4f16dc5430cf86dc17e1d4cf941d635979fc17a59c8d6d83d44.exe
Analysis ID:	1428504
MD5:	c7cfaca6501361febe27a6b3e66a61bf
SHA1:	55a3414b9668596e120139a059db91a306281dcc
SHA256:	fd32cec288cec4f16dc5430cf86dc17e1d4cf941d635979fc17a59c8d6d83d44
Infos:

Detection

Povlsomware, RansomeToad

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Povlsomware Ransomware

Yara detected RansomeToad Ransomware

Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS)

Infects executable files (exe, dll, sys, html)

Machine Learning detection for sample

May encrypt documents and pictures (Ransomware)

Modifies existing user documents (likely ransomware behavior)

Overwrites Mozilla Firefox settings

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Classification

Process Tree

System is w10x64

jqXe6tttFa.exe (PID: 6876 cmdline: "C:\Users\user\Desktop\jqXe6tttFa.exe" MD5: C7CFACA6501361FEBE27A6B3E66A61BF)

chrome.exe (PID: 2696 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://primearea.biz/product/235093/ MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 4904 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2004 --field-trial-handle=1968,i,11388631023662119758,12511579874386185583,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Povlsomware	According to Trend Micro, Povlsomware (Ransom.MSIL.POVLSOM.THBAOBA) is a proof-of-concept (POC) ransomware first released in November 2020 which, according to their Github page, is used to securely test the ransomware protection capabilities of security vendor products.	No Attribution	https://www.trendmicro.com/en_us/research/21/c/povlsomware-ransomware-features-cobalt-strike-compatibility.html https://youtu.be/oYLs6wuoOfg	https://malpedia.caad.fkie.fraunhofer.de/details/win.povlsomware

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: jqXe6tttFa.exe PID: 6876	JoeSecurity_Povlsomware	Yara detected Povlsomware Ransomware	Joe Security
Process Memory Space: jqXe6tttFa.exe PID: 6876	JoeSecurity_RansomeToad	Yara detected RansomeToad Ransomware	Joe Security

Sigma Signatures

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Users\user\Desktop\jqXe6tttFa.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\jqXe6tttFa.exe, ProcessId: 6876, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ransomtoad

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: jqXe6tttFa.exe	ReversingLabs: Detection: 83%
Source: jqXe6tttFa.exe	Virustotal: Detection: 81%			Perma Link

Machine Learning detection for sample

Source: jqXe6tttFa.exe

Joe Sandbox ML: detected

Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.33.134.2:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.33.134.2:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.4:49747 version: TLS 1.2

Source: jqXe6tttFa.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: BTR.pdbGCTL source: mpengine.dll0.0.dr
Source:	Binary string: KSLD.pdb source: mpengine.dll0.0.dr
Source:	Binary string: MpUpdate.pdbGCTL source: MpUpdate.dll.0.dr
Source:	Binary string: MpAzSubmit.pdb source: MpAzSubmit.dll.0.dr
Source:	Binary string: MpCmdRun.pdbGCTL source: MpCmdRun.exe0.0.dr
Source:	Binary string: C:\Users\Thomas\Desktop\Povlsomware-master\Povlsomware\obj\Debug\Povlsomware.pdb source: jqXe6tttFa.exe
Source:	Binary string: MpDetoursCopyAccelerator.pdb source: MpDetoursCopyAccelerator.dll.0.dr
Source:	Binary string: KSLDriver.pdbGCTL source: mpengine.dll0.0.dr
Source:	Binary string: MsMpEngCP.pdb source: mpengine.dll0.0.dr
Source:	Binary string: BTR.pdb source: mpengine.dll0.0.dr
Source:	Binary string: MpCmdRun.pdb source: MpCmdRun.exe0.0.dr
Source:	Binary string: mpengine.pdb source: mpengine.dll0.0.dr
Source:	Binary string: MsMpEngCP.pdbGCTL source: mpengine.dll0.0.dr
Source:	Binary string: MpDlpCmd.pdbGCTL source: MpDlpCmd.exe.0.dr
Source:	Binary string: MpAzSubmit.pdbOGPS source: MpAzSubmit.dll.0.dr
Source:	Binary string: mpengine.pdbOGPS source: mpengine.dll0.0.dr
Source:	Binary string: KSLDriver.pdb source: mpengine.dll0.0.dr
Source:	Binary string: ProtectionManagement.pdbGCTL source: ProtectionManagement.dll.0.dr
Source:	Binary string: MpCommu.pdb source: MpCommu.dll.0.dr
Source:	Binary string: MpDetoursCopyAccelerator.pdbGCTL source: MpDetoursCopyAccelerator.dll.0.dr
Source:	Binary string: MpUxAgent.pdb source: MpUxAgent.dll.0.dr
Source:	Binary string: MpCommu.pdbGCTL source: MpCommu.dll.0.dr
Source:	Binary string: offreg.pdbH source: mpengine.dll0.0.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb source: integrator.exe.0.dr
Source:	Binary string: ProtectionManagement.pdb source: ProtectionManagement.dll.0.dr
Source:	Binary string: MpUxAgent.pdbGCTL source: MpUxAgent.dll.0.dr
Source:	Binary string: MsMpEngSvc.pdb source: mpengine.dll0.0.dr
Source:	Binary string: MpDlpCmd.pdb source: MpDlpCmd.exe.0.dr
Source:	Binary string: MsMpEngSvc.pdbGCTL source: mpengine.dll0.0.dr
Source:	Binary string: KSLD.pdbGCTL source: mpengine.dll0.0.dr
Source:	Binary string: offreg.pdb source: mpengine.dll0.0.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: integrator.exe.0.dr
Source:	Binary string: MpUpdate.pdb source: MpUpdate.dll.0.dr

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\Desktop\jqXe6tttFa.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpUpdate.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpSvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCommu.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpAzSubmit.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpEvMsg.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MsMpLics.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\DefenderCSP.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpRtp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpAsDesc.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	System file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ProtectionManagement.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpUxAgent.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDetoursCopyAccelerator.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDetours.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpClient.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpSenseComm.dll	Jump to behavior

Source: Joe Sandbox View

IP Address: 239.255.255.250 239.255.255.250

Source: Joe Sandbox View

JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 23.33.134.2
Source: unknown	TCP traffic detected without corresponding DNS query: 23.33.134.2
Source: unknown	TCP traffic detected without corresponding DNS query: 23.33.134.2
Source: unknown	TCP traffic detected without corresponding DNS query: 23.33.134.2
Source: unknown	TCP traffic detected without corresponding DNS query: 23.33.134.2
Source: unknown	TCP traffic detected without corresponding DNS query: 23.33.134.2
Source: unknown	TCP traffic detected without corresponding DNS query: 23.33.134.2
Source: unknown	TCP traffic detected without corresponding DNS query: 23.33.134.2
Source: unknown	TCP traffic detected without corresponding DNS query: 23.33.134.2
Source: unknown	TCP traffic detected without corresponding DNS query: 23.33.134.2
Source: unknown	TCP traffic detected without corresponding DNS query: 23.33.134.2
Source: unknown	TCP traffic detected without corresponding DNS query: 23.33.134.2
Source: unknown	TCP traffic detected without corresponding DNS query: 23.33.134.2
Source: unknown	TCP traffic detected without corresponding DNS query: 23.33.134.2
Source: unknown	TCP traffic detected without corresponding DNS query: 23.33.134.2
Source: unknown	TCP traffic detected without corresponding DNS query: 23.33.134.2
Source: unknown	TCP traffic detected without corresponding DNS query: 23.33.134.2
Source: unknown	TCP traffic detected without corresponding DNS query: 23.33.134.2
Source: unknown	TCP traffic detected without corresponding DNS query: 23.33.134.2
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157

Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=Y9Bovd3FB3pfDT2&MD=1VU9cbn4 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /product/235093/ HTTP/1.1Host: primearea.bizConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=Y9Bovd3FB3pfDT2&MD=1VU9cbn4 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: unknown

DNS traffic detected: queries for: primearea.biz

Source: integrator.exe.0.dr	String found in binary or memory: http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte
Source: MpCommu.dll.0.dr	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest
Source: MpCommu.dll.0.dr	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: MpCommu.dll.0.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: mpengine.dll0.0.dr	String found in binary or memory: http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web
Source: mpengine.dll0.0.dr	String found in binary or memory: http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=webreferrercookieerr_regexperr_stringerr_error
Source: jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: prefs.js.0.dr	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: prefs.js.0.dr	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: prefs.js.0.dr	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: prefs.js.0.dr	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: prefs.js.0.dr	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: integrator.exe.0.dr	String found in binary or memory: https://nexus.officeapps.live.comhttps://nexusrules.officeapps.live.com
Source: integrator.exe.0.dr	String found in binary or memory: https://otelrules.azureedge.net/rules/.bundlesdxhelper.exeFailed
Source: jqXe6tttFa.exe, 00000000.00000002.4132924740.0000000002521000.00000004.00000800.00020000.00000000.sdmp, jqXe6tttFa.exe, 00000000.00000002.4136818503.000000001AF30000.00000004.00000020.00020000.00000000.sdmp, jqXe6tttFa.exe, 00000000.00000002.4136818503.000000001AF9E000.00000004.00000020.00020000.00000000.sdmp, jqXe6tttFa.exe, 00000000.00000002.4136818503.000000001AFB6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://primearea.biz/product/235093/
Source: jqXe6tttFa.exe, 00000000.00000002.4131952380.00000000006FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://primearea.biz/product/235093/.0lnkM
Source: jqXe6tttFa.exe	String found in binary or memory: https://primearea.biz/product/235093/3Decrypting...
Source: jqXe6tttFa.exe, 00000000.00000002.4136818503.000000001AF30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://primearea.biz/product/235093/5
Source: jqXe6tttFa.exe, 00000000.00000002.4136818503.000000001AF9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://primearea.biz/product/235093/X
Source: jqXe6tttFa.exe, 00000000.00000002.4136818503.000000001AF30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://primearea.biz/product/235093/l
Source: jqXe6tttFa.exe, 00000000.00000002.4136818503.000000001AF30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://primearea.biz/product/235093/o
Source: jqXe6tttFa.exe, 00000000.00000002.4136818503.000000001AF30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://primearea.biz/product/235093/q
Source: jqXe6tttFa.exe	String found in binary or memory: https://primearea.biz/product/235093/qSOFTWARE
Source: jqXe6tttFa.exe, 00000000.00000002.4136818503.000000001AF30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://primearea.biz/product/235093/w
Source: jqXe6tttFa.exe, 00000000.00000002.4136818503.000000001AF23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://primearea.biz/product/235093/xU
Source: prefs.js.0.dr	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: mpengine.dll0.0.dr	String found in binary or memory: https://www.apple.com/appleca/0
Source: prefs.js.0.dr	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49672
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.33.134.2:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.33.134.2:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.4:49747 version: TLS 1.2

Source: integrator.exe.0.dr

Binary or memory string: RegisterRawInputDevices

memstr_89d4ff78-7

Spam, unwanted Advertisements and Ransom Demands

Yara detected Povlsomware Ransomware

Source: Yara match

File source: Process Memory Space: jqXe6tttFa.exe PID: 6876, type: MEMORYSTR

Yara detected RansomeToad Ransomware

Source: Yara match

File source: Process Memory Space: jqXe6tttFa.exe PID: 6876, type: MEMORYSTR

May encrypt documents and pictures (Ransomware)

Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: c:\documents and settings\all users\application data\application data\application data\application data\application data\application data\application data\application data\application data\application data\microsoft\diagnosis\osver.txt.rtcrypted	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: c:\documents and settings\all users\application data\application data\application data\application data\application data\application data\application data\application data\application data\application data\microsoft\user account pictures\guest.bmp.rtcrypted	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: c:\documents and settings\all users\application data\application data\application data\application data\application data\application data\application data\application data\application data\application data\microsoft\user account pictures\user.bmp.rtcrypted	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: c:\documents and settings\all users\application data\application data\application data\application data\application data\application data\application data\application data\application data\application data\microsoft\windows\models\sbcmodel.txt.rtcrypted	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: c:\documents and settings\all users\application data\application data\application data\application data\application data\application data\application data\application data\application data\application data\microsoft\windows nt\msscan\welcomescan.jpg.rtcrypted	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: c:\documents and settings\all users\application data\application data\application data\application data\application data\application data\application data\application data\microsoft\windows defender\platform\4.18.23080.2006-0\thirdpartynotices.txt.rtcrypted	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: c:\documents and settings\all users\application data\application data\application data\application data\application data\application data\microsoft\windows\systemdata\s-1-5-18\readonly\lockscreen_z\lockscreen___1024_0768_notdimmed.jpg.rtcrypted	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: c:\documents and settings\all users\application data\application data\application data\application data\application data\application data\microsoft\windows\systemdata\s-1-5-18\readonly\lockscreen_z\lockscreen___1280_1024_notdimmed.jpg.rtcrypted	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: c:\documents and settings\user\appdata\roaming\microsoft\windows\recent\bnagmgsplo.jpg.rtcrypted	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: c:\documents and settings\user\appdata\roaming\microsoft\windows\recent\curqnkvoix.docx.rtcrypted	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: c:\documents and settings\user\appdata\roaming\microsoft\windows\recent\efgrwfcuws.jpg.rtcrypted	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: c:\documents and settings\user\appdata\roaming\microsoft\windows\recent\jsdngycowy.jpg.rtcrypted	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: c:\documents and settings\user\appdata\roaming\microsoft\windows\recent\kataxzvcps.jpg.rtcrypted	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: c:\documents and settings\user\appdata\roaming\microsoft\windows\recent\nebfqqywps.docx.rtcrypted	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: c:\documents and settings\user\appdata\roaming\microsoft\windows\recent\nirmekamzh.jpg.rtcrypted	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: c:\documents and settings\user\appdata\roaming\microsoft\windows\recent\nwtvcdumob.jpg.rtcrypted	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: c:\documents and settings\user\appdata\roaming\microsoft\windows\recent\onbqclyspu.docx.rtcrypted	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: c:\documents and settings\user\appdata\roaming\microsoft\windows\recent\ummbdneqbn.docx.rtcrypted	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: c:\documents and settings\user\appdata\roaming\microsoft\windows\recent\vlzdgukutz.docx.rtcrypted	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: c:\documents and settings\user\appdata\roaming\microsoft\windows\recent\wutjscbcfx.docx.rtcrypted	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: c:\documents and settings\user\appdata\roaming\microsoft\windows\themes\cachedfiles\cachedimage_1280_1024_pos4.jpg.rtcrypted	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: c:\documents and settings\user\appdata\roaming\mozilla\firefox\profiles\fqs92o4p.default-release\alternateservices.txt.rtcrypted	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: c:\documents and settings\user\appdata\roaming\mozilla\firefox\profiles\fqs92o4p.default-release\pkcs11.txt.rtcrypted	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: c:\documents and settings\user\appdata\roaming\mozilla\firefox\profiles\fqs92o4p.default-release\sitesecurityservicestate.txt.rtcrypted	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: c:\documents and settings\user\appdata\roaming\mozilla\firefox\profiles\fqs92o4p.default-release\telemetry.failedprofilelocks.txt.rtcrypted	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: c:\documents and settings\user\desktop\jsdngycowy.jpg.rtcrypted	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: c:\documents and settings\user\desktop\kataxzvcps.jpg.rtcrypted	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: c:\documents and settings\user\desktop\nwtvcdumob.jpg.rtcrypted	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: c:\documents and settings\user\desktop\onbqclyspu.docx.rtcrypted	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: c:\documents and settings\user\desktop\ummbdneqbn.docx.rtcrypted	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: c:\documents and settings\user\desktop\vlzdgukutz.docx.rtcrypted	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: c:\documents and settings\user\desktop\onbqclyspu\kataxzvcps.jpg.rtcrypted	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: c:\documents and settings\user\desktop\onbqclyspu\onbqclyspu.docx.rtcrypted	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: c:\documents and settings\user\desktop\ummbdneqbn\jsdngycowy.jpg.rtcrypted	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: c:\documents and settings\user\desktop\ummbdneqbn\ummbdneqbn.docx.rtcrypted	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: c:\documents and settings\user\desktop\vlzdgukutz\nwtvcdumob.jpg.rtcrypted	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: c:\documents and settings\user\desktop\vlzdgukutz\vlzdgukutz.docx.rtcrypted	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: c:\documents and settings\user\documents\jsdngycowy.jpg.rtcrypted	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: c:\documents and settings\user\documents\kataxzvcps.jpg.rtcrypted	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: c:\documents and settings\user\documents\nwtvcdumob.jpg.rtcrypted	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: c:\documents and settings\user\documents\onbqclyspu.docx.rtcrypted	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: c:\documents and settings\user\documents\ummbdneqbn.docx.rtcrypted	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: c:\documents and settings\user\documents\vlzdgukutz.docx.rtcrypted	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: c:\documents and settings\user\documents\onbqclyspu\kataxzvcps.jpg.rtcrypted	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: c:\documents and settings\user\documents\onbqclyspu\onbqclyspu.docx.rtcrypted	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: c:\documents and settings\user\documents\ummbdneqbn\jsdngycowy.jpg.rtcrypted	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: c:\documents and settings\user\documents\ummbdneqbn\ummbdneqbn.docx.rtcrypted	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: c:\documents and settings\user\documents\vlzdgukutz\nwtvcdumob.jpg.rtcrypted	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: c:\documents and settings\user\documents\vlzdgukutz\vlzdgukutz.docx.rtcrypted	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: c:\documents and settings\user\downloads\jsdngycowy.jpg.rtcrypted	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: c:\documents and settings\user\downloads\kataxzvcps.jpg.rtcrypted	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: c:\documents and settings\user\downloads\nwtvcdumob.jpg.rtcrypted	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: c:\documents and settings\user\downloads\onbqclyspu.docx.rtcrypted	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: c:\documents and settings\user\downloads\ummbdneqbn.docx.rtcrypted	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: c:\documents and settings\user\downloads\vlzdgukutz.docx.rtcrypted	Jump to behavior

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File moved: C:\Users\user\Desktop\KATAXZVCPS.jpg	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File deleted: C:\Users\user\Desktop\KATAXZVCPS.jpg	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File moved: C:\Users\user\Desktop\CURQNKVOIX.mp3	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File deleted: C:\Users\user\Desktop\CURQNKVOIX.mp3	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File moved: C:\Users\user\Desktop\ONBQCLYSPU\ONBQCLYSPU.docx	Jump to behavior

Source: C:\Users\user\Desktop\jqXe6tttFa.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\jqXe6tttFa.exe

Code function: 0_2_00007FFD9B8738EB

0_2_00007FFD9B8738EB

Source: mpengine.dll.0.dr	Static PE information: Resource name: PACKEDBINARY type: PE32+ executable (native) x86-64, for MS Windows
Source: mpengine.dll.0.dr	Static PE information: Resource name: PACKEDBINARY type: PE32+ executable (native) x86-64, for MS Windows
Source: mpengine.dll.0.dr	Static PE information: Resource name: PACKEDBINARY type: PE32+ executable (native) x86-64, for MS Windows
Source: mpengine.dll.0.dr	Static PE information: Resource name: PACKEDBINARY type: PE32+ executable (GUI) x86-64, for MS Windows
Source: mpengine.dll.0.dr	Static PE information: Resource name: PACKEDBINARY type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Source: mpengine.dll.0.dr	Static PE information: Resource name: PACKEDBINARY type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Source: mpengine.dll0.0.dr	Static PE information: Resource name: PACKEDBINARY type: PE32+ executable (native) x86-64, for MS Windows
Source: mpengine.dll0.0.dr	Static PE information: Resource name: PACKEDBINARY type: PE32+ executable (native) x86-64, for MS Windows
Source: mpengine.dll0.0.dr	Static PE information: Resource name: PACKEDBINARY type: PE32+ executable (native) x86-64, for MS Windows
Source: mpengine.dll0.0.dr	Static PE information: Resource name: PACKEDBINARY type: PE32+ executable (GUI) x86-64, for MS Windows
Source: mpengine.dll0.0.dr	Static PE information: Resource name: PACKEDBINARY type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Source: mpengine.dll0.0.dr	Static PE information: Resource name: PACKEDBINARY type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Source: MpUxAgent.dll.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: mpengine_etw.dll.0.dr	Static PE information: Resource name: PACKEDBINARY type: PE32+ executable (native) x86-64, for MS Windows
Source: mpengine_etw.dll.0.dr	Static PE information: Resource name: PACKEDBINARY type: PE32+ executable (native) x86-64, for MS Windows
Source: mpengine_etw.dll.0.dr	Static PE information: Resource name: PACKEDBINARY type: PE32+ executable (native) x86-64, for MS Windows
Source: mpengine_etw.dll.0.dr	Static PE information: Resource name: PACKEDBINARY type: PE32+ executable (GUI) x86-64, for MS Windows
Source: mpengine_etw.dll.0.dr	Static PE information: Resource name: PACKEDBINARY type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Source: mpengine_etw.dll.0.dr	Static PE information: Resource name: PACKEDBINARY type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows

Source: MsMpLics.dll.0.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.0.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.0.dr	Static PE information: No import functions for PE file found
Source: MsMpLics.dll0.0.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll0.0.dr	Static PE information: No import functions for PE file found

Source: jqXe6tttFa.exe, 00000000.00000000.1664483406.0000000000282000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamePovlsomware.exe8 vs jqXe6tttFa.exe
Source: jqXe6tttFa.exe	Binary or memory string: OriginalFilenamePovlsomware.exe8 vs jqXe6tttFa.exe

Source: mpengine.dll0.0.dr	Binary string: ,PartitionEngine.BM.LegacyFileModifyDeprecationUnexpectedNotificationsDropping FileNotification of type %lu because its deprecated.37345798\Device\Harddisk7
Source: mpengine.dll0.0.dr	Binary string: %\Invalid compute device.Invalid algorithm(%u).Invalid number of max gpu records(%u) specified. Max supported(%u)Algorithm(%u) not implemented.,0x) Configuration is null - using default values (device: TDT_DEVICE_GPU algo: TDT_DT_ALGO_RFC Max gpu records:%u.)dtworkloadUnknown operator type (%u), expected(%u)Feature value data type mismatch. Data type in model(%d), classifier(%d)Class value data type mismatch. Data type in model(%d), classifier(%d)Invalid number of trees(%u)/features(%u)/classes(%u)/split nodes(%u)/class values(%u).Threshold data type mismatch. Data type in model(%d), classifier(%d)Unable to compute checksum. Checksum status(%llx)Invalid blob size(%u)unsupported RFC version(%u)Unsupported header size(%u)Unsupported header version(%u)Invalid blob offset(%u)Unsupported blob type(%u)Memory allocation failure. %sFailed to get the model parameters for model handle(%u)Invalid header magic(0x%X)Failed to create a model handleInvalid model info null pointer.Failed to find the model for legacy model handle(%u)Buffer size specified for features/classes stream is size too small for the records specified.Number of CPU threads used: %zuNull input parameters.Invalid number of records.Invalid features/classes stream buffer size.Null input stream buffer parameters.model_blob_size(%u) < min model blob size(%u)Tree(%u) Num split nodes(%u)/Classes(%u)/Num leaf_class values(%u) exceeded max limit(%u).model_blob_size is too smalltree[%u]->leaf node begin offset(%u) is invalid or >= number(%u) of leaf nodestree[%u]->root node offset(%u) >= number(%u) of split nodestree[%u]->num split nodes(%u) + 1 != tree[%u]->num leaf nodes(%u) tree[%u]->first leaf node offset(%u) >= tree[%u]->first leaf node offset(%u)tree[%u]->root node offset(%u) should be 0tree[%u]->root node offset(%u) >= total split nodes(%u)tree[%u]->first leaf node offset(%u) >= max leaf node offset(%u)tree[%u]->split node right(%d) >= tree[%u]->number(%u) of split nodestree[%u]->split node right(%d) invalid or < tree[%u]->min offset(%u) for leaf nodesWeight value data type mismatch. Data type in model(%d), classifier(%d)Invalid split node data type.Failed to create a model handle.Failed to load decision tree shader.Null ptr in features/classes records.Invalid number of records(%u). Max supported value(%u)DirectX failed while setting up model.(0x%x)DirectX failed while classifying stream data.(0x%x)Invalid number of gpu max records(%u). Max supported value(%u)Invalid input model handle(%u)Error in processing tts_pmi_v2_record_t: remaining bytes (%zu) is not greater than size of tts_pmi_v2_record_t (%zu)Error in processing tts_pmi_v2_record_t: remaining bytes (%zu) is smaller than record_size (%u),/\NEAR_IND_JUMPNEAR_RETFAR_BRANCHNEAR_REL_JUMPJCCCPL_NEQ_0NEAR_IND_CALLNEAR_REL_CALLCPL_EQ_0pcin_tx_cpcountersoffcore_rspinvanyin_txcmaskumaskintedgeIRP_MJ_CREATE_NAMED_PIPEIRP_MJ_CREATEIRP_MJ_PNPIRP_MJ_SET_QUOTAIRP_MJ_MAXIMUM_FUNCTIONIRP_MJ_PNP_POWERIRP_MJ_SYSTEM_CONTROLIRP_MJ_POWERIRP_MJ_QUERY_QUOTA
Source: mpengine.dll0.0.dr	Binary string: NtQuerySystemInformation\Enum\SecurityMmCopyMemoryHalGetBusDataByOffsetDeviceNameVersion\Device\\DosDevices\AllowedProcessNameImagePathExistingPageFilesPagingFiles\Session Manager\Memory Management\??\ \device\physicalmemoryKslDriver -- LPC Vendor id = 0x%0x, Device id = 0x%0x BaseClass= 0x%x status= 0x%x PhysAddr= %x PhysEnd= %x Pa2= %x PaEnd2= %x
Source: mpengine.dll0.0.dr	Binary string: ValueType\\?\%c:\Device\Harddisk\\.\PHYSICALDRIVEthreatcontext//MpIsIEVScan
Source: mpengine.dll0.0.dr	Binary string: FAT16ExtendedNTFSFAT32FAT12\\.\PHYSICALDRIVE%d%ls%ld\%ls%ld%ls%ls%ld%lsRecoveryDynamic DiskEFI\\.\PHYSICALDRIVE%u\Device\DiskPartitionPACKEDBINARY.%016llXd
Source: mpengine.dll0.0.dr	Binary string: QIntelTDT3\Device\
Source: mpengine.dll0.0.dr	Binary string: \Device\HarddiskVolume),~
Source: mpengine.dll0.0.dr	Binary string: \Software\Classes\Wow6432Node\sysWOW64\syChpe32%c:\%ls%.s%.s%ls\Device\\SystemRoot.cmd.com.bat.EXE.LNK.BAT.CMD.PIF.COMa
Source: MpCmdRun.exe0.0.dr	Binary string: IdImageFileNameFirst Resource TypeTypeScan SourceFirst Resource PathEngineIdResource CountReasonProcessMessagePIDStartStopDataIsSignedFile\Device\\\?\\FI_UNKNOWN\drivers\error: invalid data: System Windows path changed during the trace from "%ls" to "%ls"
Source: mpengine.dll0.0.dr	Binary string: MmCopyMemory\device\physicalmemoryeaxebxecxedxebpesiediespcsdsesfsgssscr0cr2cr3cr4gdtridtrldtrtrdeviceeflagspcountsysentrdebugramsize
Source: mpengine.dll0.0.dr	Binary string: string/function/table expected\device\harddisk*Nothing to repeat.stack overflow (%s)readu_u32 invalid type: table or string expected, got %s!__tostringmp.crc32: failed to convert this table to string!%x(null)wrong number of arguments to 'insert'=[C]nlSSlmain:%d <-. stacktrace: image_pathppidmp.ContextualExpandEnvironmentVariables() from outside sigattr
Source: mpengine.dll0.0.dr	Binary string: ^\Device\HarddiskDm%ProfilesDirectory%\%SystemDrive%\Documents and Settings\S-1-5-19_ClassesS-1-5-20_Classes_Classes\REGISTRY\MACHINE\c39c7c7d-dfa1-4552-8b46-417f11519eac_%08X_0
Source: mpengine.dll0.0.dr	Binary string: E\Device\Harddisk%lu\Partition0\DR\Device\Harddisk%lu\Partition%luMpDisableBootRecordCleanStoreMpBootRecordCleanStoreSimulationMode
Source: mpengine.dll0.0.dr	Binary string: \device\harddiskvolume
Source: mpengine.dll0.0.dr	Binary string: MpParseDetected\Device\HarddiskVolume\\.\\Device\CdRom%c:%ls%ls\%ls%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X%lld%hsFailed to grow Lua stackMpArchivePasswords=ntdllntoskrnlhalkernel32pea_genpacked#ClnFile#ClnInsthr=0x%08X
Source: mpengine.dll0.0.dr	Binary string: \device\Infinite loop detected (more that %d instructions executed)"
Source: mpengine.dll0.0.dr	Binary string: 'authorbinbuptimcolortblcolscommentcreatimdoccommfacingpfifonttblfooterfooterffooterlfooterrfootnoteftncnftnsepftnsepcheaderheaderfheaderlheaderrhtmltagikeywordslandscapeldblquotelimargbmarglmargrmargtobjdataoperatorpaperhpaperwparpgndecpgnlcltrpgnlcrmpgnstartpgnucltrpgnucrmpgnxpgnypictprintimprivate1qcqjqlqrrdblquoterevtimrirxesbkcolsbkevensbknonesbkoddsbkpagestylesheetsubjecttabtctitletxeuxe\Device\HarddiskVolumeinvalid capture indexSigTriggerPropagationMatchMatchMpCommon.BmTriggerSig() second can't be emptyMpCommon.BmTriggerSig() first can't be empty&
Source: mpengine.dll0.0.dr	Binary string: 2A\Device\LanmanRedirector\\Device\Mup\\Device\WebDavRedirector\\Device\WinDfs\\Device\vmsmb\
Source: mpengine.dll0.0.dr	Binary string: \Device\
Source: mpengine.dll0.0.dr	Binary string: \Device\Harddisk%lu\\.\MountPointManager

Source: jqXe6tttFa.exe

Binary or memory string: .pptx.odt.jpg.png.csv.sql.mdb.sln.php

Source: classification engine

Classification label: mal88.rans.spre.phis.evad.winEXE@16/781@4/4

Source: C:\Users\user\Desktop\jqXe6tttFa.exe

File created: C:\Users\user\AppData\Local\RansomeToad.txt

Jump to behavior

Source: C:\Users\user\Desktop\jqXe6tttFa.exe

Mutant created: NULL

Source: jqXe6tttFa.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: jqXe6tttFa.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\jqXe6tttFa.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: mpengine.dll0.0.dr	Binary or memory string: SELECT 1 FROM SQLITE_MASTER WHERE type=? AND name=? LIMIT 1;
Source: mpengine.dll0.0.dr	Binary or memory string: INSERT INTO NetworkIpFirewallRulesOutgoing(Key, FirewallRuleName, ExpiryTime) VALUES (?, ?, ?);
Source: mpengine.dll0.0.dr	Binary or memory string: INSERT INTO FileLowFiAsync(Key, FileName, SigSeq, SigSha, SigIsSync, InstanceTimeStamp) VALUES(?, ? , ? , ? , ? , ?);
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT ID FROM ProcessBlockHistory WHERE ProcessPath = ?;
Source: mpengine.dll0.0.dr	Binary or memory string: INSERT INTO AnomalyInfo(Key, UnbiasedTime) VALUES (?, ?);
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT Key, FilePath, Context, InsertTime, ExpireTime FROM AttributePersistContext WHERE FilePath LIKE ?;
Source: mpengine.dll0.0.dr	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(13, 1, date('now'));
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT Count(1) FROM AutoFeatureControl;
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT DISTINCT TableName FROM AnomalyTables;
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT Key FROM FileHashes WHERE FileHashes.Key = ?;
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT Count(1) FROM RansomwareDetections;
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT Key, VSN, FileID, USN, InstanceTimeStamp, SHA1, MD5, SHA256, LSHASH, LSHASHS, CTPH, PartialCRC1, PartialCRC2, PartialCRC3, KCRC1, KCRC2, KCRC3, KCRC3n FROM FileHashes WHERE Key = ?; _ROWID_ROWIDOIDFailed to grow the stackTagbitorMONITOR_PROCESSCREATEMONITOR_PROCESINJECTIONMONITOR_LSASSREADMEMORYRULETYPE_ENTERPRISERULETYPE_CONSUMERRULETYPE_TELEMETRY_ONLYRULE_DISABLE_AUDIT_INHERITANCERULE_DISABLE_BLOCK_INHERITANCEDEDUPE_SCOPE_EVENTLOGDEDUPE_SCOPE_UIDEDUPE_SCOPE_SENSEDEDUPE_SCOPE_ALLSILENT_EVENTLOGSILENT_UISILENT_SENSESILENT_ALLSTATE_DISABLEDSTATE_BLOCKSTATE_AUDITSTATE_NOT_CONFIGUREDSTATE_WARNSTATE_DELETEDNO_INVOLVEDDOC_EXCLREMEDIATE_PARENTMPENG_%lsD:(A;;GR;;;AU)(A;;GR;;;IU)
Source: mpengine.dll0.0.dr	Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: mpengine.dll0.0.dr	Binary or memory string: INSERT INTO SdnEx(Key, CurrentCount) VALUES (?, ?);DELETE FROM SdnEx;DELETE FROM SdnEx WHERE SdnEx.Key = ?;SELECT Count(1) FROM SdnEx;SELECT ID FROM SdnEx WHERE SdnEx.Key = ?;SELECT Key, CurrentCount FROM SdnEx WHERE Key = ?
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT Count(1) FROM NetworkIpFirewallRules;
Source: mpengine.dll0.0.dr	Binary or memory string: INSERT INTO RollingQueuesValues(EntryTable, EntryKey, EntryValue, InsertTime, ExpireTime) VALUES(? , ? , ? , ? , ?);
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT Key, VSN, FileID, USN, InstanceTimeStamp, SHA1, MD5, SHA256, LSHASH, LSHASHS, CTPH, PartialCRC1, PartialCRC2, PartialCRC3, KCRC1, KCRC2, KCRC3, KCRC3n FROM FileHashes WHERE Key = ?;
Source: integrator.exe.0.dr	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: mpengine.dll0.0.dr	Binary or memory string: INSERT INTO AnomalyTables(Key, TableKey, TableName, UnbiasedTableAge, KeyName, FirstSeen, LastSeen, UnbiasedTime, Value, Order_) VALUES(? , ? , ? , ? , ? , ? , ? , ? , ? , ?);
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? ORDER BY TimeStamp DESC;
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT COUNT(1) FROM FileLowFiAsync;
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT Count(1) FROM SystemFileCache WHERE CleanFileShaHash = ?;
Source: mpengine.dll0.0.dr	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(6, 1, date('now'));
Source: mpengine.dll0.0.dr	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(14, 1, date('now'));
Source: integrator.exe.0.dr, mpengine.dll0.0.dr	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT ID FROM DynSigRevisions WHERE DynSigRevisions.Key = ?;
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? AND TimeStamp = ? ORDER BY TimeStamp DESC;
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE RuleId = ? ORDER BY TimeStamp DESC;
Source: mpengine.dll0.0.dr	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(4, 1, date('now'));
Source: mpengine.dll0.0.dr	Binary or memory string: INSERT INTO BmFileStartupActions(FilePathHash, FilePath, ActionFlags, ProcessStartCount, FdrFlags, FdrThreatRecordId, EvaluatorThreatRecordId, TrustedInstallerThreatRecordId, LFRThreatRecordId) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?);
Source: mpengine.dll0.0.dr	Binary or memory string: INSERT INTO BmFileActions(FileInfoId, ThreatRecordId, Action) VALUES (?, ?, ?);
Source: mpengine.dll0.0.dr	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(5, 1, date('now'));
Source: integrator.exe.0.dr	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT ID FROM FolderGuardPaths WHERE UserIdHash = ? LIMIT 1;
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT Key, Name, Capacity, TimeToLive, Mode, Namespace FROM RollingQueuesTables WHERE Key = ?;
Source: mpengine.dll0.0.dr	Binary or memory string: INSERT INTO RansomwareDetections(Key, DetectionGuid, LkgTS, NextUSN, DetectionTS, ProvisionalRemedComplTS, RemedComplTS, ImpactedCBPNameSpaces, InstanceTimeStamp) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ?);
Source: mpengine.dll0.0.dr	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(12, 1, date('now'));
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT CleanFileSha, CleanFileShaHash FROM SystemFileCache WHERE InstanceTimeStamp < ?;
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT PersistId, PersistIdBlob, ExpirationDate FROM AmsiFileCache WHERE ExpirationDate < DateTime(?);
Source: mpengine.dll0.0.dr	Binary or memory string: INSERT INTO DynSigRevisions(Key, SdnRevision, EsuRevision, BFRevision, EntCertRevision, TamperRevision, AGBlobRevision, BFFileAllowRevision, BFFileBlockRevision, BFCertAllowRevision, BFCertBlockRevision) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?);
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT RuleAction, RuleId, IsAudit, IsInherited, State FROM BmHipsRuleInfo WHERE ProcessInfoId = ?;
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT Key, FirewallRuleName, ExpiryTime FROM NetworkIpFirewallRules WHERE ExpiryTime < ?;
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT Count(1) FROM SystemFileCache;
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? ORDER BY TimeStamp DESC LIMIT 1;
Source: mpengine.dll0.0.dr	Binary or memory string: INSERT INTO BmFileInfo(NormalizedPathHash, DosPathHash, StructVersion, NormalizedPath, DosPath, Wow64Context, MetaContext, IsFromWeb, IsExecutable) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?);
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT Count(1) FROM SdnEx;
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT ID FROM RansomwareDetections WHERE Key = ?;SELECT DetectionGuid, LkgTS, NextUSN, DetectionTS, ProvisionalRemedComplTS, RemedComplTS, ImpactedCBPNameSpaces FROM RansomwareDetections WHERE Key = ?;DELETE FROM RansomwareDetections WHERE InstanceTimeStamp < ?; INSERT INTO RansomwareDetections(Key, DetectionGuid, LkgTS, NextUSN, DetectionTS, ProvisionalRemedComplTS, RemedComplTS, ImpactedCBPNameSpaces, InstanceTimeStamp) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ?);DELETE FROM RansomwareDetections WHERE Key = ?;SELECT Count(1) FROM RansomwareDetections;
Source: mpengine.dll0.0.dr	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(3, 1, date('now'));
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT PersistId, PersistIdBlob, ExpirationDate FROM AmsiFileCache WHERE PersistId = ?;FileCacheRemovalSELECT DateTime('now');+%llu secondsINSERT INTO AmsiFileCache(PersistId, PersistIdBlob, ExpirationDate) VALUES (?, ?, DateTime('now', ?));DELETE AmsiFileCache;DELETE FROM AmsiFileCache WHERE AmsiFileCache.PersistId = ?;SELECT Count(1) FROM AmsiFileCache;SELECT ID FROM AmsiFileCache WHERE AmsiFileCache.PersistId = ?;DELETE FROM AmsiFileCache WHERE ExpirationDate < DateTime(?);Engine.Amsi.FileCacheRemovalResultSELECT PersistId, PersistIdBlob, ExpirationDate FROM AmsiFileCache WHERE ExpirationDate < DateTime(?);
Source: mpengine.dll0.0.dr	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(36, 1, date('now'));
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT EntryTable, EntryKey, EntryValue, InsertTime, ExpireTime FROM RollingQueuesValues WHERE EntryTable = ?;
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT Version, Current, LastUpdated FROM SQLiteGlobals WHERE Current = 1 ORDER BY Version DESC ;
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT ID FROM AmsiFileCache WHERE AmsiFileCache.PersistId = ?;
Source: mpengine.dll0.0.dr	Binary or memory string: INSERT INTO AttributeCounts(Key, Name, Count, InsertTime, ExpireTime) VALUES(? , ? , ? , ? , ?);
Source: mpengine.dll0.0.dr	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(28, 1, date('now'));
Source: mpengine.dll0.0.dr	Binary or memory string: INSERT INTO AttributePersistContext(Key, FilePath, Context, InsertTime, ExpireTime) VALUES(? , ? , ? , ? , ?);
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT ID FROM NetworkIpFirewallRulesOutgoing WHERE NetworkIpFirewallRulesOutgoing.Key = ?;
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT UserId, GUID, Path FROM FolderGuardPaths WHERE UserIdHash = ?INSERT INTO FolderGuardPaths(UserIdHash, UserId, GUID, Path) VALUES ( ?, ?, ?, ? );SELECT Count(DISTINCT UserIdHash) FROM FolderGuardPaths;DELETE FROM FolderGuardPaths WHERE UserIdHash = ?;SELECT ID FROM FolderGuardPaths WHERE UserIdHash = ? LIMIT 1;
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT COUNT(DISTINCT ProcessPath) FROM ProcessBlockHistory;
Source: mpengine.dll0.0.dr	Binary or memory string: INSERT INTO AmsiFileCache(PersistId, PersistIdBlob, ExpirationDate) VALUES (?, ?, DateTime('now', ?));
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT COUNT(1) FROM AttributePersistContext;
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT Count(1) FROM SystemRegistryCache;
Source: mpengine.dll0.0.dr	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(24, 1, date('now'));
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT ID, NormalizedPathHash, DosPathHash, StructVersion, NormalizedPath, DosPath, Wow64Context, MetaContext, IsFromWeb, IsExecutable FROM BmFileInfo WHERE NormalizedPathHash = ? OR DosPathHash = ?;
Source: mpengine.dll0.0.dr	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(11, 1, date('now'));
Source: mpengine.dll0.0.dr	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(31, 1, date('now'));
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT Key, FirewallRuleName, ExpiryTime FROM NetworkIpFirewallRulesOutgoing WHERE ExpiryTime < ?;
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT ID FROM BmFileInfo WHERE NormalizedPathHash = ? OR DosPathHash = ?;
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT InfectedFileSHA, ProcFileId, SystemFilePath, CleanFileSha FROM SystemFileCache WHERE InfectedFileSHAHash = ? OR ProcFileIDSystemFileHash = ? ORDER BY InstanceTimeStamp DESC;
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT t1.ProcessPath, t1.TimeStamp, t1.TargetPath, t1.RuleId, t1.IsAudit, t1.Action, t1.ProcessTaintReason, t1.ProcessIntegrity FROM ProcessBlockHistory AS t1 INNER JOIN(SELECT ID, ProcessPath, MAX(TimeStamp) AS MostRecentTime FROM ProcessBlockHistory GROUP BY ProcessPath) AS t2 ON t1.ID = t2.ID AND t1.TimeStamp = t2.MostRecentTime ORDER BY t1.TimeStamp DESC;
Source: mpengine.dll0.0.dr	Binary or memory string: UPDATE AtomicCounters SET Name = ?, Count = ?, InsertTime = ?, ExpireTime = ?, UpdateTime = ?, ScalarFactor = ?, LinearFactor = ?, DecayInterval = ?, HighCount = ?, LastDecayTime = ?, Namespace = ? WHERE Key = ?;
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT ID FROM AutoFeatureControl WHERE AutoFeatureControl.Key = ?;
Source: mpengine.dll0.0.dr	Binary or memory string: INSERT INTO SystemFileCache(InfectedFileSHAHash, InfectedFileSHA, ProcFileIDSystemFileHash, ProcFileId, SystemFilePath, CleanFileSha, CleanFileShaHash, InstanceTimeStamp) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?);
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT ID FROM BmFileStartupActions WHERE BmFileStartupActions.FilePathHash = ?;SELECT FilePathHash, FilePath, ActionFlags, ProcessStartCount, FdrFlags, FdrThreatRecordId, EvaluatorThreatRecordId, TrustedInstallerThreatRecordId, LFRThreatRecordId FROM BmFileStartupActions WHERE FilePathHash = ?INSERT INTO BmFileStartupActions(FilePathHash, FilePath, ActionFlags, ProcessStartCount, FdrFlags, FdrThreatRecordId, EvaluatorThreatRecordId, TrustedInstallerThreatRecordId, LFRThreatRecordId) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?);DELETE FROM BmFileStartupActions WHERE BmFileStartupActions.FilePathHash = ?;SELECT Count(1) FROM BmFileStartupActions;\|
Source: mpengine.dll0.0.dr	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(16, 1, date('now'));
Source: mpengine.dll0.0.dr	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(8, 1, date('now'));
Source: mpengine.dll0.0.dr	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(26, 1, date('now'));
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT ID FROM BmFileInfo WHERE NormalizedPathHash = ? OR DosPathHash = ?;SELECT ID, NormalizedPathHash, DosPathHash, StructVersion, NormalizedPath, DosPath, Wow64Context, MetaContext, IsFromWeb, IsExecutable FROM BmFileInfo WHERE NormalizedPathHash = ? OR DosPathHash = ?;INSERT INTO BmFileActions(FileInfoId, ThreatRecordId, Action) VALUES (?, ?, ?);INSERT INTO BmFileInfo(NormalizedPathHash, DosPathHash, StructVersion, NormalizedPath, DosPath, Wow64Context, MetaContext, IsFromWeb, IsExecutable) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?);SELECT ThreatRecordId, Action FROM BmFileActions WHERE FileInfoId == ?;DELETE FROM BmFileActions;DELETE FROM BmFileInfo;DELETE FROM BmFileInfo WHERE NormalizedPathHash = ? OR DosPathHash = ?;SELECT Count(1) FROM BmFileInfo;B
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT COUNT(1) FROM AnomalyTables;
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT Key FROM FileHashes WHERE FileHashes.Key = ?; SELECT Key FROM FileHashes ORDER BY InstanceTimeStamp ASC LIMIT 1DELETE FROM FileHashes WHERE InstanceTimeStamp < ?; INSERT INTO FileHashes(Key, VSN, FileID, USN, InstanceTimeStamp, SHA1, MD5, SHA256, LSHASH, LSHASHS, CTPH, PartialCRC1, PartialCRC2, PartialCRC3, KCRC1, KCRC2, KCRC3, KCRC3n) VALUES(?, ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ?);SELECT COUNT(1) FROM FileHashes; DELETE FROM FileHashes WHERE FileHashes.Key = ?;
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT Count(DISTINCT UserIdHash) FROM FolderGuardPaths;
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT ID, PPIDHash, ProcessStartTime, PID, StructVersion, ImageFileName, MonitoringFlags_Flags, MonitoringFlags_VmHardenType, MonitoringFlags_ExemptVmHardenedTypes, CommandLineArgs, HipsInjectionId, FolderGuardId, Flags, LsassReadMemId, MonitoringFlags_Flags2Low, MonitoringFlags_Flags2High FROM BmProcessInfo WHERE PPIDHash = ?;
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT Key, FirewallRuleName, ExpiryTime FROM NetworkIpFirewallRulesOutgoing WHERE ExpiryTime < ?;INSERT INTO NetworkIpFirewallRulesOutgoing(Key, FirewallRuleName, ExpiryTime) VALUES (?, ?, ?);DELETE FROM NetworkIpFirewallRulesOutgoing;DELETE FROM NetworkIpFirewallRulesOutgoing WHERE NetworkIpFirewallRulesOutgoing.Key = ?;SELECT Count(1) FROM NetworkIpFirewallRulesOutgoing;SELECT ID FROM NetworkIpFirewallRulesOutgoing WHERE NetworkIpFirewallRulesOutgoing.Key = ?;SELECT Key, FirewallRuleName, ExpiryTime FROM NetworkIpFirewallRulesOutgoing WHERE Key = ?
Source: mpengine.dll0.0.dr	Binary or memory string: INSERT INTO AutoFeatureControl(Key, CurrCount, MaxCount, InstanceTimeStamp) VALUES (?, ?, ?, ?);
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT Key FROM AtomicCounters ORDER BY InsertTime ASC LIMIT 1;
Source: mpengine.dll0.0.dr	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(20, 1, date('now'));
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT PersistId, PersistIdBlob, ExpirationDate FROM AmsiFileCache WHERE PersistId = ?;
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT Key, Name, Count, InsertTime, ExpireTime, UpdateTime, ScalarFactor, LinearFactor, DecayInterval, HighCount, LastDecayTime, Namespace FROM AtomicCounters WHERE Key = ?;
Source: mpengine.dll0.0.dr	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(33, 1, date('now'));
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT Key FROM AtomicCounters WHERE AtomicCounters.Key = ?;
Source: mpengine.dll0.0.dr	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(18, 1, date('now'));
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT ID FROM BmProcessInfo WHERE PPIDHash = ?;
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT COUNT(1) FROM AnomalyInfo;
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT ValueMapArrayBlob FROM ValueMapArray WHERE Key = ? AND RecordType = ?;
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT ID FROM SystemFileCache WHERE InfectedFileSHAHash = ? OR ProcFileIDSystemFileHash = ?;
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT Key, Name, Capacity, TimeToLive, Mode, Namespace FROM RollingQueuesTables WHERE Name LIKE ? AND Namespace = ?;
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT Key FROM AttributeCounts WHERE AttributeCounts.Key = ?;
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT Key FROM AttributeCounts ORDER BY InsertTime ASC LIMIT 1;
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT t1.ProcessPath, t1.TimeStamp, t1.TargetPath, t1.RuleId, t1.IsAudit, t1.Action, t1.ProcessTaintReason, t1.ProcessIntegrity FROM ProcessBlockHistory AS t1 INNER JOIN(SELECT ID, ProcessPath, MAX(TimeStamp) AS MostRecentTime FROM ProcessBlockHistory WHERE RuleId = ? GROUP BY ProcessPath) AS t2 ON t1.ID = t2.ID AND t1.TimeStamp = t2.MostRecentTime ORDER BY t1.TimeStamp DESC;
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT Key FROM ValueMapArray WHERE ValueMapArray.Key = ? AND ValueMapArray.RecordType = ?;
Source: mpengine.dll0.0.dr	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(21, 1, date('now'));
Source: mpengine.dll0.0.dr	Binary or memory string: INSERT INTO RollingQueuesTables(Key, Name, Capacity, TimeToLive, Mode, Namespace) VALUES(? , ? , ? , ? , ? , ?);
Source: mpengine.dll0.0.dr	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(34, 1, date('now'));
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT Count(1) FROM BmFileInfo;
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT COUNT(1) FROM AtomicCounters;
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT ThreatRecordId, Action FROM BmFileActions WHERE FileInfoId == ?;
Source: mpengine.dll0.0.dr	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(17, 1, date('now'));
Source: mpengine.dll0.0.dr	Binary or memory string: INSERT INTO BmHipsRuleInfo(ProcessInfoId, RuleAction, RuleId, IsAudit, IsInherited, State) VALUES (?, ?, ?, ?, ?, ?);
Source: mpengine.dll0.0.dr	Binary or memory string: UPDATE AttributePersistContext SET FilePath = ?, Context = ?, InsertTime = ?, ExpireTime = ? WHERE Key = ?;
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT Key, Name, Capacity, TimeToLive, Mode, Namespace FROM RollingQueuesTables WHERE Name LIKE ? AND Namespace = ?; DELETE FROM RollingQueuesTables; DELETE FROM RollingQueuesValues; DELETE FROM RollingQueuesTables WHERE (Name NOT IN (SELECT DISTINCT EntryTable FROM RollingQueuesValues)); INSERT INTO RollingQueuesTables(Key, Name, Capacity, TimeToLive, Mode, Namespace) VALUES(? , ? , ? , ? , ? , ?); DELETE FROM RollingQueuesTables WHERE RollingQueuesTables.Key = ?; SELECT Key FROM RollingQueuesTables WHERE RollingQueuesTables.Key = ?; Invalid prefix for rolling queues query.DELETE FROM RollingQueuesValues WHERE ExpireTime < ?; SELECT EntryTable, EntryKey, EntryValue, InsertTime, ExpireTime FROM RollingQueuesValues WHERE EntryTable = ?; INSERT INTO RollingQueuesValues(EntryTable, EntryKey, EntryValue, InsertTime, ExpireTime) VALUES(? , ? , ? , ? , ?); SELECT COUNT(1) FROM RollingQueuesValues; Failed to get column from prepared statement.Failed to bind value to prepared statement.
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT Key FROM AttributePersistContext WHERE AttributePersistContext.Key = ?;
Source: mpengine.dll0.0.dr	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(19, 1, date('now'));
Source: mpengine.dll0.0.dr	Binary or memory string: INSERT INTO BackupProcessInfo(Key, FilePath, FirstStartTime, NextUSN, AutomaticRemovalPolicy, ImpactedCBPNameSpaces, InstanceTimeStamp) VALUES ( ?, ?, ?, ?, ?, ?, ?);
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT ID FROM NetworkIpFirewallRules WHERE NetworkIpFirewallRules.Key = ?;
Source: mpengine.dll0.0.dr	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(22, 1, date('now'));
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT ID FROM RansomwareDetections WHERE Key = ?;
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT ID FROM SdnEx WHERE SdnEx.Key = ?;
Source: mpengine.dll0.0.dr	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(32, 1, date('now'));
Source: mpengine.dll0.0.dr	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(29, 1, date('now'));
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT ID FROM SystemRegistryCache WHERE Key = ?;
Source: mpengine.dll0.0.dr	Binary or memory string: INSERT INTO AtomicCounters(Key, Name, Count, InsertTime, ExpireTime, UpdateTime, ScalarFactor, LinearFactor, DecayInterval, HighCount, LastDecayTime, Namespace) VALUES(? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ?);
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT Count(1) FROM AmsiFileCache;
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT Count(1) FROM SystemFileCache WHERE CleanFileShaHash = ?; DELETE FROM SystemFileCache WHERE InstanceTimeStamp < ?; SELECT CleanFileSha, CleanFileShaHash FROM SystemFileCache WHERE InstanceTimeStamp < ?; INSERT INTO SystemFileCache(InfectedFileSHAHash, InfectedFileSHA, ProcFileIDSystemFileHash, ProcFileId, SystemFilePath, CleanFileSha, CleanFileShaHash, InstanceTimeStamp) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?);DELETE FROM SystemFileCache WHERE InfectedFileSHAHash = ? OR ProcFileIDSystemFileHash = ?;SELECT Count(1) FROM SystemFileCache;SELECT ID FROM SystemFileCache WHERE InfectedFileSHAHash = ? OR ProcFileIDSystemFileHash = ?;SELECT InfectedFileSHA, ProcFileId, SystemFilePath, CleanFileSha FROM SystemFileCache WHERE InfectedFileSHAHash = ? OR ProcFileIDSystemFileHash = ? ORDER BY InstanceTimeStamp DESC;2
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT Key FROM AnomalyTables WHERE AnomalyTables.TableKey = ?;
Source: mpengine.dll0.0.dr	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(30, 1, date('now'));
Source: mpengine.dll0.0.dr	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(23, 1, date('now'));
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT COUNT(1) FROM RollingQueuesValues;
Source: mpengine.dll0.0.dr	Binary or memory string: INSERT INTO SdnEx(Key, CurrentCount) VALUES (?, ?);
Source: mpengine.dll0.0.dr	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(15, 1, date('now'));
Source: mpengine.dll0.0.dr	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(10, 1, date('now'));
Source: mpengine.dll0.0.dr	Binary or memory string: INSERT INTO BmProcessInfo(PPIDHash, ProcessStartTime, PID, StructVersion, ImageFileName, MonitoringFlags_Flags, MonitoringFlags_VmHardenType, MonitoringFlags_ExemptVmHardenedTypes, CommandLineArgs, HipsInjectionId, FolderGuardId, Flags, LsassReadMemId, MonitoringFlags_Flags2Low, MonitoringFlags_Flags2High)VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?);
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT Count(1) FROM BackupProcessInfo;
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT Key, FilePath, Context, InsertTime, ExpireTime FROM AttributePersistContext WHERE Key = ?;
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT COUNT(1) FROM ValueMapArray WHERE RecordType = ?;
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE RuleId = ? ORDER BY TimeStamp DESC;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? AND TimeStamp = ? ORDER BY TimeStamp DESC;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory ORDER BY TimeStamp DESC;SELECT COUNT(DISTINCT ProcessPath) FROM ProcessBlockHistory;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? ORDER BY TimeStamp DESC LIMIT 1;SELECT t1.ProcessPath, t1.TimeStamp, t1.TargetPath, t1.RuleId, t1.IsAudit, t1.Action, t1.ProcessTaintReason, t1.ProcessIntegrity FROM ProcessBlockHistory AS t1 INNER JOIN(SELECT ID, ProcessPath, MAX(TimeStamp) AS MostRecentTime FROM ProcessBlockHistory WHERE RuleId = ? GROUP BY ProcessPath) AS t2 ON t1.ID = t2.ID AND t1.TimeStamp = t2.MostRecentTime ORDER BY t1.TimeStamp DESC;SELECT t1.ProcessPath, t1.TimeStamp, t1.TargetPath, t1.RuleId, t1.IsAudit, t1.Action, t1.ProcessTaintReason, t1.ProcessIntegrity FROM ProcessBlockHistory AS t1 INNER JOIN(SELECT ID, ProcessPath, MAX(TimeStamp) AS MostRecentTime FROM ProcessBlockHistory GROUP BY ProcessPath) AS t2 ON t1.ID = t2.ID AND t1.TimeStamp = t2.MostRecentTime ORDER BY t1.TimeStamp DESC;DELETE FROM ProcessBlockHistory WHERE ProcessPath = ? AND TimeStamp = ?;SELECT COUNT(1) FROM ProcessBlockHistory;SELECT ID FROM ProcessBlockHistory WHERE ProcessPath = ?;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? ORDER BY TimeStamp DESC;DELETE FROM ProcessBlockHistory WHERE TimeStamp < ?;SELECT ProcessPath, TimeStamp FROM ProcessBlockHistory ORDER BY TimeStamp ASC LIMIT 1REPLACE INTO ProcessBlockHistory(ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity) VALUES (?, ?, ?, ?, ?, ?, ?, ?);DELETE FROM ProcessBlockHistory;[3
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT Key, TableKey, TableName, UnbiasedTableAge, KeyName, FirstSeen, LastSeen, UnbiasedTime, Value, Order_ FROM AnomalyTables WHERE AnomalyTables.TableKey = ?;
Source: mpengine.dll0.0.dr	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(9, 1, date('now'));
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT Count(1) FROM BmProcessInfo;
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT COUNT(1) FROM ProcessBlockHistory;
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT Count(1) FROM DynSigRevisions;
Source: mpengine.dll0.0.dr	Binary or memory string: INSERT INTO ValueMapArray(Key, RecordType, ValueMapArrayBlob, InstanceTimeStamp) VALUES(?, ? , ? , ?);
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT Key, Name, Count, InsertTime, ExpireTime FROM AttributeCounts WHERE Key = ?;
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT Key, FileName, SigSeq, SigSha, SigIsSync, InstanceTimeStamp FROM FileLowFiAsync WHERE Key = ?;
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT ID FROM BmFileStartupActions WHERE BmFileStartupActions.FilePathHash = ?;
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT COUNT(1) FROM FileHashes;
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT Key FROM FileLowFiAsync WHERE FileLowFiAsync.Key = ?;
Source: mpengine.dll0.0.dr	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(27, 1, date('now'));
Source: mpengine.dll0.0.dr	Binary or memory string: INSERT INTO FileHashes(Key, VSN, FileID, USN, InstanceTimeStamp, SHA1, MD5, SHA256, LSHASH, LSHASHS, CTPH, PartialCRC1, PartialCRC2, PartialCRC3, KCRC1, KCRC2, KCRC3, KCRC3n) VALUES(?, ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ?);
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT DetectionGuid, LkgTS, NextUSN, DetectionTS, ProvisionalRemedComplTS, RemedComplTS, ImpactedCBPNameSpaces FROM RansomwareDetections WHERE Key = ?;
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT FilePath, FirstStartTime, NextUSN, AutomaticRemovalPolicy, ImpactedCBPNameSpaces FROM BackupProcessInfo WHERE Key = ?;
Source: mpengine.dll0.0.dr	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(7, 1, date('now'));
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT Key FROM RollingQueuesTables WHERE RollingQueuesTables.Key = ?;
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT Key, Name, Count, InsertTime, ExpireTime, UpdateTime, ScalarFactor, LinearFactor, DecayInterval, HighCount, LastDecayTime, Namespace FROM AtomicCounters WHERE Name LIKE ? AND Namespace = ?;
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory ORDER BY TimeStamp DESC;
Source: mpengine.dll0.0.dr	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(2, 1, date('now'));
Source: mpengine.dll0.0.dr	Binary or memory string: UPDATE AttributeCounts SET Name = ?, Count = ?, InsertTime = ?, ExpireTime = ? WHERE Key = ?;
Source: mpengine.dll0.0.dr	Binary or memory string: INSERT INTO FileLowFiAsync(Key, FileName, SigSeq, SigSha, SigIsSync, InstanceTimeStamp) VALUES(?, ? , ? , ? , ? , ?);SELECT COUNT(1) FROM FileLowFiAsync; DELETE FROM FileLowFiAsync WHERE FileLowFiAsync.Key = ?; SELECT Key FROM FileLowFiAsync WHERE FileLowFiAsync.Key = ?; SELECT Key, FileName, SigSeq, SigSha, SigIsSync, InstanceTimeStamp FROM FileLowFiAsync WHERE Key = ?; DELETE FROM FileLowFiAsync WHERE InstanceTimeStamp < ?;
Source: mpengine.dll0.0.dr	Binary or memory string: INSERT INTO FolderGuardPaths(UserIdHash, UserId, GUID, Path) VALUES ( ?, ?, ?, ? );
Source: mpengine.dll0.0.dr	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(35, 1, date('now'));
Source: integrator.exe.0.dr	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: mpengine.dll0.0.dr	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(25, 1, date('now'));
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT Key FROM AttributePersistContext WHERE AttributePersistContext.Key = ?; Invalid prefix for persisted attribute context query.SELECT Key, FilePath, Context, InsertTime, ExpireTime FROM AttributePersistContext WHERE FilePath LIKE ?; DELETE FROM AttributePersistContext WHERE ExpireTime < ?; ;
Source: mpengine.dll0.0.dr	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);viewVIEWTABLEname='%q' AND type='index'sqlite_temp_masterviews may not be indexedtbl_name='%q' AND type!='trigger'UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d-%Tdefault value of column [%s] is not constantAUTOINCREMENT not allowed on WITHOUT ROWID tablesthere is already an index named %sunknown database: %sindex '%q'ORDER BY%s clause should come after %s not beforeLIMITtable %s may not be modifiedDELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'table %S has no column named %sseqfromtoon_updateon_deletecidnotnulldflt_valuepkhiddenseqnocollidxwdthhghtflgsuniqueoriginparentfkidfilebusylogcheckpointedbuiltincache_sizetimeoutactivate_extensionsapplication_idautomatic_indexbusy_timeoutcache_spillcase_sensitive_likecell_size_checkcheckpoint_fullfsynccollation_listcount_changesdata_store_directorydata_versiondatabase_listempty_result_callbacksencodingfreelist_countfull_column_namesfullfsynchexrekeyignore_check_constraintsindex_infoindex_listindex_xinfointegrity_checkjournal_modejournal_size_limitlegacy_alter_tablelegacy_file_formatlocking_modemax_page_countmmap_sizeoptimizepage_countpage_sizequery_onlyquick_checkread_uncommittedrecursive_triggersrekeyreverse_unordered_selectsschema_versionsecure_deleteshort_column_namesshrink_memorysoft_heap_limitsynchronoustable_infotable_xinfotemp_storetemp_store_directorytextkeytextrekeythreadsuser_versionwal_autocheckpointwal_checkpointwritable_schema
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT Count(1) FROM BmFileStartupActions;
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT Count(1) FROM NetworkIpFirewallRulesOutgoing;
Source: mpengine.dll0.0.dr	Binary or memory string: SELECT Key FROM AttributePersistContext ORDER BY InsertTime ASC LIMIT 1;
Source: mpengine.dll0.0.dr	Binary or memory string: INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(36, 1, date('now'));

Source: jqXe6tttFa.exe	ReversingLabs: Detection: 83%
Source: jqXe6tttFa.exe	Virustotal: Detection: 81%

Source: unknown	Process created: C:\Users\user\Desktop\jqXe6tttFa.exe "C:\Users\user\Desktop\jqXe6tttFa.exe"
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://primearea.biz/product/235093/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2004 --field-trial-handle=1968,i,11388631023662119758,12511579874386185583,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://primearea.biz/product/235093/	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2004 --field-trial-handle=1968,i,11388631023662119758,12511579874386185583,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Section loaded: windows.shell.servicehostbuilder.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior

Source: C:\Users\user\Desktop\jqXe6tttFa.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1A66AEDC-93C3-4ACC-BA96-08F5716429F7}\InProcServer32

Jump to behavior

Source: Firefox.lnk.0.dr	LNK file: ..\..\..\Program Files\Mozilla Firefox\firefox.exe
Source: SciTE Script Editor.lnk.0.dr	LNK file: ..\..\..\..\..\..\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\jqXe6tttFa.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\jqXe6tttFa.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Access\Capabilities\UrlAssociations

Jump to behavior

Source: jqXe6tttFa.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: jqXe6tttFa.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: jqXe6tttFa.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: BTR.pdbGCTL source: mpengine.dll0.0.dr
Source:	Binary string: KSLD.pdb source: mpengine.dll0.0.dr
Source:	Binary string: MpUpdate.pdbGCTL source: MpUpdate.dll.0.dr
Source:	Binary string: MpAzSubmit.pdb source: MpAzSubmit.dll.0.dr
Source:	Binary string: MpCmdRun.pdbGCTL source: MpCmdRun.exe0.0.dr
Source:	Binary string: C:\Users\Thomas\Desktop\Povlsomware-master\Povlsomware\obj\Debug\Povlsomware.pdb source: jqXe6tttFa.exe
Source:	Binary string: MpDetoursCopyAccelerator.pdb source: MpDetoursCopyAccelerator.dll.0.dr
Source:	Binary string: KSLDriver.pdbGCTL source: mpengine.dll0.0.dr
Source:	Binary string: MsMpEngCP.pdb source: mpengine.dll0.0.dr
Source:	Binary string: BTR.pdb source: mpengine.dll0.0.dr
Source:	Binary string: MpCmdRun.pdb source: MpCmdRun.exe0.0.dr
Source:	Binary string: mpengine.pdb source: mpengine.dll0.0.dr
Source:	Binary string: MsMpEngCP.pdbGCTL source: mpengine.dll0.0.dr
Source:	Binary string: MpDlpCmd.pdbGCTL source: MpDlpCmd.exe.0.dr
Source:	Binary string: MpAzSubmit.pdbOGPS source: MpAzSubmit.dll.0.dr
Source:	Binary string: mpengine.pdbOGPS source: mpengine.dll0.0.dr
Source:	Binary string: KSLDriver.pdb source: mpengine.dll0.0.dr
Source:	Binary string: ProtectionManagement.pdbGCTL source: ProtectionManagement.dll.0.dr
Source:	Binary string: MpCommu.pdb source: MpCommu.dll.0.dr
Source:	Binary string: MpDetoursCopyAccelerator.pdbGCTL source: MpDetoursCopyAccelerator.dll.0.dr
Source:	Binary string: MpUxAgent.pdb source: MpUxAgent.dll.0.dr
Source:	Binary string: MpCommu.pdbGCTL source: MpCommu.dll.0.dr
Source:	Binary string: offreg.pdbH source: mpengine.dll0.0.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb source: integrator.exe.0.dr
Source:	Binary string: ProtectionManagement.pdb source: ProtectionManagement.dll.0.dr
Source:	Binary string: MpUxAgent.pdbGCTL source: MpUxAgent.dll.0.dr
Source:	Binary string: MsMpEngSvc.pdb source: mpengine.dll0.0.dr
Source:	Binary string: MpDlpCmd.pdb source: MpDlpCmd.exe.0.dr
Source:	Binary string: MsMpEngSvc.pdbGCTL source: mpengine.dll0.0.dr
Source:	Binary string: KSLD.pdbGCTL source: mpengine.dll0.0.dr
Source:	Binary string: offreg.pdb source: mpengine.dll0.0.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: integrator.exe.0.dr
Source:	Binary string: MpUpdate.pdb source: MpUpdate.dll.0.dr

Source: mpengine.dll.0.dr

Static PE information: 0xD9A34D43 [Sat Sep 15 02:06:59 2085 UTC]

Source: MpClient.dll.0.dr	Static PE information: section name: .didat
Source: MpCmdRun.exe.0.dr	Static PE information: section name: .didat
Source: MpCommu.dll.0.dr	Static PE information: section name: .didat
Source: MpDetours.dll.0.dr	Static PE information: section name: .detourc
Source: MpDetours.dll.0.dr	Static PE information: section name: .detourd
Source: MpRtp.dll.0.dr	Static PE information: section name: .didat
Source: MpSvc.dll.0.dr	Static PE information: section name: .didat
Source: NisSrv.exe.0.dr	Static PE information: section name: .didat
Source: MpCmdRun.exe0.0.dr	Static PE information: section name: .didat
Source: VC_redist.x64.exe.0.dr	Static PE information: section name: .wixburn
Source: MpDetoursCopyAccelerator.dll.0.dr	Static PE information: section name: .detourc
Source: MpDetoursCopyAccelerator.dll.0.dr	Static PE information: section name: .detourd
Source: ProtectionManagement.dll.0.dr	Static PE information: section name: .didat
Source: MpDetoursCopyAccelerator.dll0.0.dr	Static PE information: section name: .detourc
Source: MpDetoursCopyAccelerator.dll0.0.dr	Static PE information: section name: .detourd

Persistence and Installation Behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\Desktop\jqXe6tttFa.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpUpdate.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpSvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCommu.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpAzSubmit.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpEvMsg.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MsMpLics.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\DefenderCSP.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpRtp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpAsDesc.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	System file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ProtectionManagement.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpUxAgent.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDetoursCopyAccelerator.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDetours.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpClient.dll	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpSenseComm.dll	Jump to behavior

Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpUpdate.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpSenseComm.dll.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCommu.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpAzSubmit.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\endpointdlp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpAsDesc.dll.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpUxAgent.dll.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpDetoursCopyAccelerator.dll.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpAsDesc.dll.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MsMpLics.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\DefenderCSP.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpEvMsg.dll.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpRtp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpAsDesc.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{744D5067-632F-490D-A7F8-522F3DDB7ACB}\mpengine.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDetours.dll.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ProtectionManagement.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MsMpLics.dll.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpDetoursCopyAccelerator.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpLics.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDetours.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpSvc.dll.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\endpointdlp.dll.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDetoursCopyAccelerator.dll.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Definition Updates\{744D5067-632F-490D-A7F8-522F3DDB7ACB}\mpengine.dll.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpUpdate.dll.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpSvc.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpAzSubmit.dll.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpEvMsg.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpRtp.dll.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpLics.dll.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCommu.dll.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpAsDesc.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpUxAgent.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDetoursCopyAccelerator.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpClient.dll.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ProtectionManagement.dll.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\DefenderCSP.dll.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpClient.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpSenseComm.dll	Jump to dropped file

Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpUpdate.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpSvc.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCommu.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpAzSubmit.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\endpointdlp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpEvMsg.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MsMpLics.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\DefenderCSP.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpRtp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpAsDesc.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{744D5067-632F-490D-A7F8-522F3DDB7ACB}\mpengine.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpAsDesc.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ProtectionManagement.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpUxAgent.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDetoursCopyAccelerator.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpDetoursCopyAccelerator.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpLics.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDetours.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpClient.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpSenseComm.dll	Jump to dropped file

Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Ransomtoad			Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Ransomtoad			Jump to behavior

Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Memory allocated: 9C0000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Memory allocated: 1A520000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Window / User API: threadDelayed 2044			Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Window / User API: threadDelayed 7278			Jump to behavior

Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpUpdate.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpSenseComm.dll.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCommu.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpAzSubmit.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\endpointdlp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpUxAgent.dll.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpAsDesc.dll.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpDetoursCopyAccelerator.dll.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpAsDesc.dll.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MsMpLics.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpEvMsg.dll.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\DefenderCSP.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpRtp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpAsDesc.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{744D5067-632F-490D-A7F8-522F3DDB7ACB}\mpengine.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDetours.dll.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ProtectionManagement.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MsMpLics.dll.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpDetoursCopyAccelerator.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpLics.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDetours.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpSvc.dll.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDetoursCopyAccelerator.dll.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\endpointdlp.dll.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Definition Updates\{744D5067-632F-490D-A7F8-522F3DDB7ACB}\mpengine.dll.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpUpdate.dll.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpSvc.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpAzSubmit.dll.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpEvMsg.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpRtp.dll.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpLics.dll.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCommu.dll.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpAsDesc.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpUxAgent.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpClient.dll.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDetoursCopyAccelerator.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ProtectionManagement.dll.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\DefenderCSP.dll.rtcrypted (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpClient.dll	Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpSenseComm.dll	Jump to dropped file

Source: C:\Users\user\Desktop\jqXe6tttFa.exe TID: 6956	Thread sleep time: -1226400s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe TID: 6956	Thread sleep time: -4366800s >= -30000s			Jump to behavior

Source: mpengine.dll0.0.dr	Binary or memory string: detects_vmware
Source: jqXe6tttFa.exe, 00000000.00000002.4136818503.000000001AFB6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\MM
Source: jqXe6tttFa.exe, 00000000.00000002.4136818503.000000001AF30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: ProtectionManagement.dll.0.dr	Binary or memory string: Microsoft HvVMwareVMware
Source: mpengine.dll0.0.dr	Binary or memory string: azurevirtualmachinename_scrubbed
Source: ProtectionManagement.dll.0.dr	Binary or memory string: VMwareVMware
Source: jqXe6tttFa.exe, 00000000.00000002.4136818503.000000001AF9E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: mpengine.dll0.0.dr	Binary or memory string: SendWDOReportHasTelemetryPath????????-????-????-????-????????????.telemEngine.Maps.SendWdoReport%ls.telemdetectScanOfflineTelemetryPathInitUserDbCleanuputctimeerr%lu-%lu-%lu %lu:%lu:%luHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\ResultsLastSuccessTimeLastErrordownloadinstall%program_files%\internet explorer\iexplore.exeBuildLabExSoftware\Microsoft\Office\15.0\ClickToRun\ConfigurationSoftware\Microsoft\OfficePassiveModeAllowCommercialDataPipelineSOFTWARE\Microsoft\Microsoft Antimalware\FeaturesSOFTWARE\Microsoft\Windows Azure\CurrentVersionSOFTWARE\Microsoft\Windows AzureSOFTWARE\Microsoft\Virtual Machine\Guest\ParametersNodeIdSoftware\Policies\Microsoft\Windows\DataCollectionSOFTWARE\AzureHL\NodePropertiesPolicyManager_GetPolicyPolicyManager_FreeGetPolicyDataMicrosoft HvVMwareVMwareVMTypeVirtualMachineName\\IdentHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Media CenterRtpStatenameenabledwscserviceAVProductclean%08llXstateuptodateproductamsiuacstreamfilterdriverslistbootrpfsamplesubmission_lockingprocesses&%ls-%lsrpfcleaningstatusamsistreamieprotectstreamsenseremediationetwMd5ThreatTrackingStartTimeRemediationCheckpointReport/AmsiUacInfo skippedThreatTrackingScanSourceThreatTrackingScanTyperuleidexpirytimeNamedAttributesSigNameWebFileBrowserAmsiAppIdWebFileUrlWin32ActionStatusActionTimeAmsiContentNameContentSizeRtpProcessNameAmsiSessionIdRtpDesiredAccessRtpNewFileHintAllSigNamesRtpScanReasonPropertyBagThreatTrackingIdIsRuntimePackedDetectionTimePeAttributesLsHashCollectReasonsSigattrEventsSigAgeInheritedResourceOriginalSizeOriginalSha1OriginalSha256ActiveReasonError sending sense remediation reportParentSha1FromSyncLofiBMContextRichDataOriginalReportTypeBMSigContextRichInformationAgentException: Failed to create json for etw eventError allocated user/usersidHeartbeatTypeAutoSampleSubmissionOptInValueBlockAtFirstSightOnAccessProtectionRealTimeProtectionNetworkProtectionBloomFilterTimeAmsiEnabledEdgeBloomFilterTimeAnaheimBloomFilterTimeSmartScreenAppRepSmartScreenEdgeUrlRepIsSxSPassiveModeLastFullScanEndTimeLastFullScanDurationCurrentThreatInfoLastFullScanResultIoavEnabledSignatureFallbackOrderSenseDLPEnabledPassiveRemediationOnboardedInforeporttypesenseheartbeatetwError creating json for sense heartbeat reportLastQuickScanDurationError sending sense heartbeat reportLastQuickScanResultLastQuickScanEndTimetelemetryonlycmdsha1ThreatTrackingScanFlagsThreatTrackingIdListconsolidatedthreattrackingidsmftshadowfilecreationtimethreattrackingidfirstfiletimelastfiletimenotfoundcounttotalfilecountcollectiontypeexpensivefilecountoriginalnameissuerpublisherdeschashedpathselectionratereportlimitsignerhashauthenticodehash256issuerhashsignerpetypepearchnewfiletypecontentsha1contentsha256controlguidcontrolversionframeurlclassificationstreamurltargetpathruletypeinheritanceflagsparentpathisauditdeepscaninvolvedfilepathtargetprocesscmdlineparentprocesscmdlineistargetrtpscanreasonThreatTrackingThreatNamethreatnameresourceschemaThreatTracki
Source: mpengine.dll0.0.dr	Binary or memory string: azurevirtualmachinename
Source: jqXe6tttFa.exe, 00000000.00000002.4136818503.000000001AFB6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: w-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}D
Source: mpengine.dll0.0.dr	Binary or memory string: dynmem_detects_vmware
Source: mpengine.dll0.0.dr	Binary or memory string: pea_dynmem_detects_vmware
Source: mpengine.dll0.0.dr	Binary or memory string: pea_detects_vmware

Source: C:\Users\user\Desktop\jqXe6tttFa.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\jqXe6tttFa.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\jqXe6tttFa.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS)

Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe			Jump to dropped file
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe.rtcrypted (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\jqXe6tttFa.exe

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://primearea.biz/product/235093/

Jump to behavior

Source: C:\Users\user\Desktop\jqXe6tttFa.exe

Queries volume information: C:\Users\user\Desktop\jqXe6tttFa.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\jqXe6tttFa.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Overwrites Mozilla Firefox settings

Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\AlternateServices.txt	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\pkcs11.txt	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\SiteSecurityServiceState.txt	Jump to behavior
Source: C:\Users\user\Desktop\jqXe6tttFa.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\Telemetry.FailedProfileLocks.txt	Jump to behavior

Source: jqXe6tttFa.exe, 00000000.00000002.4132924740.0000000002521000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: jqXe6tttFa.exe, 00000000.00000002.4132924740.0000000002521000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vC:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: jqXe6tttFa.exe, 00000000.00000002.4132924740.0000000002521000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vC:\Users\All Users\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: jqXe6tttFa.exe, 00000000.00000002.4132924740.0000000002521000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: jqXe6tttFa.exe, 00000000.00000002.4132924740.0000000002521000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Users\All Users\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: jqXe6tttFa.exe, 00000000.00000002.4132924740.0000000002521000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: jqXe6tttFa.exe, 00000000.00000002.4132924740.0000000002521000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: eC:\Users\All Users\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: jqXe6tttFa.exe, 00000000.00000002.4132924740.0000000002521000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: jqXe6tttFa.exe, 00000000.00000002.4132924740.0000000002521000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: jqXe6tttFa.exe, 00000000.00000002.4132924740.0000000002521000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: jqXe6tttFa.exe, 00000000.00000002.4132924740.0000000002521000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: jqXe6tttFa.exe, 00000000.00000002.4132924740.0000000002521000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: jqXe6tttFa.exe, 00000000.00000002.4132924740.0000000002521000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: jqXe6tttFa.exe, 00000000.00000002.4132924740.0000000002521000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: jqXe6tttFa.exe, 00000000.00000002.4132924740.0000000002521000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: jqXe6tttFa.exe, 00000000.00000002.4132924740.0000000002521000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: jqXe6tttFa.exe, 00000000.00000002.4132924740.0000000002521000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: jqXe6tttFa.exe, 00000000.00000002.4132924740.0000000002521000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Documents and Settings\All Users\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: jqXe6tttFa.exe, 00000000.00000002.4132924740.0000000002521000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	11 Process Injection	1 Masquerading	11 Input Capture	11 Security Software Discovery	1 Taint Shared Content	11 Input Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	2 Virtualization/Sandbox Evasion	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Disable or Modify Tools	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Browser Session Hijacking	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	13 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
jqXe6tttFa.exe	83%	ReversingLabs	ByteCode-MSIL.Ransomware.Povlsom
jqXe6tttFa.exe	82%	Virustotal		Browse
jqXe6tttFa.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll.rtcrypted (copy)	0%	ReversingLabs
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll.rtcrypted (copy)	0%	Virustotal	Browse
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\DefenderCSP.dll.rtcrypted (copy)	0%	ReversingLabs
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\DefenderCSP.dll.rtcrypted (copy)	0%	Virustotal	Browse
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpAsDesc.dll.rtcrypted (copy)	0%	ReversingLabs
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpAsDesc.dll.rtcrypted (copy)	0%	Virustotal	Browse
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpAzSubmit.dll.rtcrypted (copy)	0%	ReversingLabs
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpAzSubmit.dll.rtcrypted (copy)	0%	Virustotal	Browse
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpClient.dll.rtcrypted (copy)	0%	ReversingLabs
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpClient.dll.rtcrypted (copy)	0%	Virustotal	Browse
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe.rtcrypted (copy)	0%	ReversingLabs
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe.rtcrypted (copy)	0%	Virustotal	Browse
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCommu.dll.rtcrypted (copy)	0%	ReversingLabs
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCommu.dll.rtcrypted (copy)	0%	Virustotal	Browse
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDetours.dll.rtcrypted (copy)	0%	ReversingLabs
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDetours.dll.rtcrypted (copy)	0%	Virustotal	Browse
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe.rtcrypted (copy)	0%	ReversingLabs
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe.rtcrypted (copy)	0%	Virustotal	Browse
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpEvMsg.dll.rtcrypted (copy)	0%	ReversingLabs
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpEvMsg.dll.rtcrypted (copy)	0%	Virustotal	Browse
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpRtp.dll.rtcrypted (copy)	0%	ReversingLabs
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpRtp.dll.rtcrypted (copy)	0%	Virustotal	Browse
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpSenseComm.dll.rtcrypted (copy)	0%	ReversingLabs
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpSenseComm.dll.rtcrypted (copy)	0%	Virustotal	Browse
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpSvc.dll.rtcrypted (copy)	0%	ReversingLabs
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpSvc.dll.rtcrypted (copy)	0%	Virustotal	Browse
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpUpdate.dll.rtcrypted (copy)	0%	ReversingLabs
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpUpdate.dll.rtcrypted (copy)	0%	Virustotal	Browse
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpUxAgent.dll.rtcrypted (copy)	0%	ReversingLabs
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpUxAgent.dll.rtcrypted (copy)	0%	Virustotal	Browse
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe.rtcrypted (copy)	0%	ReversingLabs
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe.rtcrypted (copy)	0%	Virustotal	Browse
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpLics.dll.rtcrypted (copy)	0%	ReversingLabs
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpLics.dll.rtcrypted (copy)	0%	Virustotal	Browse
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe.rtcrypted (copy)	0%	ReversingLabs
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe.rtcrypted (copy)	0%	Virustotal	Browse
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpAsDesc.dll.rtcrypted (copy)	0%	ReversingLabs
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpAsDesc.dll.rtcrypted (copy)	0%	Virustotal	Browse
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe.rtcrypted (copy)	0%	ReversingLabs
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe.rtcrypted (copy)	0%	Virustotal	Browse

Source	Detection	Scanner	Label	Link
http://www.tiro.com	0%	URL Reputation	safe
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	1%	Virustotal		Browse
http://www.founder.com.cn/cn/bThe	0%	Virustotal		Browse
http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte	0%	Virustotal		Browse
http://www.founder.com.cn/cn/cThe	0%	Virustotal		Browse
http://www.founder.com.cn/cn	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.google.com	64.233.177.104	true	false		high
primearea.biz	67.225.218.22	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://primearea.biz/product/235093/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	prefs.js.0.dr	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	MpCommu.dll.0.dr	false		high
http://www.fontbureau.com/designers?	jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	prefs.js.0.dr	false		high
http://www.tiro.com	jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	prefs.js.0.dr	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://primearea.biz/product/235093/X	jqXe6tttFa.exe, 00000000.00000002.4136818503.000000001AF9E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web	mpengine.dll0.0.dr	false		high
http://www.carterandcone.coml	jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.galapagosdesign.com/staff/dennis.htm	jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.fontbureau.com/designers/frere-user.html	jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	prefs.js.0.dr	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi	prefs.js.0.dr	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://primearea.biz/product/235093/3Decrypting...	jqXe6tttFa.exe	false		high
https://primearea.biz/product/235093/xU	jqXe6tttFa.exe, 00000000.00000002.4136818503.000000001AF23000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/DPlease	jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp	false		high
https://primearea.biz/product/235093/q	jqXe6tttFa.exe, 00000000.00000002.4136818503.000000001AF30000.00000004.00000020.00020000.00000000.sdmp	false		high
http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte	integrator.exe.0.dr	false	0%, Virustotal, Browse	unknown
http://www.fonts.com	jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://primearea.biz/product/235093/l	jqXe6tttFa.exe, 00000000.00000002.4136818503.000000001AF30000.00000004.00000020.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	MpCommu.dll.0.dr	false		high
http://www.urwpp.deDPlease	jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
https://primearea.biz/product/235093/o	jqXe6tttFa.exe, 00000000.00000002.4136818503.000000001AF30000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.sakkal.com	jqXe6tttFa.exe, 00000000.00000002.4137757380.000000001C812000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://primearea.biz/product/235093/.0lnkM	jqXe6tttFa.exe, 00000000.00000002.4131952380.00000000006FE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	prefs.js.0.dr	false		high
https://primearea.biz/product/235093/5	jqXe6tttFa.exe, 00000000.00000002.4136818503.000000001AF30000.00000004.00000020.00020000.00000000.sdmp	false		high
https://primearea.biz/product/235093/qSOFTWARE	jqXe6tttFa.exe	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest	MpCommu.dll.0.dr	false		high
https://primearea.biz/product/235093/w	jqXe6tttFa.exe, 00000000.00000002.4136818503.000000001AF30000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
64.233.177.104	www.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
67.225.218.22	primearea.biz	United States	32244	LIQUIDWEBUS	false

Private

IP
192.168.2.4

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1428504
Start date and time:	2024-04-19 03:50:10 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	jqXe6tttFa.exe renamed because original name is a hash value
Original Sample Name:	fd32cec288cec4f16dc5430cf86dc17e1d4cf941d635979fc17a59c8d6d83d44.exe
Detection:	MAL
Classification:	mal88.rans.spre.phis.evad.winEXE@16/781@4/4
EGA Information:	Failed
HCA Information:	Successful, ratio: 96% Number of executed functions: 33 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 72.21.81.240, 192.229.211.108, 64.233.185.94, 173.194.219.139, 173.194.219.102, 173.194.219.138, 173.194.219.100, 173.194.219.101, 173.194.219.113, 172.217.215.84, 34.104.35.123, 142.250.105.94, 74.125.136.102, 74.125.136.101, 74.125.136.100, 74.125.136.139, 74.125.136.113, 74.125.136.138
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, clients2.google.com, ocsp.digicert.com, accounts.google.com, edgedl.me.gvt1.com, slscr.update.microsoft.com, update.googleapis.com, ctldl.windowsupdate.com, clientservices.googleapis.com, clients.l.google.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target jqXe6tttFa.exe, PID 6876 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:51:26	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Ransomtoad "C:\Users\user\Desktop\jqXe6tttFa.exe"
02:51:34	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Ransomtoad "C:\Users\user\Desktop\jqXe6tttFa.exe"
03:51:33	API Interceptor	66979x Sleep call for process: jqXe6tttFa.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
239.255.255.250	SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe	Get hash	malicious	Amadey, RedLine, RisePro Stealer	Browse
	HxesZl7bIx.exe	Get hash	malicious	Unknown	Browse
	https://aeno.co.jp.talglfts.cc/aeon	Get hash	malicious	Unknown	Browse
	https://scsang.cn/	Get hash	malicious	Unknown	Browse
	https://cvn7.sa.com/invoice.html?app=	Get hash	malicious	HTMLPhisher	Browse
	https://setteledpaineter.uk.nf/	Get hash	malicious	Unknown	Browse
	https://zmmzmnsnnbxbbxvcxv22.z13.web.core.windows.net/	Get hash	malicious	Unknown	Browse
	https://dev217.d3uf3ys8fxt6s2.amplifyapp.com/Win08ShDMeEr0887/index.html	Get hash	malicious	Unknown	Browse
	https://www.huiyuan-sh.com/	Get hash	malicious	Unknown	Browse
	https://sdcoes.net/LandingPage/Index/122/	Get hash	malicious	HTMLPhisher	Browse
67.225.218.22	http://www.jostle.com	Get hash	malicious	Unknown	Browse	www.jostle.com/

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
LIQUIDWEBUS	Oo2yeTdq5J.elf	Get hash	malicious	Mirai	Browse	96.30.37.174
	Invoice copy.pdf.exe	Get hash	malicious	FormBook	Browse	67.225.137.57
	http://www.indeks.pt/	Get hash	malicious	Unknown	Browse	67.225.152.61
	http://zacharryblogs.com	Get hash	malicious	Unknown	Browse	72.52.179.174
	https://www.idofea.org/idea-std-1010-inspection-standard	Get hash	malicious	Unknown	Browse	209.59.137.47
	http://loveevamk.life	Get hash	malicious	Unknown	Browse	72.52.251.155
	Ofsoptics-Documents734.eml	Get hash	malicious	HTMLPhisher	Browse	209.59.138.160
	https://yesterwebring.neocities.org	Get hash	malicious	Phisher	Browse	67.227.226.240
	https://www.imobie.com/go/download.php?product=ati	Get hash	malicious	Unknown	Browse	67.225.249.166
	gRDcPJpgMQ.exe	Get hash	malicious	FormBook	Browse	67.225.137.57

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe	Get hash	malicious	Amadey, RedLine, RisePro Stealer	Browse	52.165.165.26 40.68.123.157 23.33.134.2
	HxesZl7bIx.exe	Get hash	malicious	Unknown	Browse	52.165.165.26 40.68.123.157 23.33.134.2
	https://aeno.co.jp.talglfts.cc/aeon	Get hash	malicious	Unknown	Browse	52.165.165.26 40.68.123.157 23.33.134.2
	https://scsang.cn/	Get hash	malicious	Unknown	Browse	52.165.165.26 40.68.123.157 23.33.134.2
	https://cvn7.sa.com/invoice.html?app=	Get hash	malicious	HTMLPhisher	Browse	52.165.165.26 40.68.123.157 23.33.134.2
	https://setteledpaineter.uk.nf/	Get hash	malicious	Unknown	Browse	52.165.165.26 40.68.123.157 23.33.134.2
	SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe	Get hash	malicious	Unknown	Browse	52.165.165.26 40.68.123.157 23.33.134.2
	https://www.huiyuan-sh.com/	Get hash	malicious	Unknown	Browse	52.165.165.26 40.68.123.157 23.33.134.2
	https://sdcoes.net/LandingPage/Index/122/	Get hash	malicious	HTMLPhisher	Browse	52.165.165.26 40.68.123.157 23.33.134.2
	https://appddd08.z19.web.core.windows.net/Win0security-helpline07/index.html?ph0n=1-844-492-0415	Get hash	malicious	TechSupportScam	Browse	52.165.165.26 40.68.123.157 23.33.134.2

Dropped Files

⊘No context

Process:	C:\Users\user\Desktop\jqXe6tttFa.exe
File Type:	data
Category:	dropped
Size (bytes):	2061
Entropy (8bit):	3.8899002241052396
Encrypted:	false
SSDEEP:	24:DdHPxS/jKA8sAoCdw6nfTb+MLxqKeSlx/z4WLxqKJdcqnyfm:DdHPLldJP5LFeS7EWLry
MD5:	9FD37B9FE51E1D068E04528EE09C8817
SHA1:	C33BADDB0B24DC0F1D19F628CB566BAF49338054
SHA-256:	2FF90E88DC6E0A24DD3E402B2A4B643F21E8B918FA52F3F1454D2AC6567DB5FF
SHA-512:	5A88127A2F8EA8B42646A28A202236166A63FBC7720EA49EA6E1367BFC1B96695436B55E339000D504899922EA8BEA894F8C3D4CC60316C57D20CB4D79785499
Malicious:	false
Reputation:	low
Preview:	...........@.......K........4.\|.aY.Nn[.huY..4.\|.aY.X............................`.P.j.."X.....................................CW.V..PROGRA~1..t......O.ICW.V....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....P.1.....CW.V..Adobe.<......CW.VCW.V..............................A.d.o.b.e.....^.1.....CW.V..ACROBA~1..F......CW.VCW.V............................F.A.c.r.o.b.a.t. .D.C.....V.1.....CW.V..Acrobat.@......CW.VCW.V..............................A.c.r.o.b.a.t.....b.2...V.&W.. .Acrobat.exe.H......&W..CW.V....u.........................A.c.r.o.b.a.t...e.x.e.......d...............-.......c............F.......C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe..;.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.A.d.o.b.e.\.A.c.r.o.b.a.t. .D.C.\.A.c.r.o.b.a.t.\.A.c.r.o.b.a.t...e.x.e.K.C.:.\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.A.C.7.6.B.A.8.6.-.1.0.3.3.-.1.0.3.3.-.7.7.6.0.-.B.C.1.5.0.1.4.E.A.7.0.0.}.\._.S.C._.A.c.r.o.b.a.t...i.c.o......

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.1269425012215555
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	jqXe6tttFa.exe
File size:	27'136 bytes
MD5:	c7cfaca6501361febe27a6b3e66a61bf
SHA1:	55a3414b9668596e120139a059db91a306281dcc
SHA256:	fd32cec288cec4f16dc5430cf86dc17e1d4cf941d635979fc17a59c8d6d83d44
SHA512:	490814ad45e81ca6712c179fc6f9849788da1e379a02597136a52cc8695d895b648676f1ae2ee200effdac0f0dac7d56bef0af3b6854c8c150f33120af4d75a1
SSDEEP:	768:57NEFbb6uTIm2IfuxvMG0HRvMG0H0uc5tunpqKYhJ:57NEwSIjIyvcHRvcH0gnpqKmJ
TLSH:	1CC22A0132E84B70E2FD5BBA2DB266C207B5B95F5815CA1D7D8C518C1B73B648A22F93
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_.........."...0..V...........u... ........@.. ....................................@................................

Entrypoint:	0x40751a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5FD50BF3 [Sat Dec 12 18:29:07 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x74c8	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8000	0xfdc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x7390	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x5520	0x5600	46677b181a9c6225ed617fc8f8f698c0	False	0.4823310319767442	data	6.316560853859544	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x8000	0xfdc	0x1000	67ffd350a3208050eebccc11bb0ab0e7	False	0.39599609375	data	4.9859376786375575	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa000	0xc	0x200	8b2782453271cfdda060bc3a1c7b8e09	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x8090	0x32c	data			0.41995073891625617
RT_MANIFEST	0x83cc	0xc09	XML 1.0 document, Unicode text, UTF-8 (with BOM) text			0.39954560207724765

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 19, 2024 03:50:56.115804911 CEST	49675	443	192.168.2.4	173.222.162.32
Apr 19, 2024 03:51:05.724992990 CEST	49675	443	192.168.2.4	173.222.162.32
Apr 19, 2024 03:51:18.657428980 CEST	49672	443	192.168.2.4	173.222.162.32
Apr 19, 2024 03:51:18.657510042 CEST	443	49672	173.222.162.32	192.168.2.4
Apr 19, 2024 03:51:18.657561064 CEST	49672	443	192.168.2.4	173.222.162.32
Apr 19, 2024 03:51:18.657582998 CEST	443	49672	173.222.162.32	192.168.2.4
Apr 19, 2024 03:51:18.865642071 CEST	49730	443	192.168.2.4	52.165.165.26
Apr 19, 2024 03:51:18.865684032 CEST	443	49730	52.165.165.26	192.168.2.4
Apr 19, 2024 03:51:18.866442919 CEST	49730	443	192.168.2.4	52.165.165.26
Apr 19, 2024 03:51:18.870215893 CEST	49730	443	192.168.2.4	52.165.165.26
Apr 19, 2024 03:51:18.870233059 CEST	443	49730	52.165.165.26	192.168.2.4
Apr 19, 2024 03:51:19.299323082 CEST	443	49730	52.165.165.26	192.168.2.4
Apr 19, 2024 03:51:19.299541950 CEST	49730	443	192.168.2.4	52.165.165.26
Apr 19, 2024 03:51:19.302701950 CEST	49730	443	192.168.2.4	52.165.165.26
Apr 19, 2024 03:51:19.302720070 CEST	443	49730	52.165.165.26	192.168.2.4
Apr 19, 2024 03:51:19.303121090 CEST	443	49730	52.165.165.26	192.168.2.4
Apr 19, 2024 03:51:19.350198030 CEST	49730	443	192.168.2.4	52.165.165.26
Apr 19, 2024 03:51:19.752991915 CEST	49730	443	192.168.2.4	52.165.165.26
Apr 19, 2024 03:51:19.800116062 CEST	443	49730	52.165.165.26	192.168.2.4
Apr 19, 2024 03:51:20.026617050 CEST	443	49730	52.165.165.26	192.168.2.4
Apr 19, 2024 03:51:20.026644945 CEST	443	49730	52.165.165.26	192.168.2.4
Apr 19, 2024 03:51:20.026654005 CEST	443	49730	52.165.165.26	192.168.2.4
Apr 19, 2024 03:51:20.026667118 CEST	443	49730	52.165.165.26	192.168.2.4
Apr 19, 2024 03:51:20.026710033 CEST	443	49730	52.165.165.26	192.168.2.4
Apr 19, 2024 03:51:20.026743889 CEST	49730	443	192.168.2.4	52.165.165.26
Apr 19, 2024 03:51:20.026743889 CEST	49730	443	192.168.2.4	52.165.165.26
Apr 19, 2024 03:51:20.026766062 CEST	443	49730	52.165.165.26	192.168.2.4
Apr 19, 2024 03:51:20.026776075 CEST	443	49730	52.165.165.26	192.168.2.4
Apr 19, 2024 03:51:20.026822090 CEST	49730	443	192.168.2.4	52.165.165.26
Apr 19, 2024 03:51:20.026822090 CEST	49730	443	192.168.2.4	52.165.165.26
Apr 19, 2024 03:51:20.026838064 CEST	443	49730	52.165.165.26	192.168.2.4
Apr 19, 2024 03:51:20.026885986 CEST	49730	443	192.168.2.4	52.165.165.26
Apr 19, 2024 03:51:20.026932001 CEST	49730	443	192.168.2.4	52.165.165.26
Apr 19, 2024 03:51:20.040709019 CEST	49730	443	192.168.2.4	52.165.165.26
Apr 19, 2024 03:51:20.040709019 CEST	49730	443	192.168.2.4	52.165.165.26
Apr 19, 2024 03:51:20.040731907 CEST	443	49730	52.165.165.26	192.168.2.4
Apr 19, 2024 03:51:20.040745974 CEST	443	49730	52.165.165.26	192.168.2.4
Apr 19, 2024 03:51:29.105156898 CEST	49741	443	192.168.2.4	67.225.218.22
Apr 19, 2024 03:51:29.105194092 CEST	443	49741	67.225.218.22	192.168.2.4
Apr 19, 2024 03:51:29.105246067 CEST	49741	443	192.168.2.4	67.225.218.22
Apr 19, 2024 03:51:29.105660915 CEST	49741	443	192.168.2.4	67.225.218.22
Apr 19, 2024 03:51:29.105683088 CEST	443	49741	67.225.218.22	192.168.2.4
Apr 19, 2024 03:51:29.106026888 CEST	49742	443	192.168.2.4	67.225.218.22
Apr 19, 2024 03:51:29.106118917 CEST	443	49742	67.225.218.22	192.168.2.4
Apr 19, 2024 03:51:29.106185913 CEST	49742	443	192.168.2.4	67.225.218.22
Apr 19, 2024 03:51:29.106342077 CEST	49742	443	192.168.2.4	67.225.218.22
Apr 19, 2024 03:51:29.106360912 CEST	443	49742	67.225.218.22	192.168.2.4
Apr 19, 2024 03:51:29.554800987 CEST	443	49742	67.225.218.22	192.168.2.4
Apr 19, 2024 03:51:29.555278063 CEST	49742	443	192.168.2.4	67.225.218.22
Apr 19, 2024 03:51:29.555337906 CEST	443	49742	67.225.218.22	192.168.2.4
Apr 19, 2024 03:51:29.557022095 CEST	443	49742	67.225.218.22	192.168.2.4
Apr 19, 2024 03:51:29.557100058 CEST	49742	443	192.168.2.4	67.225.218.22
Apr 19, 2024 03:51:29.557121038 CEST	443	49742	67.225.218.22	192.168.2.4
Apr 19, 2024 03:51:29.557171106 CEST	49742	443	192.168.2.4	67.225.218.22
Apr 19, 2024 03:51:29.558157921 CEST	49742	443	192.168.2.4	67.225.218.22
Apr 19, 2024 03:51:29.558253050 CEST	443	49742	67.225.218.22	192.168.2.4
Apr 19, 2024 03:51:29.558314085 CEST	49742	443	192.168.2.4	67.225.218.22
Apr 19, 2024 03:51:29.558335066 CEST	443	49742	67.225.218.22	192.168.2.4
Apr 19, 2024 03:51:29.559770107 CEST	443	49741	67.225.218.22	192.168.2.4
Apr 19, 2024 03:51:29.559947968 CEST	49741	443	192.168.2.4	67.225.218.22
Apr 19, 2024 03:51:29.559967995 CEST	443	49741	67.225.218.22	192.168.2.4
Apr 19, 2024 03:51:29.561636925 CEST	443	49741	67.225.218.22	192.168.2.4
Apr 19, 2024 03:51:29.561789989 CEST	49741	443	192.168.2.4	67.225.218.22
Apr 19, 2024 03:51:29.561796904 CEST	443	49741	67.225.218.22	192.168.2.4
Apr 19, 2024 03:51:29.561911106 CEST	49741	443	192.168.2.4	67.225.218.22
Apr 19, 2024 03:51:29.562583923 CEST	49741	443	192.168.2.4	67.225.218.22
Apr 19, 2024 03:51:29.562671900 CEST	443	49741	67.225.218.22	192.168.2.4
Apr 19, 2024 03:51:29.617660999 CEST	49742	443	192.168.2.4	67.225.218.22
Apr 19, 2024 03:51:29.617676020 CEST	49741	443	192.168.2.4	67.225.218.22
Apr 19, 2024 03:51:29.617681980 CEST	443	49741	67.225.218.22	192.168.2.4
Apr 19, 2024 03:51:29.755525112 CEST	49741	443	192.168.2.4	67.225.218.22
Apr 19, 2024 03:51:30.070771933 CEST	443	49742	67.225.218.22	192.168.2.4
Apr 19, 2024 03:51:30.070967913 CEST	443	49742	67.225.218.22	192.168.2.4
Apr 19, 2024 03:51:30.071599960 CEST	49742	443	192.168.2.4	67.225.218.22
Apr 19, 2024 03:51:30.093242884 CEST	49742	443	192.168.2.4	67.225.218.22
Apr 19, 2024 03:51:30.093312025 CEST	443	49742	67.225.218.22	192.168.2.4
Apr 19, 2024 03:51:31.245743990 CEST	49744	443	192.168.2.4	23.33.134.2
Apr 19, 2024 03:51:31.245824099 CEST	443	49744	23.33.134.2	192.168.2.4
Apr 19, 2024 03:51:31.245908976 CEST	49744	443	192.168.2.4	23.33.134.2
Apr 19, 2024 03:51:31.246889114 CEST	49744	443	192.168.2.4	23.33.134.2
Apr 19, 2024 03:51:31.246923923 CEST	443	49744	23.33.134.2	192.168.2.4
Apr 19, 2024 03:51:31.472073078 CEST	443	49744	23.33.134.2	192.168.2.4
Apr 19, 2024 03:51:31.472302914 CEST	49744	443	192.168.2.4	23.33.134.2
Apr 19, 2024 03:51:31.477197886 CEST	49744	443	192.168.2.4	23.33.134.2
Apr 19, 2024 03:51:31.477248907 CEST	443	49744	23.33.134.2	192.168.2.4
Apr 19, 2024 03:51:31.477669954 CEST	443	49744	23.33.134.2	192.168.2.4
Apr 19, 2024 03:51:31.513061047 CEST	49744	443	192.168.2.4	23.33.134.2
Apr 19, 2024 03:51:31.556194067 CEST	443	49744	23.33.134.2	192.168.2.4
Apr 19, 2024 03:51:31.671230078 CEST	443	49744	23.33.134.2	192.168.2.4
Apr 19, 2024 03:51:31.671375990 CEST	443	49744	23.33.134.2	192.168.2.4
Apr 19, 2024 03:51:31.671509027 CEST	49744	443	192.168.2.4	23.33.134.2
Apr 19, 2024 03:51:31.671509981 CEST	49744	443	192.168.2.4	23.33.134.2
Apr 19, 2024 03:51:31.671509981 CEST	49744	443	192.168.2.4	23.33.134.2
Apr 19, 2024 03:51:31.671587944 CEST	443	49744	23.33.134.2	192.168.2.4
Apr 19, 2024 03:51:31.712241888 CEST	49745	443	192.168.2.4	23.33.134.2
Apr 19, 2024 03:51:31.712316036 CEST	443	49745	23.33.134.2	192.168.2.4
Apr 19, 2024 03:51:31.712413073 CEST	49745	443	192.168.2.4	23.33.134.2
Apr 19, 2024 03:51:31.712676048 CEST	49745	443	192.168.2.4	23.33.134.2
Apr 19, 2024 03:51:31.712703943 CEST	443	49745	23.33.134.2	192.168.2.4
Apr 19, 2024 03:51:31.932790041 CEST	443	49745	23.33.134.2	192.168.2.4
Apr 19, 2024 03:51:31.932991028 CEST	49745	443	192.168.2.4	23.33.134.2
Apr 19, 2024 03:51:31.934142113 CEST	49745	443	192.168.2.4	23.33.134.2
Apr 19, 2024 03:51:31.934191942 CEST	443	49745	23.33.134.2	192.168.2.4
Apr 19, 2024 03:51:31.934811115 CEST	443	49745	23.33.134.2	192.168.2.4
Apr 19, 2024 03:51:31.935906887 CEST	49745	443	192.168.2.4	23.33.134.2
Apr 19, 2024 03:51:31.973442078 CEST	49744	443	192.168.2.4	23.33.134.2
Apr 19, 2024 03:51:31.973500013 CEST	443	49744	23.33.134.2	192.168.2.4
Apr 19, 2024 03:51:31.976190090 CEST	443	49745	23.33.134.2	192.168.2.4
Apr 19, 2024 03:51:32.151211977 CEST	443	49745	23.33.134.2	192.168.2.4
Apr 19, 2024 03:51:32.151371956 CEST	443	49745	23.33.134.2	192.168.2.4
Apr 19, 2024 03:51:32.151578903 CEST	49745	443	192.168.2.4	23.33.134.2
Apr 19, 2024 03:51:32.152143002 CEST	49745	443	192.168.2.4	23.33.134.2
Apr 19, 2024 03:51:32.152143002 CEST	49745	443	192.168.2.4	23.33.134.2
Apr 19, 2024 03:51:32.152204037 CEST	443	49745	23.33.134.2	192.168.2.4
Apr 19, 2024 03:51:32.152240992 CEST	443	49745	23.33.134.2	192.168.2.4
Apr 19, 2024 03:51:33.333322048 CEST	49746	443	192.168.2.4	64.233.177.104
Apr 19, 2024 03:51:33.333372116 CEST	443	49746	64.233.177.104	192.168.2.4
Apr 19, 2024 03:51:33.334218025 CEST	49746	443	192.168.2.4	64.233.177.104
Apr 19, 2024 03:51:33.334218025 CEST	49746	443	192.168.2.4	64.233.177.104
Apr 19, 2024 03:51:33.334259987 CEST	443	49746	64.233.177.104	192.168.2.4
Apr 19, 2024 03:51:33.561911106 CEST	443	49746	64.233.177.104	192.168.2.4
Apr 19, 2024 03:51:33.562668085 CEST	49746	443	192.168.2.4	64.233.177.104
Apr 19, 2024 03:51:33.562712908 CEST	443	49746	64.233.177.104	192.168.2.4
Apr 19, 2024 03:51:33.564448118 CEST	443	49746	64.233.177.104	192.168.2.4
Apr 19, 2024 03:51:33.564888000 CEST	49746	443	192.168.2.4	64.233.177.104
Apr 19, 2024 03:51:33.979720116 CEST	49746	443	192.168.2.4	64.233.177.104
Apr 19, 2024 03:51:33.980202913 CEST	443	49746	64.233.177.104	192.168.2.4
Apr 19, 2024 03:51:34.020162106 CEST	49746	443	192.168.2.4	64.233.177.104
Apr 19, 2024 03:51:34.020181894 CEST	443	49746	64.233.177.104	192.168.2.4
Apr 19, 2024 03:51:34.067050934 CEST	49746	443	192.168.2.4	64.233.177.104
Apr 19, 2024 03:51:41.066605091 CEST	443	49741	67.225.218.22	192.168.2.4
Apr 19, 2024 03:51:41.066807032 CEST	443	49741	67.225.218.22	192.168.2.4
Apr 19, 2024 03:51:41.066867113 CEST	49741	443	192.168.2.4	67.225.218.22
Apr 19, 2024 03:51:41.272161007 CEST	49741	443	192.168.2.4	67.225.218.22
Apr 19, 2024 03:51:41.272177935 CEST	443	49741	67.225.218.22	192.168.2.4
Apr 19, 2024 03:51:43.558099031 CEST	443	49746	64.233.177.104	192.168.2.4
Apr 19, 2024 03:51:43.558262110 CEST	443	49746	64.233.177.104	192.168.2.4
Apr 19, 2024 03:51:43.558363914 CEST	49746	443	192.168.2.4	64.233.177.104
Apr 19, 2024 03:51:45.272003889 CEST	49746	443	192.168.2.4	64.233.177.104
Apr 19, 2024 03:51:45.272070885 CEST	443	49746	64.233.177.104	192.168.2.4
Apr 19, 2024 03:52:02.330734968 CEST	49747	443	192.168.2.4	40.68.123.157
Apr 19, 2024 03:52:02.330801010 CEST	443	49747	40.68.123.157	192.168.2.4
Apr 19, 2024 03:52:02.330873013 CEST	49747	443	192.168.2.4	40.68.123.157
Apr 19, 2024 03:52:02.331290960 CEST	49747	443	192.168.2.4	40.68.123.157
Apr 19, 2024 03:52:02.331312895 CEST	443	49747	40.68.123.157	192.168.2.4
Apr 19, 2024 03:52:02.967566013 CEST	443	49747	40.68.123.157	192.168.2.4
Apr 19, 2024 03:52:02.967750072 CEST	49747	443	192.168.2.4	40.68.123.157
Apr 19, 2024 03:52:02.969422102 CEST	49747	443	192.168.2.4	40.68.123.157
Apr 19, 2024 03:52:02.969472885 CEST	443	49747	40.68.123.157	192.168.2.4
Apr 19, 2024 03:52:02.969980001 CEST	443	49747	40.68.123.157	192.168.2.4
Apr 19, 2024 03:52:02.981904984 CEST	49747	443	192.168.2.4	40.68.123.157
Apr 19, 2024 03:52:03.028151989 CEST	443	49747	40.68.123.157	192.168.2.4
Apr 19, 2024 03:52:03.577259064 CEST	443	49747	40.68.123.157	192.168.2.4
Apr 19, 2024 03:52:03.577317953 CEST	443	49747	40.68.123.157	192.168.2.4
Apr 19, 2024 03:52:03.577364922 CEST	443	49747	40.68.123.157	192.168.2.4
Apr 19, 2024 03:52:03.577645063 CEST	49747	443	192.168.2.4	40.68.123.157
Apr 19, 2024 03:52:03.577645063 CEST	49747	443	192.168.2.4	40.68.123.157
Apr 19, 2024 03:52:03.577711105 CEST	443	49747	40.68.123.157	192.168.2.4
Apr 19, 2024 03:52:03.577750921 CEST	443	49747	40.68.123.157	192.168.2.4
Apr 19, 2024 03:52:03.577775955 CEST	443	49747	40.68.123.157	192.168.2.4
Apr 19, 2024 03:52:03.577816963 CEST	49747	443	192.168.2.4	40.68.123.157
Apr 19, 2024 03:52:03.577848911 CEST	49747	443	192.168.2.4	40.68.123.157
Apr 19, 2024 03:52:03.582129002 CEST	49747	443	192.168.2.4	40.68.123.157
Apr 19, 2024 03:52:03.582129955 CEST	49747	443	192.168.2.4	40.68.123.157
Apr 19, 2024 03:52:03.582191944 CEST	443	49747	40.68.123.157	192.168.2.4
Apr 19, 2024 03:52:03.582279921 CEST	443	49747	40.68.123.157	192.168.2.4
Apr 19, 2024 03:52:33.068620920 CEST	49749	443	192.168.2.4	64.233.177.104
Apr 19, 2024 03:52:33.068661928 CEST	443	49749	64.233.177.104	192.168.2.4
Apr 19, 2024 03:52:33.068748951 CEST	49749	443	192.168.2.4	64.233.177.104
Apr 19, 2024 03:52:33.068994999 CEST	49749	443	192.168.2.4	64.233.177.104
Apr 19, 2024 03:52:33.069003105 CEST	443	49749	64.233.177.104	192.168.2.4
Apr 19, 2024 03:52:33.289706945 CEST	443	49749	64.233.177.104	192.168.2.4
Apr 19, 2024 03:52:33.289961100 CEST	49749	443	192.168.2.4	64.233.177.104
Apr 19, 2024 03:52:33.289992094 CEST	443	49749	64.233.177.104	192.168.2.4
Apr 19, 2024 03:52:33.291475058 CEST	443	49749	64.233.177.104	192.168.2.4
Apr 19, 2024 03:52:33.291943073 CEST	49749	443	192.168.2.4	64.233.177.104
Apr 19, 2024 03:52:33.292407990 CEST	443	49749	64.233.177.104	192.168.2.4
Apr 19, 2024 03:52:33.333116055 CEST	49749	443	192.168.2.4	64.233.177.104
Apr 19, 2024 03:52:43.317817926 CEST	443	49749	64.233.177.104	192.168.2.4
Apr 19, 2024 03:52:43.317981958 CEST	443	49749	64.233.177.104	192.168.2.4
Apr 19, 2024 03:52:43.318043947 CEST	49749	443	192.168.2.4	64.233.177.104
Apr 19, 2024 03:52:45.273344040 CEST	49749	443	192.168.2.4	64.233.177.104
Apr 19, 2024 03:52:45.273385048 CEST	443	49749	64.233.177.104	192.168.2.4

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 19, 2024 03:51:23.191009045 CEST	138	138	192.168.2.4	192.168.2.255
Apr 19, 2024 03:51:28.891617060 CEST	58287	53	192.168.2.4	1.1.1.1
Apr 19, 2024 03:51:28.891824007 CEST	58496	53	192.168.2.4	1.1.1.1
Apr 19, 2024 03:51:28.998249054 CEST	53	51203	1.1.1.1	192.168.2.4
Apr 19, 2024 03:51:29.014189959 CEST	53	65094	1.1.1.1	192.168.2.4
Apr 19, 2024 03:51:29.066339016 CEST	53	58287	1.1.1.1	192.168.2.4
Apr 19, 2024 03:51:29.104717970 CEST	53	58496	1.1.1.1	192.168.2.4
Apr 19, 2024 03:51:29.611488104 CEST	53	58975	1.1.1.1	192.168.2.4
Apr 19, 2024 03:51:33.005443096 CEST	61574	53	192.168.2.4	1.1.1.1
Apr 19, 2024 03:51:33.005738974 CEST	60069	53	192.168.2.4	1.1.1.1
Apr 19, 2024 03:51:33.110188007 CEST	53	61574	1.1.1.1	192.168.2.4
Apr 19, 2024 03:51:33.111632109 CEST	53	60069	1.1.1.1	192.168.2.4
Apr 19, 2024 03:51:47.026932001 CEST	53	63481	1.1.1.1	192.168.2.4
Apr 19, 2024 03:52:10.706526995 CEST	53	50758	1.1.1.1	192.168.2.4
Apr 19, 2024 03:52:28.504796028 CEST	53	56458	1.1.1.1	192.168.2.4
Apr 19, 2024 03:52:33.143177032 CEST	53	56224	1.1.1.1	192.168.2.4
Apr 19, 2024 03:52:57.736609936 CEST	53	64719	1.1.1.1	192.168.2.4
Apr 19, 2024 03:53:42.828772068 CEST	53	51913	1.1.1.1	192.168.2.4
Apr 19, 2024 03:55:01.850575924 CEST	53	63727	1.1.1.1	192.168.2.4

Timestamp	Bytes transferred	Direction	Data
2024-04-19 01:51:19 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=Y9Bovd3FB3pfDT2&MD=1VU9cbn4 HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-04-19 01:51:20 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 28d99ce5-ca50-4394-a39d-b907334ec145 MS-RequestId: 9057b160-2e8c-44d4-9d39-e431c2477007 MS-CV: 5zybiJa7V0GN2roR.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Fri, 19 Apr 2024 01:51:19 GMT Connection: close Content-Length: 24490
2024-04-19 01:51:20 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-04-19 01:51:20 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Timestamp	Bytes transferred	Direction	Data
2024-04-19 01:51:29 UTC	671	OUT	GET /product/235093/ HTTP/1.1 Host: primearea.biz Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-04-19 01:51:30 UTC	304	IN	HTTP/1.1 200 OK Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 Cache-Control: no-cache Content-Type: text/html; charset=UTF-8 Date: Fri, 19 Apr 2024 01:51:29 GMT Keep-Alive: timeout=5, max=99 Pragma: no-cache Connection: close X-Powered-By: PHP/5.4.16 Content-Length: 2176
2024-04-19 01:51:30 UTC	1139	IN	Data Raw: 3c 68 74 6d 6c 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 73 63 72 69 70 74 3e 0a 09 09 09 76 61 72 20 66 6f 72 77 61 72 64 69 6e 67 55 72 6c 20 3d 20 22 2f 70 61 67 65 2f 62 6f 75 6e 63 79 2e 70 68 70 3f 26 62 70 61 65 3d 47 62 68 47 64 7a 30 6d 6f 6c 78 37 7a 25 32 42 39 6c 31 6a 25 32 42 35 4f 71 35 77 57 54 66 5a 71 44 34 6d 4b 52 55 66 79 47 57 42 34 46 7a 65 69 49 6b 6e 66 41 66 6f 4b 4e 52 6b 6d 72 64 47 4d 62 66 6f 7a 38 6f 63 50 68 47 6b 6b 25 32 42 53 42 55 32 45 52 25 32 46 44 4f 56 70 4b 77 48 71 68 55 30 46 4b 55 6a 71 59 35 25 32 46 54 25 32 42 45 70 65 6b 58 45 59 4a 6a 49 43 44 54 44 45 54 49 55 31 73 35 76 73 56 4f 4f 63 35 6c 78 6e 30 30 63 71 6e 4e 59 77 5a 79 6c 63 78 36 72 5a 33 49 63 31 6c 59 62 4f 4c 4e 4e 49 61 36 58 67 38 63 4d 25 32 Data Ascii: <html><head><script>var forwardingUrl = "/page/bouncy.php?&bpae=GbhGdz0molx7z%2B9l1j%2B5Oq5wWTfZqD4mKRUfyGWB4FzeiIknfAfoKNRkmrdGMbfoz8ocPhGkk%2BSBU2ER%2FDOVpKwHqhU0FKUjqY5%2FT%2BEpekXEYJjICDTDETIU1s5vsVOOc5lxn00cqnNYwZylcx6rZ3Ic1lYbOLNNIa6Xg8cM%2

Timestamp	Bytes transferred	Direction	Data
2024-04-19 01:51:31 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-04-19 01:51:31 UTC	467	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (chd/073D) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-eus-z1 Cache-Control: public, max-age=191539 Date: Fri, 19 Apr 2024 01:51:31 GMT Connection: close X-CID: 2

Timestamp	Bytes transferred	Direction	Data
2024-04-19 01:51:31 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-04-19 01:51:32 UTC	531	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Tue, 16 May 2017 22:58:00 GMT ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json X-Azure-Ref: 0DMGnYgAAAACXaXykPZuVRq4aV6pCkeO8U0pDRURHRTAzMTgAY2VmYzI1ODMtYTliMi00NGE3LTk3NTUtYjc2ZDE3ZTA1Zjdm Cache-Control: public, max-age=191552 Date: Fri, 19 Apr 2024 01:51:32 GMT Content-Length: 55 Connection: close X-CID: 2
2024-04-19 01:51:32 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Timestamp	Bytes transferred	Direction	Data
2024-04-19 01:52:02 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=Y9Bovd3FB3pfDT2&MD=1VU9cbn4 HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-04-19 01:52:03 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "Mx1RoJH/qEwpWfKllx7sbsl28AuERz5IYdcsvtTJcgM=_2160" MS-CorrelationId: e115a803-8e6b-4f9d-888c-0ab3eecb5d5a MS-RequestId: e7a5187b-67b1-4d17-9ab9-7826602d7c9d MS-CV: pxln9I5Sdk6KNPm+.0 X-Microsoft-SLSClientCache: 2160 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Fri, 19 Apr 2024 01:52:02 GMT Connection: close Content-Length: 25457
2024-04-19 01:52:03 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 51 22 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 db 8e 00 00 14 00 00 00 00 00 10 00 51 22 00 00 20 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 f3 43 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 0d 92 6f db e5 21 f3 43 43 4b ed 5a 09 38 55 5b df 3f 93 99 90 29 99 e7 29 ec 73 cc 4a 66 32 cf 84 32 64 c8 31 c7 11 52 38 87 90 42 66 09 99 87 32 0f 19 0a 09 51 a6 a8 08 29 53 86 4a 52 84 50 df 46 83 ba dd 7b df fb 7e ef 7d ee 7d bf ef 9e e7 d9 67 ef 35 ee b5 fe eb 3f ff b6 96 81 a2 0a 04 fc 31 40 21 5b 3f a5 ed 1b 04 0e 85 42 a0 10 04 64 12 6c a5 de aa a1 d8 ea f3 58 01 f2 f5 67 0b 5e 9b bd e8 a0 90 1d bf 40 88 9d eb 49 b4 87 9b ab 8b 9d 2b 46 c8 c7 c5 19 92 Data Ascii: MSCFQ"DQ" AdCenvironment.cabo!CCKZ8U[?))sJf22d1R8Bf2Q)SJRPF{~}}g5?1@![?BdlXg^@I+F
2024-04-19 01:52:03 UTC	9633	IN	Data Raw: 21 6f b3 eb a6 cc f5 31 be cf 05 e2 a9 fe fa 57 6d 19 30 b3 c2 c5 66 c9 6a df f5 e7 f0 78 bd c7 a8 9e 25 e3 f9 bc ed 6b 54 57 08 2b 51 82 44 12 fb b9 53 8c cc f4 60 12 8a 76 cc 40 40 41 9b dc 5c 17 ff 5c f9 5e 17 35 98 24 56 4b 74 ef 42 10 c8 af bf 7f c6 7f f2 37 7d 5a 3f 1c f2 99 79 4a 91 52 00 af 38 0f 17 f5 2f 79 81 65 d9 a9 b5 6b e4 c7 ce f6 ca 7a 00 6f 4b 30 44 24 22 3c cf ed 03 a5 96 8f 59 29 bc b6 fd 04 e1 70 9f 32 4a 27 fd 55 af 2f fe b6 e5 8e 33 bb 62 5f 9a db 57 40 e9 f1 ce 99 66 90 8c ff 6a 62 7f dd c5 4a 0b 91 26 e2 39 ec 19 4a 71 63 9d 7b 21 6d c3 9c a3 a2 3c fa 7f 7d 96 6a 90 78 a6 6d d2 e1 9c f9 1d fc 38 d8 94 f4 c6 a5 0a 96 86 a4 bd 9e 1a ae 04 42 83 b8 b5 80 9b 22 38 20 b5 25 e5 64 ec f7 f4 bf 7e 63 59 25 0f 7a 2e 39 57 76 a2 71 aa 06 8a Data Ascii: !o1Wm0fjx%kTW+QDS`v@@A\\^5$VKtB7}Z?yJR8/yekzoK0D$"<Y)p2J'U/3b_W@fjbJ&9Jqc{!m<}jxm8B"8 %d~cY%z.9Wvq

Target ID:	0
Start time:	03:50:59
Start date:	19/04/2024
Path:	C:\Users\user\Desktop\jqXe6tttFa.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\jqXe6tttFa.exe"
Imagebase:	0x280000
File size:	27'136 bytes
MD5 hash:	C7CFACA6501361FEBE27A6B3E66A61BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	7
Start time:	03:51:26
Start date:	19/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://primearea.biz/product/235093/
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report jqXe6tttFa.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\Adobe Acrobat.lnk.rtcrypted (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\Firefox.lnk.rtcrypted (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\Google Chrome.lnk.rtcrypted (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\DeploymentConfig.1.xml.rtcrypted (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\osver.txt.rtcrypted (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\IdentityCRL\INT\wlidsvcconfig.xml.rtcrypted (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\guest.bmp.rtcrypted (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\guest.png.rtcrypted (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-32.png.rtcrypted (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-40.png.rtcrypted (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-48.png.rtcrypted (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user.bmp.rtcrypted (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user.png.rtcrypted (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\AppxProvisioning.xml.rtcrypted (copy)

Windows Analysis Report
jqXe6tttFa.exe

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Tactics:	Collection
Data Sources:	Logon Session: Logon Session Creation, Process: Process Access, Process: Process Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre