Windows Analysis Report
mU2p71KMss.exe

Overview

General Information

Sample name: mU2p71KMss.exe
renamed because original name is a hash value
Original sample name: e9ff14a975f084f01373d468c0b91a16.exe
Analysis ID: 1431118
MD5: e9ff14a975f084f01373d468c0b91a16
SHA1: 302d4b9f88ae7b085b56661774d6805156039924
SHA256: f6a6765642f0f8c4b81f45d4e1a9f65505432bbf4c249fa3c96b82d9c712effe
Tags: exeStop

Detection

Babuk, Djvu
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found ransom note / readme
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Yara detected Babuk Ransomware
Yara detected Djvu Ransomware
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Writes a notice file (html or txt) to demand a ransom
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locale information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: Babuk
Description: Babuk Ransomware is a sophisticated ransomware compiled for several platforms. Windows and ARM for Linux are the most used compiled versions, but ESX and a 32-bit old PE executable were observed over time as well. It uses an elliptic-curve algorithm (Montgomery algorithm) to build the encryption keys.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.babuk

Name: STOP, Djvu
Description: STOP/Djvu Ransomware is a ransomware which encrypts user data with AES-256 and adds one of the dozen available extensions as a marker to the encrypted file's name. It does not encrypt the entire file but only the first 5 MB. In its original version it was able to run offline and, in that case, it used a hard-coded key which could be extracted to decrypt files.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stop

AV Detection

Source: mU2p71KMss.exe Avira: detected
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Avira: detection malicious, Label: HEUR/AGEN.1313019
Source: 00000006.00000002.2025228021.0000000005DC0000.00000040.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Djvu {"Download URLs": ["http://sdfjhuz.com/dl/build2.exe", "http://cajgtus.com/files/1/build3.exe"], "C2 url": "http://cajgtus.com/test2/get.php", "Ransom note file": "_README.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nDo not ask assistants from youtube and recovery data sites for help in recovering your data.\r\nThey can use your free decryption quota and scam you.\r\nOur contact is emails in this text document only.\r\nYou can get and look video overview decrypt tool:\r\nhttps://wetransfer.com/downloads/54cdfd152fe98eedb628a1f4ddb7076420240421150208/403a27\r\nPrice of private key and decrypt software is $999.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $499.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@freshingmail.top\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelpyou@airmail.cc\r\n\r\nYour personal ID:\r\n0864PsawqS", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", 
"C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Joe Sandbox ML: detected
Source: mU2p71KMss.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_0040E870 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext, 1_2_0040E870
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_0040EA51 CryptDestroyHash,CryptReleaseContext, 1_2_0040EA51
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_0040EAA0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext, 1_2_0040EAA0
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_0040EC68 CryptDestroyHash,CryptReleaseContext, 1_2_0040EC68
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_00410FC0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,lstrlenA,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,CryptGetHashParam,_malloc,CryptGetHashParam,_memset,_sprintf,lstrcatA,CryptDestroyHash,CryptReleaseContext, 1_2_00410FC0
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_00411178 CryptDestroyHash,CryptReleaseContext, 1_2_00411178
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_0040E870 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext, 5_2_0040E870
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_0040EA51 CryptDestroyHash,CryptReleaseContext, 5_2_0040EA51
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_0040EAA0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext, 5_2_0040EAA0
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_0040EC68 CryptDestroyHash,CryptReleaseContext, 5_2_0040EC68
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_00410FC0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,lstrlenA,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,CryptGetHashParam,_malloc,CryptGetHashParam,_memset,_sprintf,lstrcatA,CryptDestroyHash,CryptReleaseContext, 5_2_00410FC0
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_00411178 CryptDestroyHash,CryptReleaseContext, 5_2_00411178
Source: mU2p71KMss.exe, 00000007.00000002.3243271467.00000000007A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_8361a420-5
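The "Ignore Files" list in the extracted Djvu configuration above tells a responder which paths the encryptor leaves alone: the whole of C:\Windows, Program Files, ProgramData and the user's AppData tree, plus a few system files and extensions. Note that the sample's own persistence copy (under AppData\Local\<GUID>, see the Avira line above) sits inside a skipped directory, so it never encrypts itself. The Python below is an added example, not code from the report or from the malware: it turns that list into a predicate and classifies a few constructed paths. The matching semantics (prefix, suffix and equality tests, case-sensitive) and the expansion of %username% to the sandbox account "user" are assumptions; the report does not state how the sample compares paths.

```python
import ntpath

# Entries from the "Ignore Files" list in the extracted Djvu configuration (C: drive subset;
# the dump on the page is truncated and the D: and E: entries repeat the same pattern).
IGNORE_LIST = [
    "ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol",
    ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms",
    "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\",
    "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\",
    "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\",
    "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\",
    "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\",
    "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\",
    "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\",
]


def compile_rules(entries, username):
    """Split the flat list into the three rule kinds it mixes together: directory
    prefixes (trailing backslash), extensions (leading dot) and exact file names.
    %username% is expanded to the account the sample ran under (assumption)."""
    dirs, exts, names = [], [], []
    for e in entries:
        e = e.replace("%username%", username)
        (dirs if e.endswith("\\") else exts if e.startswith(".") else names).append(e)
    return dirs, exts, names


def is_skipped(path, rules):
    """Assumed semantics, not stated in the report: plain prefix/suffix/equality tests.
    Matching is case-sensitive because the list carries both '.DLL' and '.dll', which
    would be redundant under a case-insensitive compare."""
    dirs, exts, names = rules
    base = ntpath.basename(path)          # ntpath handles backslashes on any host OS
    return (any(path.startswith(d) for d in dirs)
            or any(base.endswith(x) for x in exts)
            or base in names)


def triage(paths, username="user"):
    """Map each path to 'skipped' (left alone by the encryptor) or 'in scope'."""
    rules = compile_rules(IGNORE_LIST, username)
    return {p: ("skipped" if is_skipped(p, rules) else "in scope") for p in paths}


if __name__ == "__main__":
    # Constructed paths; the AppData one is the persistence copy named in the report.
    for p, verdict in triage([
        "C:\\Users\\user\\Documents\\report.docx",
        "C:\\Users\\user\\AppData\\Local\\f261f702-1524-4c10-82ff-88b548e0117a\\mU2p71KMss.exe",
        "C:\\Windows\\System32\\kernel32.dll",
    ]).items():
        print(verdict.ljust(9), p)
```

Feeding a file listing from a victim host through `triage` gives a quick first cut of what was exposed to encryption; anything reported as "in scope" still has to be checked against the extension marker on disk, since the predicate only models the skip list, not the encryptor's file-walking.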

Compliance

Source: C:\Users\user\Desktop\mU2p71KMss.exe Unpacked PE file: 1.2.mU2p71KMss.exe.400000.0.unpack
Source: C:\Users\user\Desktop\mU2p71KMss.exe Unpacked PE file: 5.2.mU2p71KMss.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Unpacked PE file: 7.2.mU2p71KMss.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Unpacked PE file: 10.2.mU2p71KMss.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Unpacked PE file: 13.2.mU2p71KMss.exe.400000.0.unpack
Source: mU2p71KMss.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe File created: C:\_README.txt
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe File created: C:\Users\user\_README.txt
Source: unknown HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: mU2p71KMss.exe, mU2p71KMss.exe, 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, mU2p71KMss.exe, 00000006.00000002.2025228021.0000000005DC0000.00000040.00001000.00020000.00000000.sdmp, mU2p71KMss.exe, 00000007.00000002.3243111162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, mU2p71KMss.exe, 00000009.00000002.2156207791.0000000005C80000.00000040.00001000.00020000.00000000.sdmp, mU2p71KMss.exe, 0000000A.00000002.2167150824.0000000000400000.00000040.00000400.00020000.00000000.sdmp, mU2p71KMss.exe, 0000000C.00000002.2241519623.0000000005E10000.00000040.00001000.00020000.00000000.sdmp, mU2p71KMss.exe, 0000000D.00000002.2252233144.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: CC:\poviwodi\xik\bihunow44-jeholo43\bikeyomipacase\kagakawotenot.pdb source: mU2p71KMss.exe, mU2p71KMss.exe.1.dr
Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: mU2p71KMss.exe, 00000000.00000002.1990128449.0000000005DD0000.00000040.00001000.00020000.00000000.sdmp, mU2p71KMss.exe, 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, mU2p71KMss.exe, 00000004.00000002.2012565443.0000000005DE0000.00000040.00001000.00020000.00000000.sdmp, mU2p71KMss.exe, 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, mU2p71KMss.exe, 00000006.00000002.2025228021.0000000005DC0000.00000040.00001000.00020000.00000000.sdmp, mU2p71KMss.exe, 00000007.00000002.3243111162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, mU2p71KMss.exe, 00000009.00000002.2156207791.0000000005C80000.00000040.00001000.00020000.00000000.sdmp, mU2p71KMss.exe, 0000000A.00000002.2167150824.0000000000400000.00000040.00000400.00020000.00000000.sdmp, mU2p71KMss.exe, 0000000C.00000002.2241519623.0000000005E10000.00000040.00001000.00020000.00000000.sdmp, mU2p71KMss.exe, 0000000D.00000002.2252233144.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: C:\poviwodi\xik\bihunow44-jeholo43\bikeyomipacase\kagakawotenot.pdb source: mU2p71KMss.exe, mU2p71KMss.exe.1.dr
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose, 1_2_00410160
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose, 1_2_0040F730
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_0040FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose, 1_2_0040FB98
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose, 5_2_00410160
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose, 5_2_0040F730
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_0040FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose, 5_2_0040FB98

Networking

Source: Traffic Snort IDS: 2833438 ETPRO TROJAN STOP Ransomware CnC Activity 192.168.2.5:49707 -> 62.150.232.50:80
Source: Traffic Snort IDS: 2036335 ET TROJAN Win32/Filecoder.STOP Variant Public Key Download 62.150.232.50:80 -> 192.168.2.5:49707
Source: Malware configuration extractor URLs: http://cajgtus.com/test2/get.php
Source: Joe Sandbox View IP Address: 104.21.65.24 104.21.65.24
Source: Joe Sandbox View ASN Name: QNETKuwaitKW QNETKuwaitKW
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 (4 occurrences)
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_0040CF10 _memset,InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 1_2_0040CF10
Source: global traffic HTTP traffic detected: GET /geo.json HTTP/1.1 | User-Agent: Microsoft Internet Explorer | Host: api.2ip.ua (5 requests)
Source: global traffic HTTP traffic detected: GET /test2/get.php?pid=903E7F261711F85395E5CEFBF4173C54 HTTP/1.1 | User-Agent: Microsoft Internet Explorer | Host: cajgtus.com
Source: mU2p71KMss.exe, 00000007.00000003.2095073426.0000000003560000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: URL=http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: mU2p71KMss.exe, 00000007.00000003.2095368781.0000000003560000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: URL=http://www.twitter.com/ equals www.twitter.com (Twitter)
Source: mU2p71KMss.exe, 00000007.00000003.2095490468.0000000003560000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: URL=http://www.youtube.com/ equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: api.2ip.ua
Source: global traffic DNS traffic detected: DNS query: cajgtus.com
Source: mU2p71KMss.exe, 00000007.00000003.2036506866.000000000075F000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 00000007.00000002.3243271467.0000000000764000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cajgtus.com/test2/get.php
Source: mU2p71KMss.exe, 00000007.00000002.3243271467.0000000000754000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 00000007.00000002.3243271467.00000000006C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cajgtus.com/test2/get.php?pid=903E7F261711F85395E5CEFBF4173C54
Source: mU2p71KMss.exe, 00000007.00000002.3243271467.0000000000707000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cajgtus.com/test2/get.phprk
Source: mU2p71KMss.exe, 00000000.00000002.1990128449.0000000005DD0000.00000040.00001000.00020000.00000000.sdmp, mU2p71KMss.exe, 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, mU2p71KMss.exe, 00000004.00000002.2012565443.0000000005DE0000.00000040.00001000.00020000.00000000.sdmp, mU2p71KMss.exe, 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, mU2p71KMss.exe, 00000006.00000002.2025228021.0000000005DC0000.00000040.00001000.00020000.00000000.sdmp, mU2p71KMss.exe, 00000007.00000002.3243111162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, mU2p71KMss.exe, 00000009.00000002.2156207791.0000000005C80000.00000040.00001000.00020000.00000000.sdmp, mU2p71KMss.exe, 0000000A.00000002.2167150824.0000000000400000.00000040.00000400.00020000.00000000.sdmp, mU2p71KMss.exe, 0000000C.00000002.2241519623.0000000005E10000.00000040.00001000.00020000.00000000.sdmp, mU2p71KMss.exe, 0000000D.00000002.2252233144.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error
Source: mU2p71KMss.exe, 00000007.00000003.2094960142.0000000003560000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.amazon.com/
Source: mU2p71KMss.exe, 00000007.00000003.2095130817.0000000003560000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.google.com/
Source: mU2p71KMss.exe, 00000007.00000003.2095187541.0000000003560000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.live.com/
Source: mU2p71KMss.exe, 00000007.00000003.2095243165.0000000003560000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.nytimes.com/
Source: mU2p71KMss.exe, 0000000D.00000002.2252233144.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://www.openssl.org/support/faq.html
Source: mU2p71KMss.exe, 00000007.00000003.2095309712.0000000003560000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.reddit.com/
Source: mU2p71KMss.exe, 00000007.00000003.2095368781.0000000003560000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.twitter.com/
Source: mU2p71KMss.exe, 00000007.00000003.2095426359.0000000003560000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.wikipedia.com/
Source: mU2p71KMss.exe, 00000007.00000003.2095490468.0000000003560000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.youtube.com/
Source: mU2p71KMss.exe, 00000001.00000002.2009528237.00000000008F7000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 00000001.00000003.2003059893.0000000000906000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 00000005.00000003.2024120427.0000000000731000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 00000005.00000003.2024457872.0000000000732000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 00000005.00000002.2025188604.0000000000732000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 00000007.00000002.3243271467.0000000000707000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 00000007.00000003.2036117451.0000000000711000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 0000000A.00000002.2167918166.0000000000768000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 0000000A.00000003.2166629017.0000000000766000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 0000000D.00000002.2252580072.00000000006C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/
Source: mU2p71KMss.exe, 0000000D.00000002.2252580072.00000000006C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/.
Source: mU2p71KMss.exe, 0000000D.00000002.2252580072.00000000006C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/2
Source: mU2p71KMss.exe, 0000000D.00000002.2252580072.00000000006C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/D
Source: mU2p71KMss.exe, 00000007.00000002.3243271467.0000000000707000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 00000007.00000003.2036117451.0000000000711000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/K
Source: mU2p71KMss.exe, 00000005.00000003.2024120427.0000000000731000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 00000005.00000003.2024457872.0000000000732000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 00000005.00000002.2025188604.0000000000732000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/a
Source: mU2p71KMss.exe, 0000000A.00000002.2167737364.0000000000718000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 0000000A.00000002.2167150824.0000000000400000.00000040.00000400.00020000.00000000.sdmp, mU2p71KMss.exe, 0000000A.00000002.2167918166.0000000000768000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 0000000A.00000003.2166629017.0000000000766000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 0000000C.00000002.2241519623.0000000005E10000.00000040.00001000.00020000.00000000.sdmp, mU2p71KMss.exe, 0000000D.00000002.2252580072.0000000000688000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 0000000D.00000002.2252233144.0000000000400000.00000040.00000400.00020000.00000000.sdmp, mU2p71KMss.exe, 0000000D.00000002.2252580072.00000000006C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/geo.json
Source: mU2p71KMss.exe, 0000000A.00000002.2167737364.0000000000718000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/geo.json.7
Source: mU2p71KMss.exe, 0000000D.00000002.2252580072.00000000006C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/geo.json9
Source: mU2p71KMss.exe, 00000001.00000002.2009528237.00000000008B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/geo.json=
Source: mU2p71KMss.exe, 0000000A.00000002.2167737364.0000000000718000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/geo.jsonM
Source: mU2p71KMss.exe, 00000005.00000002.2025045423.00000000006D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/geo.jsonSf
Source: mU2p71KMss.exe, 0000000D.00000002.2252580072.0000000000688000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/geo.jsonb
Source: mU2p71KMss.exe, 00000005.00000003.2024120427.0000000000731000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 00000005.00000003.2024457872.0000000000732000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 00000005.00000002.2025188604.0000000000732000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/geo.jsonhy
Source: mU2p71KMss.exe, 00000001.00000002.2009528237.00000000008B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/geo.jsonmp
Source: mU2p71KMss.exe, 00000005.00000002.2025045423.00000000006D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/geo.jsonpTf
Source: mU2p71KMss.exe, 00000005.00000002.2025045423.00000000006D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/geo.jsonqS
Source: mU2p71KMss.exe, 0000000A.00000002.2167737364.0000000000718000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/geo.jsons
Source: mU2p71KMss.exe, 0000000A.00000002.2167737364.0000000000718000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/geo.jsons:$
Source: mU2p71KMss.exe, 00000005.00000002.2025045423.00000000006D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/geo.jsont
Source: mU2p71KMss.exe, 00000005.00000002.2025045423.00000000006D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/geo.jsonyS
Source: mU2p71KMss.exe, 00000007.00000003.2089780619.00000000007B1000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 00000007.00000002.3243271467.0000000000754000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 00000007.00000002.3243271467.0000000000764000.00000004.00000020.00020000.00000000.sdmp, _README.txt.7.dr, _README.txt0.7.dr String found in binary or memory: https://wetransfer.com/downloads/54cdfd152fe98eedb628a1f4ddb7076420240421150208/403a27
Source: mU2p71KMss.exe, 00000007.00000002.3243271467.00000000007A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://wetransfer.com/downloadsVn
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_004822E0 CreateDCA,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,GetObjectA,BitBlt,GetBitmapBits,SelectObject,DeleteObject,DeleteDC,DeleteDC,DeleteDC, 1_2_004822E0
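Taken together, the traffic above gives a two-step network pattern: a GET /geo.json to api.2ip.ua followed by a GET /test2/get.php?pid=<32 hex characters> to cajgtus.com, both sent with the literal User-Agent "Microsoft Internet Explorer", which is not a string any real browser sends. The Python below is an added example, not part of the report: it runs that detection over a few constructed proxy-log lines in an assumed format and reports which clients completed both steps. The log format, the client addresses other than the sandbox's 192.168.2.5, and the treatment of pid as "MD5-shaped" (32 hex characters, the width of one MD5 digest; the report does not say what is hashed) are assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Indicators taken from the report: the C2 check-in and the geolocation lookup before it.
C2_HOST, C2_PATH = "cajgtus.com", "/test2/get.php"
GEO_HOST, GEO_PATH = "api.2ip.ua", "/geo.json"
MALWARE_UA = "Microsoft Internet Explorer"   # bare string, not a real browser User-Agent
# pid is 32 hex characters (one MD5 digest wide). Its input is not stated in the report,
# so only its shape is checked here.
PID_RE = re.compile(r"^[0-9A-Fa-f]{32}$")

# Assumed (constructed) proxy log format:
#   <timestamp> <client> "<METHOD> <host><path>[?query]" "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) "(?P<method>[A-Z]+) (?P<host>[^/\s]+)(?P<path>/[^?\s]*)'
    r'(?:\?(?P<query>\S*))?" "(?P<ua>[^"]*)"$'
)

SAMPLE_LOG = [  # constructed for this example; only the indicators come from the report
    '2024-04-22T10:01:03Z 192.168.2.5 "GET api.2ip.ua/geo.json" "Microsoft Internet Explorer"',
    '2024-04-22T10:01:05Z 192.168.2.5 "GET cajgtus.com/test2/get.php?pid=903E7F261711F85395E5CEFBF4173C54" "Microsoft Internet Explorer"',
    '2024-04-22T10:02:11Z 192.168.2.7 "GET www.example.com/index.html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2024-04-22T10:03:40Z 192.168.2.9 "GET cajgtus.com/test2/get.php?pid=notahash" "Microsoft Internet Explorer"',
]


@dataclass
class Hit:
    ts: str
    src: str
    kind: str      # geo_lookup | c2_beacon | c2_contact
    detail: str


def parse_query(query):
    pairs = (kv.split("=", 1) for kv in (query or "").split("&") if "=" in kv)
    return {k: v for k, v in pairs}


def classify(line):
    """Return a Hit if the request matches the report's indicators, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    if d["host"] == GEO_HOST and d["path"] == GEO_PATH and d["ua"] == MALWARE_UA:
        return Hit(d["ts"], d["src"], "geo_lookup", GEO_HOST + GEO_PATH)
    if d["host"] == C2_HOST and d["path"] == C2_PATH:
        pid = parse_query(d["query"]).get("pid", "")
        # Any contact with the C2 path is worth a ticket; a well-formed pid is the beacon.
        kind = "c2_beacon" if PID_RE.match(pid) else "c2_contact"
        return Hit(d["ts"], d["src"], kind, pid)
    return None


def scan(lines):
    return [h for h in map(classify, lines) if h is not None]


def high_confidence(hits):
    """Clients that did the geo lookup with the malware UA and then a well-formed C2 beacon."""
    by_src = defaultdict(list)
    for h in hits:
        by_src[h.src].append(h.kind)
    return sorted(s for s, kinds in by_src.items()
                  if "geo_lookup" in kinds and "c2_beacon" in kinds)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(h)
    print("high confidence:", high_confidence(hits))
```

The geo lookup alone is a weak signal (api.2ip.ua is a public service), and the C2 domain will rotate between builds; the part worth keeping in a long-lived rule is the bare "Microsoft Internet Explorer" User-Agent combined with a get.php?pid=<32 hex> request, which survives domain changes.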

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\AppData\Local\VirtualStore\_README.txt Dropped file:
ATTENTION!

Don't worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
Do not ask assistants from youtube and recovery data sites for help in recovering your data.
They can use your free decryption quota and scam you.
Our contact is emails in this text document only.
You can get and look video overview decrypt tool:
https://wetransfer.com/downloads/54cdfd152fe98eedb628a1f4ddb7076420240421150208/403a27
Price of private key and decrypt software is $999.
Discount 50% available if you contact us first 72 hours, that's price for you is $499.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.

To get this software you need write on our e-mail:
support@freshingmail.top

Reserve e-mail address to contact us:
datarestorehelpyou@airmail.cc

Your personal ID:
0864PsawqS8JH27WdrW6kuFkS6UwG9Yu6KR0DViv5JyVmKOoKE
Source: Yara match File source: Process Memory Space: mU2p71KMss.exe PID: 2164, type: MEMORYSTR
Source: Yara match File source: 13.2.mU2p71KMss.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.mU2p71KMss.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.mU2p71KMss.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.mU2p71KMss.exe.5de15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.mU2p71KMss.exe.5c815a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.mU2p71KMss.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.mU2p71KMss.exe.5dd15a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.mU2p71KMss.exe.5dc15a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.mU2p71KMss.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.mU2p71KMss.exe.5c815a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.mU2p71KMss.exe.5e115a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.mU2p71KMss.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.mU2p71KMss.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.mU2p71KMss.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.mU2p71KMss.exe.5dc15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.mU2p71KMss.exe.5dd15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.mU2p71KMss.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.mU2p71KMss.exe.5e115a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.mU2p71KMss.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.mU2p71KMss.exe.5de15a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2252233144.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2167150824.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2025228021.0000000005DC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2012565443.0000000005DE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1990128449.0000000005DD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3243111162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2156207791.0000000005C80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2241519623.0000000005E10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: mU2p71KMss.exe PID: 348, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mU2p71KMss.exe PID: 2716, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mU2p71KMss.exe PID: 1896, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mU2p71KMss.exe PID: 5968, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mU2p71KMss.exe PID: 2828, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mU2p71KMss.exe PID: 2164, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mU2p71KMss.exe PID: 5524, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mU2p71KMss.exe PID: 4748, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mU2p71KMss.exe PID: 4144, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mU2p71KMss.exe PID: 2616, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe File moved: C:\Users\user\Desktop\UNKRLCVOHV.mp3
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe File deleted: C:\Users\user\Desktop\UNKRLCVOHV.mp3
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe File moved: C:\Users\user\Desktop\EIVQSAOTAQ.jpg
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe File deleted: C:\Users\user\Desktop\EIVQSAOTAQ.jpg
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe File moved: C:\Users\user\Desktop\EEGWXUHVUG\EEGWXUHVUG.docx
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe File dropped: C:\Users\user\AppData\Local\VirtualStore\_README.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.do not ask assistants from youtube and recovery data sites for help in recovering your data.they can use your free decryption quota and scam you.our contact is emails in this text document only.you can get and look video overview decrypt tool:https://wetransfer.com/downloads/54cdfd152fe98eedb628a1f4ddb7076420240421150208/403a27price of private key and decrypt software is $999.discount 50% available if you contact us first 72 hours, that's price for you is $499.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@freshingmail.topreserve e-mail address
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe File dropped: C:\Users\user\_README.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.do not ask assistants from youtube and recovery data sites for help in recovering your data.they can use your free decryption quota and scam you.our contact is emails in this text document only.you can get and look video overview decrypt tool:https://wetransfer.com/downloads/54cdfd152fe98eedb628a1f4ddb7076420240421150208/403a27price of private key and decrypt software is $999.discount 50% available if you contact us first 72 hours, that's price for you is $499.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@freshingmail.topreserve e-mail address

System Summary

Source: 13.2.mU2p71KMss.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 13.2.mU2p71KMss.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.2.mU2p71KMss.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.2.mU2p71KMss.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 10.2.mU2p71KMss.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 10.2.mU2p71KMss.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 4.2.mU2p71KMss.exe.5de15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 4.2.mU2p71KMss.exe.5de15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.2.mU2p71KMss.exe.5c815a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.2.mU2p71KMss.exe.5c815a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.2.mU2p71KMss.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.2.mU2p71KMss.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0.2.mU2p71KMss.exe.5dd15a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0.2.mU2p71KMss.exe.5dd15a0.1.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.2.mU2p71KMss.exe.5dc15a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.2.mU2p71KMss.exe.5dc15a0.1.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.2.mU2p71KMss.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.2.mU2p71KMss.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.2.mU2p71KMss.exe.5c815a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.2.mU2p71KMss.exe.5c815a0.1.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 12.2.mU2p71KMss.exe.5e115a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 12.2.mU2p71KMss.exe.5e115a0.1.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 7.2.mU2p71KMss.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 7.2.mU2p71KMss.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 13.2.mU2p71KMss.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 13.2.mU2p71KMss.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.2.mU2p71KMss.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.2.mU2p71KMss.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.2.mU2p71KMss.exe.5dc15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.2.mU2p71KMss.exe.5dc15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0.2.mU2p71KMss.exe.5dd15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0.2.mU2p71KMss.exe.5dd15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 10.2.mU2p71KMss.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 10.2.mU2p71KMss.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 12.2.mU2p71KMss.exe.5e115a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 12.2.mU2p71KMss.exe.5e115a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 7.2.mU2p71KMss.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 7.2.mU2p71KMss.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 4.2.mU2p71KMss.exe.5de15a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 4.2.mU2p71KMss.exe.5de15a0.1.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000006.00000002.2025120505.0000000004431000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000D.00000002.2252233144.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000D.00000002.2252233144.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000000.00000002.1990031031.0000000004388000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000009.00000002.2156092371.000000000444D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000A.00000002.2167150824.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000A.00000002.2167150824.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000006.00000002.2025228021.0000000005DC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000004.00000002.2012495232.00000000044A7000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000004.00000002.2012565443.0000000005DE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000C.00000002.2241428739.00000000044D6000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.1990128449.0000000005DD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000007.00000002.3243111162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000007.00000002.3243111162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000009.00000002.2156207791.0000000005C80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000C.00000002.2241519623.0000000005E10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: mU2p71KMss.exe PID: 348, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: mU2p71KMss.exe PID: 2716, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: mU2p71KMss.exe PID: 1896, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: mU2p71KMss.exe PID: 5968, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: mU2p71KMss.exe PID: 2828, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: mU2p71KMss.exe PID: 2164, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: mU2p71KMss.exe PID: 5524, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: mU2p71KMss.exe PID: 4748, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: mU2p71KMss.exe PID: 4144, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: mU2p71KMss.exe PID: 2616, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_05DD0110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess, 0_2_05DD0110
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 4_2_05DE0110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess, 4_2_05DE0110
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_00405653 0_2_00405653
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_05DD3520 0_2_05DD3520
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_05DD7520 0_2_05DD7520
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_05DFD7F1 0_2_05DFD7F1
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_05DDA79A 0_2_05DDA79A
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_05DDC760 0_2_05DDC760
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_05DDE6E0 0_2_05DDE6E0
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_05DDA699 0_2_05DDA699
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_05E1B69F 0_2_05E1B69F
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_05DFD1A4 0_2_05DFD1A4
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_05E1E141 0_2_05E1E141
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_05DD9120 0_2_05DD9120
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_05DE00D0 0_2_05DE00D0
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_05DD30F0 0_2_05DD30F0
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_05DD70E0 0_2_05DD70E0
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_05DDB0B0 0_2_05DDB0B0
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_05DDB000 0_2_05DDB000
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_05DEF030 0_2_05DEF030
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_05DDA026 0_2_05DDA026
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_05DD7393 0_2_05DD7393
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_05E1E37C 0_2_05E1E37C
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_05E522C0 0_2_05E522C0
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_05DD7220 0_2_05DD7220
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_05DD5DF7 0_2_05DD5DF7
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_05DD5DE7 0_2_05DD5DE7
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_05E12D1E 0_2_05E12D1E
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_05E04E9F 0_2_05E04E9F
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_05DD8E60 0_2_05DD8E60
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_05DD89D0 0_2_05DD89D0
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_05DD59F7 0_2_05DD59F7
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_05DFF9B0 0_2_05DFF9B0
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_05DFE9A3 0_2_05DFE9A3
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_05DDA916 0_2_05DDA916
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_05DF18D0 0_2_05DF18D0
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_05DD7880 0_2_05DD7880
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_05DDDBE0 0_2_05DDDBE0
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_05DD2B60 0_2_05DD2B60
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_05DE0B00 0_2_05DE0B00
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_05DD7A80 0_2_05DD7A80
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_05DDCA10 0_2_05DDCA10
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_0040D240 1_2_0040D240
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_00419F90 1_2_00419F90
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_0040C070 1_2_0040C070
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_0042E003 1_2_0042E003
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_00408030 1_2_00408030
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_00410160 1_2_00410160
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_004021C0 1_2_004021C0
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_0044237E 1_2_0044237E
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_004084C0 1_2_004084C0
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_004344FF 1_2_004344FF
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_0043E5A3 1_2_0043E5A3
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_0040A660 1_2_0040A660
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_0041E690 1_2_0041E690
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_00406740 1_2_00406740
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_00402750 1_2_00402750
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_0040A710 1_2_0040A710
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_00408780 1_2_00408780
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_0042C804 1_2_0042C804
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_00406880 1_2_00406880
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_004349F3 1_2_004349F3
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_004069F3 1_2_004069F3
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_00402B80 1_2_00402B80
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_00406B80 1_2_00406B80
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_0044ACFF 1_2_0044ACFF
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_0042CE51 1_2_0042CE51
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_00434E0B 1_2_00434E0B
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_00406EE0 1_2_00406EE0
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_00420F30 1_2_00420F30
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_00405057 1_2_00405057
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_0042F010 1_2_0042F010
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_004070E0 1_2_004070E0
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_004391F6 1_2_004391F6
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_00435240 1_2_00435240
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_004C9343 1_2_004C9343
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_00405447 1_2_00405447
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_00405457 1_2_00405457
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_00449506 1_2_00449506
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_0044B5B1 1_2_0044B5B1
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_00435675 1_2_00435675
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_00409686 1_2_00409686
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_0040F730 1_2_0040F730
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_0044D7A1 1_2_0044D7A1
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_00481920 1_2_00481920
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_0044D9DC 1_2_0044D9DC
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_00449A71 1_2_00449A71
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_00443B40 1_2_00443B40
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_00409CF9 1_2_00409CF9
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_0040DD40 1_2_0040DD40
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_00427D6C 1_2_00427D6C
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_0040BDC0 1_2_0040BDC0
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_00409DFA 1_2_00409DFA
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_00409F76 1_2_00409F76
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_0046BFE0 1_2_0046BFE0
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_00449FE3 1_2_00449FE3
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 4_2_05DE3520 4_2_05DE3520
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 4_2_05DE7520 4_2_05DE7520
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 4_2_05E0D7F1 4_2_05E0D7F1
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 4_2_05DEA79A 4_2_05DEA79A
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 4_2_05DEC760 4_2_05DEC760
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 4_2_05DEE6E0 4_2_05DEE6E0
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 4_2_05DEA699 4_2_05DEA699
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 4_2_05E2B69F 4_2_05E2B69F
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 4_2_05E0D1A4 4_2_05E0D1A4
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 4_2_05E2E141 4_2_05E2E141
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 4_2_05DE9120 4_2_05DE9120
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 4_2_05DF00D0 4_2_05DF00D0
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 4_2_05DE30F0 4_2_05DE30F0
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 4_2_05DE70E0 4_2_05DE70E0
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 4_2_05DEB0B0 4_2_05DEB0B0
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 4_2_05DEB000 4_2_05DEB000
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 4_2_05DFF030 4_2_05DFF030
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 4_2_05DEA026 4_2_05DEA026
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 4_2_05DE7393 4_2_05DE7393
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 4_2_05E2E37C 4_2_05E2E37C
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 4_2_05E622C0 4_2_05E622C0
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 4_2_05DE7220 4_2_05DE7220
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 4_2_05DE5DF7 4_2_05DE5DF7
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 4_2_05DE5DE7 4_2_05DE5DE7
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 4_2_05E22D1E 4_2_05E22D1E
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 4_2_05E14E9F 4_2_05E14E9F
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 4_2_05DE8E60 4_2_05DE8E60
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 4_2_05DE89D0 4_2_05DE89D0
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 4_2_05DE59F7 4_2_05DE59F7
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 4_2_05E0E9A3 4_2_05E0E9A3
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 4_2_05E0F9B0 4_2_05E0F9B0
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 4_2_05DEA916 4_2_05DEA916
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 4_2_05E018D0 4_2_05E018D0
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 4_2_05DE7880 4_2_05DE7880
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 4_2_05DEDBE0 4_2_05DEDBE0
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 4_2_05DE2B60 4_2_05DE2B60
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 4_2_05DF0B00 4_2_05DF0B00
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 4_2_05DE7A80 4_2_05DE7A80
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 4_2_05DECA10 4_2_05DECA10
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_00419F90 5_2_00419F90
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_0040C070 5_2_0040C070
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_0042E003 5_2_0042E003
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_00408030 5_2_00408030
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_00410160 5_2_00410160
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_004021C0 5_2_004021C0
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_0044237E 5_2_0044237E
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_004084C0 5_2_004084C0
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_004344FF 5_2_004344FF
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_0043E5A3 5_2_0043E5A3
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_0040A660 5_2_0040A660
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_0041E690 5_2_0041E690
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_00406740 5_2_00406740
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_00402750 5_2_00402750
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_0040A710 5_2_0040A710
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_00408780 5_2_00408780
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_0042C804 5_2_0042C804
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_00406880 5_2_00406880
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_004349F3 5_2_004349F3
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_004069F3 5_2_004069F3
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_00402B80 5_2_00402B80
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_00406B80 5_2_00406B80
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_0044ACFF 5_2_0044ACFF
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_0042CE51 5_2_0042CE51
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_00434E0B 5_2_00434E0B
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_00406EE0 5_2_00406EE0
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_00420F30 5_2_00420F30
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_00405057 5_2_00405057
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_0042F010 5_2_0042F010
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_004070E0 5_2_004070E0
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_004391F6 5_2_004391F6
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_0040D240 5_2_0040D240
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_00435240 5_2_00435240
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_004C9343 5_2_004C9343
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_00405447 5_2_00405447
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_00405457 5_2_00405457
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_00449506 5_2_00449506
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_0044B5B1 5_2_0044B5B1
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_00435675 5_2_00435675
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_00409686 5_2_00409686
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_0040F730 5_2_0040F730
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_0044D7A1 5_2_0044D7A1
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_00481920 5_2_00481920
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_0044D9DC 5_2_0044D9DC
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_00449A71 5_2_00449A71
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_00443B40 5_2_00443B40
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_00409CF9 5_2_00409CF9
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_0040DD40 5_2_0040DD40
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_00427D6C 5_2_00427D6C
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_0040BDC0 5_2_0040BDC0
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_00409DFA 5_2_00409DFA
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_00409F76 5_2_00409F76
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_0046BFE0 5_2_0046BFE0
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_00449FE3 5_2_00449FE3
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: String function: 05DF8EC0 appears 57 times
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: String function: 00428C81 appears 84 times
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: String function: 00420EC2 appears 40 times
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: String function: 004547A0 appears 150 times
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: String function: 00422587 appears 48 times
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: String function: 05E10160 appears 50 times
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: String function: 05E08EC0 appears 57 times
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: String function: 0042F7C0 appears 194 times
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: String function: 0044F23E appears 106 times
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: String function: 00428520 appears 154 times
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: String function: 05E00160 appears 50 times
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: String function: 00425007 appears 36 times
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: String function: 00450870 appears 52 times
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: String function: 00454E50 appears 82 times
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: String function: 00441A25 appears 44 times
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: String function: 0044F26C appears 40 times
Source: mU2p71KMss.exe, 00000000.00000002.1989938513.00000000040A1000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameFirez( vs mU2p71KMss.exe
Source: mU2p71KMss.exe, 00000001.00000000.1987483622.00000000040A1000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameFirez( vs mU2p71KMss.exe
Source: mU2p71KMss.exe, 00000001.00000003.2003281151.00000000030B1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameFirez( vs mU2p71KMss.exe
Source: mU2p71KMss.exe, 00000004.00000002.2012281123.00000000040A1000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameFirez( vs mU2p71KMss.exe
Source: mU2p71KMss.exe, 00000005.00000000.2010038199.00000000040A1000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameFirez( vs mU2p71KMss.exe
Source: mU2p71KMss.exe, 00000006.00000000.2017321757.00000000040A1000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: OriginalFilenameFirez( vs mU2p71KMss.exe
Source: mU2p71KMss.exe, 00000007.00000000.2021981173.00000000040A1000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: OriginalFilenameFirez( vs mU2p71KMss.exe
Source: mU2p71KMss.exe, 00000009.00000002.2155871497.00000000040A1000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: OriginalFilenameFirez( vs mU2p71KMss.exe
Source: mU2p71KMss.exe, 0000000A.00000000.2152407463.00000000040A1000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: OriginalFilenameFirez( vs mU2p71KMss.exe
Source: mU2p71KMss.exe, 0000000C.00000002.2241186522.00000000040A1000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: OriginalFilenameFirez( vs mU2p71KMss.exe
Source: mU2p71KMss.exe, 0000000D.00000000.2236703964.00000000040A1000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: OriginalFilenameFirez( vs mU2p71KMss.exe
Source: mU2p71KMss.exe Binary or memory string: OriginalFilenameFirez( vs mU2p71KMss.exe
Source: mU2p71KMss.exe.1.dr Binary or memory string: OriginalFilenameFirez( vs mU2p71KMss.exe
Source: mU2p71KMss.exe.7.dr Binary or memory string: OriginalFilenameFirez( vs mU2p71KMss.exe
Source: mU2p71KMss.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 13.2.mU2p71KMss.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 13.2.mU2p71KMss.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.2.mU2p71KMss.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.2.mU2p71KMss.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 10.2.mU2p71KMss.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 10.2.mU2p71KMss.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 4.2.mU2p71KMss.exe.5de15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 4.2.mU2p71KMss.exe.5de15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.2.mU2p71KMss.exe.5c815a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.2.mU2p71KMss.exe.5c815a0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.2.mU2p71KMss.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.2.mU2p71KMss.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0.2.mU2p71KMss.exe.5dd15a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0.2.mU2p71KMss.exe.5dd15a0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.2.mU2p71KMss.exe.5dc15a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.2.mU2p71KMss.exe.5dc15a0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.2.mU2p71KMss.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.2.mU2p71KMss.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.2.mU2p71KMss.exe.5c815a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.2.mU2p71KMss.exe.5c815a0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 12.2.mU2p71KMss.exe.5e115a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 12.2.mU2p71KMss.exe.5e115a0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 7.2.mU2p71KMss.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 7.2.mU2p71KMss.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 13.2.mU2p71KMss.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 13.2.mU2p71KMss.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.2.mU2p71KMss.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.2.mU2p71KMss.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.2.mU2p71KMss.exe.5dc15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.2.mU2p71KMss.exe.5dc15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0.2.mU2p71KMss.exe.5dd15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0.2.mU2p71KMss.exe.5dd15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 10.2.mU2p71KMss.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 10.2.mU2p71KMss.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 12.2.mU2p71KMss.exe.5e115a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 12.2.mU2p71KMss.exe.5e115a0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 7.2.mU2p71KMss.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 7.2.mU2p71KMss.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 4.2.mU2p71KMss.exe.5de15a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 4.2.mU2p71KMss.exe.5de15a0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000006.00000002.2025120505.0000000004431000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000D.00000002.2252233144.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000D.00000002.2252233144.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000000.00000002.1990031031.0000000004388000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000009.00000002.2156092371.000000000444D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000A.00000002.2167150824.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000A.00000002.2167150824.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000006.00000002.2025228021.0000000005DC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000004.00000002.2012495232.00000000044A7000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000004.00000002.2012565443.0000000005DE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000C.00000002.2241428739.00000000044D6000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1990128449.0000000005DD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000007.00000002.3243111162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000007.00000002.3243111162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000009.00000002.2156207791.0000000005C80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000C.00000002.2241519623.0000000005E10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: mU2p71KMss.exe PID: 348, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: mU2p71KMss.exe PID: 2716, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: mU2p71KMss.exe PID: 1896, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: mU2p71KMss.exe PID: 5968, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: mU2p71KMss.exe PID: 2828, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: mU2p71KMss.exe PID: 2164, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: mU2p71KMss.exe PID: 5524, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: mU2p71KMss.exe PID: 4748, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: mU2p71KMss.exe PID: 4144, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: mU2p71KMss.exe PID: 2616, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: mU2p71KMss.exe, 00000006.00000002.2024972997.000000000423E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: =.COM;.EXE;.BAT;.CMD;.VBpZ#
Source: classification engine Classification label: mal100.rans.troj.evad.winEXE@18/287@4/2
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_00411900 GetLastError,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,_memset,lstrcpynW,MessageBoxW,LocalFree,LocalFree,LocalFree, 1_2_00411900
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_043887C6 CreateToolhelp32Snapshot,Module32First, 0_2_043887C6
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_0040D240 CoInitialize,CoInitializeSecurity,CoCreateInstance,VariantInit,VariantInit,VariantInit,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,CoUninitialize,CoUninitialize,CoUninitialize,__time64,__localtime64,_wcsftime,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,swprintf,CoUninitialize,CoUninitialize, 1_2_0040D240
Source: C:\Users\user\Desktop\mU2p71KMss.exe File created: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Mutant created: \Sessions\1\BaseNamedObjects\{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
Source: C:\Users\user\Desktop\mU2p71KMss.exe Command line argument: --Admin 1_2_00419F90
Source: C:\Users\user\Desktop\mU2p71KMss.exe Command line argument: IsAutoStart 1_2_00419F90
Source: C:\Users\user\Desktop\mU2p71KMss.exe Command line argument: IsTask 1_2_00419F90
Source: C:\Users\user\Desktop\mU2p71KMss.exe Command line argument: --ForNetRes 1_2_00419F90
Source: C:\Users\user\Desktop\mU2p71KMss.exe Command line argument: IsAutoStart 1_2_00419F90
Source: C:\Users\user\Desktop\mU2p71KMss.exe Command line argument: IsTask 1_2_00419F90
Source: C:\Users\user\Desktop\mU2p71KMss.exe Command line argument: --Task 1_2_00419F90
Source: C:\Users\user\Desktop\mU2p71KMss.exe Command line argument: --AutoStart 1_2_00419F90
Source: C:\Users\user\Desktop\mU2p71KMss.exe Command line argument: --Service 1_2_00419F90
Source: C:\Users\user\Desktop\mU2p71KMss.exe Command line argument: X1P 1_2_00419F90
Source: C:\Users\user\Desktop\mU2p71KMss.exe Command line argument: --Admin 1_2_00419F90
Source: C:\Users\user\Desktop\mU2p71KMss.exe Command line argument: runas 1_2_00419F90
Source: C:\Users\user\Desktop\mU2p71KMss.exe Command line argument: x2Q 1_2_00419F90
Source: C:\Users\user\Desktop\mU2p71KMss.exe Command line argument: x*P 1_2_00419F90
Source: C:\Users\user\Desktop\mU2p71KMss.exe Command line argument: C:\Windows\ 1_2_00419F90
Source: C:\Users\user\Desktop\mU2p71KMss.exe Command line argument: D:\Windows\ 1_2_00419F90
Source: C:\Users\user\Desktop\mU2p71KMss.exe Command line argument: 7P 1_2_00419F90
Source: C:\Users\user\Desktop\mU2p71KMss.exe Command line argument: %username% 1_2_00419F90
Source: C:\Users\user\Desktop\mU2p71KMss.exe Command line argument: F:\ 1_2_00419F90
Source: C:\Users\user\Desktop\mU2p71KMss.exe Command line argument: --Admin 5_2_00419F90
Source: C:\Users\user\Desktop\mU2p71KMss.exe Command line argument: IsAutoStart 5_2_00419F90
Source: C:\Users\user\Desktop\mU2p71KMss.exe Command line argument: IsTask 5_2_00419F90
Source: C:\Users\user\Desktop\mU2p71KMss.exe Command line argument: --ForNetRes 5_2_00419F90
Source: C:\Users\user\Desktop\mU2p71KMss.exe Command line argument: IsAutoStart 5_2_00419F90
Source: C:\Users\user\Desktop\mU2p71KMss.exe Command line argument: IsTask 5_2_00419F90
Source: C:\Users\user\Desktop\mU2p71KMss.exe Command line argument: --Task 5_2_00419F90
Source: C:\Users\user\Desktop\mU2p71KMss.exe Command line argument: --AutoStart 5_2_00419F90
Source: C:\Users\user\Desktop\mU2p71KMss.exe Command line argument: --Service 5_2_00419F90
Source: C:\Users\user\Desktop\mU2p71KMss.exe Command line argument: X1P 5_2_00419F90
Source: C:\Users\user\Desktop\mU2p71KMss.exe Command line argument: --Admin 5_2_00419F90
Source: C:\Users\user\Desktop\mU2p71KMss.exe Command line argument: runas 5_2_00419F90
Source: C:\Users\user\Desktop\mU2p71KMss.exe Command line argument: x2Q 5_2_00419F90
Source: C:\Users\user\Desktop\mU2p71KMss.exe Command line argument: x*P 5_2_00419F90
Source: C:\Users\user\Desktop\mU2p71KMss.exe Command line argument: C:\Windows\ 5_2_00419F90
Source: C:\Users\user\Desktop\mU2p71KMss.exe Command line argument: D:\Windows\ 5_2_00419F90
Source: C:\Users\user\Desktop\mU2p71KMss.exe Command line argument: 7P 5_2_00419F90
Source: C:\Users\user\Desktop\mU2p71KMss.exe Command line argument: %username% 5_2_00419F90
Source: C:\Users\user\Desktop\mU2p71KMss.exe Command line argument: F:\ 5_2_00419F90
Source: mU2p71KMss.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\mU2p71KMss.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\mU2p71KMss.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: mU2p71KMss.exe String found in binary or memory: set-addPolicy
Source: mU2p71KMss.exe String found in binary or memory: id-cmc-addExtensions
Source: mU2p71KMss.exe String found in binary or memory: set-addPolicy
Source: mU2p71KMss.exe String found in binary or memory: id-cmc-addExtensions
Source: mU2p71KMss.exe String found in binary or memory: set-addPolicy
Source: mU2p71KMss.exe String found in binary or memory: id-cmc-addExtensions
Source: mU2p71KMss.exe String found in binary or memory: set-addPolicy
Source: mU2p71KMss.exe String found in binary or memory: id-cmc-addExtensions
Source: C:\Users\user\Desktop\mU2p71KMss.exe File read: C:\Users\user\Desktop\mU2p71KMss.exe
Source: unknown Process created: C:\Users\user\Desktop\mU2p71KMss.exe "C:\Users\user\Desktop\mU2p71KMss.exe"
Source: C:\Users\user\Desktop\mU2p71KMss.exe Process created: C:\Users\user\Desktop\mU2p71KMss.exe "C:\Users\user\Desktop\mU2p71KMss.exe"
Source: C:\Users\user\Desktop\mU2p71KMss.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Source: C:\Users\user\Desktop\mU2p71KMss.exe Process created: C:\Users\user\Desktop\mU2p71KMss.exe "C:\Users\user\Desktop\mU2p71KMss.exe" --Admin IsNotAutoStart IsNotTask
Source: C:\Users\user\Desktop\mU2p71KMss.exe Process created: C:\Users\user\Desktop\mU2p71KMss.exe "C:\Users\user\Desktop\mU2p71KMss.exe" --Admin IsNotAutoStart IsNotTask
Source: unknown Process created: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe --Task
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Process created: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe --Task
Source: unknown Process created: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe "C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe" --AutoStart
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Process created: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe "C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe" --AutoStart
Source: unknown Process created: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe "C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe" --AutoStart
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Process created: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe "C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe" --AutoStart
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: taskschd.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: xmllite.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\icacls.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: drprov.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: ntlanman.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: davclnt.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: davhlpr.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: browcli.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\mU2p71KMss.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: mU2p71KMss.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: mU2p71KMss.exe, mU2p71KMss.exe, 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, mU2p71KMss.exe, 00000006.00000002.2025228021.0000000005DC0000.00000040.00001000.00020000.00000000.sdmp, mU2p71KMss.exe, 00000007.00000002.3243111162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, mU2p71KMss.exe, 00000009.00000002.2156207791.0000000005C80000.00000040.00001000.00020000.00000000.sdmp, mU2p71KMss.exe, 0000000A.00000002.2167150824.0000000000400000.00000040.00000400.00020000.00000000.sdmp, mU2p71KMss.exe, 0000000C.00000002.2241519623.0000000005E10000.00000040.00001000.00020000.00000000.sdmp, mU2p71KMss.exe, 0000000D.00000002.2252233144.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: CC:\poviwodi\xik\bihunow44-jeholo43\bikeyomipacase\kagakawotenot.pdb source: mU2p71KMss.exe, mU2p71KMss.exe.1.dr
Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: mU2p71KMss.exe, 00000000.00000002.1990128449.0000000005DD0000.00000040.00001000.00020000.00000000.sdmp, mU2p71KMss.exe, 00000001.00000002.2007683946.0000000000400000.00000040.00000400.00020000.00000000.sdmp, mU2p71KMss.exe, 00000004.00000002.2012565443.0000000005DE0000.00000040.00001000.00020000.00000000.sdmp, mU2p71KMss.exe, 00000005.00000002.2024778410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, mU2p71KMss.exe, 00000006.00000002.2025228021.0000000005DC0000.00000040.00001000.00020000.00000000.sdmp, mU2p71KMss.exe, 00000007.00000002.3243111162.0000000000400000.00000040.00000400.00020000.00000000.sdmp, mU2p71KMss.exe, 00000009.00000002.2156207791.0000000005C80000.00000040.00001000.00020000.00000000.sdmp, mU2p71KMss.exe, 0000000A.00000002.2167150824.0000000000400000.00000040.00000400.00020000.00000000.sdmp, mU2p71KMss.exe, 0000000C.00000002.2241519623.0000000005E10000.00000040.00001000.00020000.00000000.sdmp, mU2p71KMss.exe, 0000000D.00000002.2252233144.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: C:\poviwodi\xik\bihunow44-jeholo43\bikeyomipacase\kagakawotenot.pdb source: mU2p71KMss.exe, mU2p71KMss.exe.1.dr

Data Obfuscation

Source: C:\Users\user\Desktop\mU2p71KMss.exe Unpacked PE file: 1.2.mU2p71KMss.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\mU2p71KMss.exe Unpacked PE file: 5.2.mU2p71KMss.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Unpacked PE file: 7.2.mU2p71KMss.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Unpacked PE file: 10.2.mU2p71KMss.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Unpacked PE file: 13.2.mU2p71KMss.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\mU2p71KMss.exe Unpacked PE file: 1.2.mU2p71KMss.exe.400000.0.unpack
Source: C:\Users\user\Desktop\mU2p71KMss.exe Unpacked PE file: 5.2.mU2p71KMss.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Unpacked PE file: 7.2.mU2p71KMss.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Unpacked PE file: 10.2.mU2p71KMss.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Unpacked PE file: 13.2.mU2p71KMss.exe.400000.0.unpack
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_00412220 GetCommandLineW,CommandLineToArgvW,PathFindFileNameW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,K32EnumProcesses,OpenProcess,K32EnumProcessModules,K32GetModuleBaseNameW,CloseHandle, 1_2_00412220
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_00406805 push ecx; ret 0_2_00406818
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_0438B0AF push ecx; retf 0_2_0438B0B2
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_05DF8F05 push ecx; ret 0_2_05DF8F18
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_00428565 push ecx; ret 1_2_00428578
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 4_2_044AA0AF push ecx; retf 4_2_044AA0B2
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 4_2_05E08F05 push ecx; ret 4_2_05E08F18
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_00428565 push ecx; ret 5_2_00428578
Source: C:\Users\user\Desktop\mU2p71KMss.exe File created: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe File created: C:\Users\user\Desktop\mU2p71KMss.exe
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe File created: C:\Users\user\Desktop\mU2p71KMss.exe.bgzq (copy)
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe File created: C:\_README.txt
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe File created: C:\Users\user\_README.txt
Source: C:\Users\user\Desktop\mU2p71KMss.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SysHelper
Source: C:\Users\user\Desktop\mU2p71KMss.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SysHelper
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_00405653 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00405653
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\mU2p71KMss.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Source: C:\Users\user\Desktop\mU2p71KMss.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_0438971C rdtsc 0_2_0438971C
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: _malloc,_malloc,_wprintf,_free,GetAdaptersInfo,_free,_malloc,GetAdaptersInfo,_sprintf,_wprintf,_wprintf,_free, 1_2_0040E670
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: _malloc,_malloc,_wprintf,_free,GetAdaptersInfo,_free,_malloc,GetAdaptersInfo,_sprintf,_wprintf,_wprintf,_free, 5_2_0040E670
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Dropped PE file which has not been started: C:\Users\user\Desktop\mU2p71KMss.exe
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Dropped PE file which has not been started: C:\Users\user\Desktop\mU2p71KMss.exe.bgzq (copy)
Source: C:\Users\user\Desktop\mU2p71KMss.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\mU2p71KMss.exe API coverage: 4.6 %
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose, 1_2_00410160
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose, 1_2_0040F730
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_0040FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose, 1_2_0040FB98
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose, 5_2_00410160
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose, 5_2_0040F730
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_0040FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose, 5_2_0040FB98
Source: mU2p71KMss.exe, 00000005.00000002.2025045423.0000000000706000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWhKw%SystemRoot%\system32\mswsock.dll
Source: mU2p71KMss.exe, 00000001.00000002.2009528237.00000000008F7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Y
Source: mU2p71KMss.exe, 00000001.00000002.2009528237.00000000008F7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: mU2p71KMss.exe, 00000001.00000003.2003059893.0000000000915000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 00000001.00000002.2009528237.0000000000915000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 00000005.00000002.2025188604.0000000000770000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 00000005.00000003.2024457872.0000000000770000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 00000005.00000003.2024120427.0000000000770000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 00000007.00000003.2036117451.0000000000755000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 00000007.00000002.3243271467.00000000006EB000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 00000007.00000002.3243271467.0000000000754000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 0000000A.00000002.2167737364.0000000000746000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 0000000A.00000002.2167918166.00000000007A4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: mU2p71KMss.exe, 00000001.00000002.2009528237.00000000008B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(
Source: mU2p71KMss.exe, 0000000D.00000002.2252580072.00000000006B7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: mU2p71KMss.exe, 00000005.00000002.2025188604.0000000000770000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 00000005.00000003.2024457872.0000000000770000.00000004.00000020.00020000.00000000.sdmp, mU2p71KMss.exe, 00000005.00000003.2024120427.0000000000770000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW|R~
Source: C:\Users\user\Desktop\mU2p71KMss.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\mU2p71KMss.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_0438971C rdtsc 0_2_0438971C
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_0040A3A4 IsDebuggerPresent, 0_2_0040A3A4
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_0042A57A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 1_2_0042A57A
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_00412220 GetCommandLineW,CommandLineToArgvW,PathFindFileNameW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,K32EnumProcesses,OpenProcess,K32EnumProcessModules,K32GetModuleBaseNameW,CloseHandle, 1_2_00412220
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_043880A3 push dword ptr fs:[00000030h] 0_2_043880A3
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_05DD0042 push dword ptr fs:[00000030h] 0_2_05DD0042
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 4_2_044A70A3 push dword ptr fs:[00000030h] 4_2_044A70A3
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 4_2_05DE0042 push dword ptr fs:[00000030h] 4_2_05DE0042
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_00405A52 GetProcessHeap, 0_2_00405A52
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_0040A32F SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0040A32F
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_004329EC SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_004329EC
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_004329BB SetUnhandledExceptionFilter, 1_2_004329BB
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_004329EC SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_004329EC
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 5_2_004329BB SetUnhandledExceptionFilter, 5_2_004329BB

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_05DD0110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess, 0_2_05DD0110
Source: C:\Users\user\Desktop\mU2p71KMss.exe Memory written: C:\Users\user\Desktop\mU2p71KMss.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\mU2p71KMss.exe Memory written: C:\Users\user\Desktop\mU2p71KMss.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Memory written: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Memory written: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Memory written: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_00419F90 GetCurrentProcess,GetLastError,GetLastError,SetPriorityClass,GetLastError,GetModuleFileNameW,PathRemoveFileSpecW,GetCommandLineW,CommandLineToArgvW,lstrcpyW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcpyW,lstrcmpW,lstrcmpW,GlobalFree,lstrcpyW,lstrcpyW,OpenProcess,WaitForSingleObject,CloseHandle,Sleep,GlobalFree,GetCurrentProcess,GetExitCodeProcess,TerminateProcess,CloseHandle,lstrcatW,GetVersion,lstrcpyW,lstrcatW,lstrcatW,_memset,ShellExecuteExW,CreateThread,lstrlenA,lstrcatW,_malloc,lstrcatW,_memset,lstrcatW,MultiByteToWideChar,lstrcatW,lstrlenW,CreateThread,WaitForSingleObject,CreateMutexA,CreateMutexA,lstrlenA,lstrcpyA,_memmove,_memmove,_memmove,GetUserNameW,GetMessageW,GetMessageW,DispatchMessageW,TranslateMessage,TranslateMessage,DispatchMessageW,GetMessageW,PostThreadMessageW,PeekMessageW,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,CloseHandle, 1_2_00419F90
Source: C:\Users\user\Desktop\mU2p71KMss.exe Process created: C:\Users\user\Desktop\mU2p71KMss.exe "C:\Users\user\Desktop\mU2p71KMss.exe"
Source: C:\Users\user\Desktop\mU2p71KMss.exe Process created: C:\Users\user\Desktop\mU2p71KMss.exe "C:\Users\user\Desktop\mU2p71KMss.exe" --Admin IsNotAutoStart IsNotTask
Source: C:\Users\user\Desktop\mU2p71KMss.exe Process created: C:\Users\user\Desktop\mU2p71KMss.exe "C:\Users\user\Desktop\mU2p71KMss.exe" --Admin IsNotAutoStart IsNotTask
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Process created: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe --Task
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Process created: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe "C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe" --AutoStart
Source: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe Process created: C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe "C:\Users\user\AppData\Local\f261f702-1524-4c10-82ff-88b548e0117a\mU2p71KMss.exe" --AutoStart
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_05DF80F6 cpuid 0_2_05DF80F6
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 0_2_05E03F87
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_free,_free,_free,_free,_free,_free,_free,_free,_free, 0_2_05E049EA
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free, 0_2_05E0394D
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson, 0_2_05DFC8B7
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 0_2_05E10AB6
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_free,_free,_free,_free,_free,_free,_free,_free,_free, 1_2_0043404A
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage, 1_2_00438178
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 1_2_00440116
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 1_2_004382A2
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: GetLocaleInfoW,_GetPrimaryLen, 1_2_0043834F
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s, 1_2_00438423
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: EnumSystemLocalesW, 1_2_004387C8
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: GetLocaleInfoW, 1_2_0043884E
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free, 1_2_00432B6D
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free, 1_2_00432FAD
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 1_2_004335E7
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,_LcidFromHexString,GetLocaleInfoW, 1_2_00437BB3
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: EnumSystemLocalesW, 1_2_00437E27
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 1_2_00437E83
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 1_2_00437F00
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free, 1_2_0042BF17
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage, 1_2_00437F83
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 4_2_05E13F87
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_free,_free,_free,_free,_free,_free,_free,_free,_free, 4_2_05E149EA
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free, 4_2_05E1394D
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson, 4_2_05E0C8B7
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 4_2_05E20AB6
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_free,_free,_free,_free,_free,_free,_free,_free,_free, 5_2_0043404A
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage, 5_2_00438178
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 5_2_00440116
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 5_2_004382A2
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: GetLocaleInfoW,_GetPrimaryLen, 5_2_0043834F
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s, 5_2_00438423
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: EnumSystemLocalesW, 5_2_004387C8
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: GetLocaleInfoW, 5_2_0043884E
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free, 5_2_00432B6D
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free, 5_2_00432FAD
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 5_2_004335E7
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,_LcidFromHexString,GetLocaleInfoW, 5_2_00437BB3
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: EnumSystemLocalesW, 5_2_00437E27
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 5_2_00437E83
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 5_2_00437F00
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free, 5_2_0042BF17
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage, 5_2_00437F83
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 0_2_00409DFB GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00409DFB
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_00419F90 GetCurrentProcess,GetLastError,GetLastError,SetPriorityClass,GetLastError,GetModuleFileNameW,PathRemoveFileSpecW,GetCommandLineW,CommandLineToArgvW,lstrcpyW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcpyW,lstrcmpW,lstrcmpW,GlobalFree,lstrcpyW,lstrcpyW,OpenProcess,WaitForSingleObject,CloseHandle,Sleep,GlobalFree,GetCurrentProcess,GetExitCodeProcess,TerminateProcess,CloseHandle,lstrcatW,GetVersion,lstrcpyW,lstrcatW,lstrcatW,_memset,ShellExecuteExW,CreateThread,lstrlenA,lstrcatW,_malloc,lstrcatW,_memset,lstrcatW,MultiByteToWideChar,lstrcatW,lstrlenW,CreateThread,WaitForSingleObject,CreateMutexA,CreateMutexA,lstrlenA,lstrcpyA,_memmove,_memmove,_memmove,GetUserNameW,GetMessageW,GetMessageW,DispatchMessageW,TranslateMessage,TranslateMessage,DispatchMessageW,GetMessageW,PostThreadMessageW,PeekMessageW,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,CloseHandle, 1_2_00419F90
Source: C:\Users\user\Desktop\mU2p71KMss.exe Code function: 1_2_0042FE47 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 1_2_0042FE47
Source: C:\Users\user\Desktop\mU2p71KMss.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid