Analysis Report P3FwQWmwUM.exe

Overview

General Information

Sample Name: P3FwQWmwUM.exe
Analysis ID: 411752
MD5: c4da0137cbb99626fd44da707ae1bca8
SHA1: a38e9891152755d9e7fff7386bb5a1bca375bd91
SHA256: 1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a
Tags: darkside, OASISCOURTLIMITED, ransomware, signed

Detection

DarkSide
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found ransom note / readme
Multi AV Scanner detection for submitted file
Yara detected DarkSide Ransomware
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to change the wallpaper
Found Tor onion address
Machine Learning detection for sample
PE file has a writeable .text section
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Entry point lies outside standard sections
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses 32bit PE files

Startup

  • System is w10x64
  • P3FwQWmwUM.exe (PID: 5976 cmdline: 'C:\Users\user\Desktop\P3FwQWmwUM.exe' MD5: C4DA0137CBB99626FD44DA707AE1BCA8)
  • P3FwQWmwUM.exe (PID: 6020 cmdline: 'C:\Users\user\Desktop\P3FwQWmwUM.exe' MD5: C4DA0137CBB99626FD44DA707AE1BCA8)
    • P3FwQWmwUM.exe (PID: 1600 cmdline: 'C:\Users\user\Desktop\P3FwQWmwUM.exe' MD5: C4DA0137CBB99626FD44DA707AE1BCA8)
      • P3FwQWmwUM.exe (PID: 2900 cmdline: C:\Users\user\Desktop\p3fwqwmwum.exe -work worker0 -path \\?\C:\ MD5: C4DA0137CBB99626FD44DA707AE1BCA8)
  • svchost.exe (PID: 5964 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5892 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5408 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 3996 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5968 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6248 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 6356 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 6388 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 6076 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 5448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 6664 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • notepad.exe (PID: 7048 cmdline: 'C:\Windows\system32\NOTEPAD.EXE' C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README.2c9ccbf3.TXT MD5: BB9A06B8F2DD9D24C77F389D7B2B58D2)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\README.2c9ccbf3.TXT | JoeSecurity_DarkSide | Yara detected DarkSide Ransomware | Joe Security |
(30 entries in total; only the first is shown)

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000003.432905231.0000000002DB4000.00000004.00000001.sdmp | JoeSecurity_DarkSide | Yara detected DarkSide Ransomware | Joe Security |
00000004.00000003.362840336.0000000002B69000.00000004.00000001.sdmp | JoeSecurity_DarkSide | Yara detected DarkSide Ransomware | Joe Security |
00000004.00000003.327849253.0000000000849000.00000004.00000001.sdmp | JoeSecurity_DarkSide | Yara detected DarkSide Ransomware | Joe Security |
00000004.00000003.411060522.0000000002D70000.00000004.00000001.sdmp | JoeSecurity_DarkSide | Yara detected DarkSide Ransomware | Joe Security |
00000004.00000003.408654426.0000000002B6A000.00000004.00000001.sdmp | JoeSecurity_DarkSide | Yara detected DarkSide Ransomware | Joe Security |
(129 entries in total; only the first five are shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: P3FwQWmwUM.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: P3FwQWmwUM.exe | Virustotal: Detection: 45%
Source: P3FwQWmwUM.exe | ReversingLabs: Detection: 62%
Machine Learning detection for sample
Source: P3FwQWmwUM.exe | Joe Sandbox ML: detected
Source: P3FwQWmwUM.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\Desktop\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\Documents\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\Music\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\Pictures\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\Videos\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\Downloads\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\Favorites\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\Links\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Local\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Local\Microsoft\Windows\History\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Local\Microsoft\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Local\Microsoft\InputPersonalization\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Local\Microsoft\InputPersonalization\TrainedDataStore\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Local\Microsoft\Windows Sidebar\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Local\Microsoft\Windows Sidebar\Gadgets\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Local\Microsoft\WindowsApps\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Local\Temp\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCache\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\Saved Games\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\README.2c9ccbf3.TXT
Source: P3FwQWmwUM.exe | Static PE information: certificate valid
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00403EDD wcscat,FindFirstFileExW,wcsrchr,wcscpy,FindNextFileW,FindClose,1_2_00403EDD
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00401B91 wcslen,RtlAllocateHeap,wcscpy,wcscat,FindFirstFileExW,FindNextFileW,FindClose,RtlFreeHeap,1_2_00401B91
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_0040409F wcslen,RtlAllocateHeap,wcscpy,wcscat,FindFirstFileExW,wcslen,wcslen,RtlAllocateHeap,wcscpy,wcsrchr,wcscpy,GetFileAttributesW,RemoveDirectoryW,RtlFreeHeap,DeleteFileW,RtlFreeHeap,FindNextFileW,FindClose,RtlFreeHeap,RtlFreeHeap,1_2_0040409F
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_004066AC wcslen,RtlAllocateHeap,wcscpy,GetFileAttributesW,wcscat,FindFirstFileExW,wcslen,wcslen,RtlAllocateHeap,wcscpy,wcsrchr,wcscat,GetFileAttributesW,wcsstr,FindNextFileW,FindClose,RtlFreeHeap,RtlFreeHeap,1_2_004066AC
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00403FBA wcscpy,wcscat,FindFirstFileExW,wcscpy,wcscat,FindNextFileW,FindClose,1_2_00403FBA
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00403E86 GetLogicalDriveStringsW,GetDriveTypeW,1_2_00403E86

Networking:

Found Tor onion address
Source: P3FwQWmwUM.exe, 00000001.00000002.232594392.00000000007AA000.00000004.00000020.sdmp | String found in binary or memory: Your personal leak page: http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC
Source: P3FwQWmwUM.exe, 00000001.00000002.232594392.00000000007AA000.00000004.00000020.sdmp | String found in binary or memory: 2) Open our website: http://darksidfqzcuhtk2.onion/K71D6P88YTX04R3ISCJZHMD5IYV55V9247QHJY0HJYUXX68H2P05XPRIR5SP2U68
Source: P3FwQWmwUM.exe, 00000004.00000003.474064504.0000000002B42000.00000004.00000001.sdmp | String found in binary or memory: 2) Open our website: http://darksidfqzcuhtk2.onion/K71D6P88YTX04R3ISCJZHMD5IYV55V9247QHJY0HJYUXX68H2P05XPRIR5SP2U68
Source: P3FwQWmwUM.exe, 00000004.00000003.317859109.00000000007F2000.00000004.00000001.sdmp | String found in binary or memory: Your personal leak page: http://darksidedxcftmqa.onion/blog/
Source: P3FwQWmwUM.exe, 00000004.00000003.317859109.00000000007F2000.00000004.00000001.sdmp | String found in binary or memory: 2) Open our website: http://darksidfqzcuhtk2.onion/K71D6P88YTX04R3ISCJZHMD5IYV55V9D
Source: P3FwQWmwUM.exe, 00000004.00000003.460157247.0000000002DB3000.00000004.00000001.sdmp | String found in binary or memory: Your personal leak page: http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC
Source: P3FwQWmwUM.exe, 00000004.00000003.321471581.00000000007F2000.00000004.00000001.sdmp | String found in binary or memory: 2) Open our website: http://darksidfqzcuhtk2.onion/K71D6P88YTX04R3ISCJZHMD5IYV55V9247QHJY0HJYUXX68H2P05XPR
Source: P3FwQWmwUM.exe, 00000004.00000003.411544467.0000000002B47000.00000004.00000001.sdmp | String found in binary or memory: Open our website: http://darksidfqzcuhtk2.onion/K71D6P88YTX04R3ISCJZHMD5IYV55V9247QHJY0HJYUXX68H2P05XPRIR5SP2U68
Source: P3FwQWmwUM.exe, 00000004.00000002.516426859.0000000002D40000.00000004.00000001.sdmp | String found in binary or memory: Your personal leak page: http://darksidedxcftmqa.onion/blog/article/
Source: P3FwQWmwUM.exe, 00000004.00000002.516426859.0000000002D40000.00000004.00000001.sdmp | String found in binary or memory: 2) Open our website: http://darksidfqzcuhtk2.onion/K71D6P8
Source: P3FwQWmwUM.exe, 00000004.00000002.510936905.0000000000768000.00000004.00000020.sdmp | String found in binary or memory: Your personal leak page: http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wk
Source: P3FwQWmwUM.exe, 00000004.00000003.296079532.0000000002AB0000.00000004.00000001.sdmp | String found in binary or memory: l leak page: http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC
Source: P3FwQWmwUM.exe, 00000004.00000003.296079532.0000000002AB0000.00000004.00000001.sdmp | String found in binary or memory: |l leak page: http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC
Source: P3FwQWmwUM.exe, 00000004.00000003.415423650.0000000002B47000.00000004.00000001.sdmp | String found in binary or memory: Your personal leak page: http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O7h
Source: notepad.exe, 00000016.00000002.501980566.0000019FB6AD4000.00000004.00000020.sdmp | String found in binary or memory: r website: http://darksidfqzcuhtk2.onion/K71D6P88YTX04R3ISCJZHMD5IYV55V9247QHJY0HJYUXX68H2P05XPRIR5SP2U68
Source: notepad.exe, 00000016.00000002.505242943.0000019FB6B02000.00000004.00000020.sdmp | String found in binary or memory: Your personal leak page: http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC
Source: notepad.exe, 00000016.00000002.505242943.0000019FB6B02000.00000004.00000020.sdmp | String found in binary or memory: 2) Open our website: http://darksidfqzcuhtk2.onion/K71D6P88YTX04R3ISCJZHMD5IYV55V9247QHJY0HJYUXX68H2P05XPRIR5SP2U68
Source: README.2c9ccbf3.TXT22.4.dr | String found in binary or memory: Your personal leak page: http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC
Source: README.2c9ccbf3.TXT22.4.dr | String found in binary or memory: 2) Open our website: http://darksidfqzcuhtk2.onion/K71D6P88YTX04R3ISCJZHMD5IYV55V9247QHJY0HJYUXX68H2P05XPRIR5SP2U68
Source: P3FwQWmwUM.exe, 00000001.00000002.232594392.00000000007AA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                      Spam, unwanted Advertisements and Ransom Demands:

                      barindex
                      Found ransom note / readmeShow sources
                      Source: C:\README.2c9ccbf3.TXTDropped file: ----------- [ Welcome to Dark Side] ------------->What happend?----------------------------------------------Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data.But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network.Follow our instructions below and you will recover all your data.Data leak----------------------------------------------First of all we have uploaded more then 100 GB data.Example of data: - Accounting data - Executive data - Sales data - Customer Support data - Marketing data - Quality data - And more other...Your personal leak page: http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHCThe data is preloaded and will be automatically published if you do not pay.After publication, your data will be available for at least 6 months on our tor cdn servers.We are ready:- To provide you the evidence of stolen data- To give you universal decrypting tool for all encrypted files.- To delete all the stolen data.What guarantees?----------------------------------------------We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests.All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems.We guarantee to decrypt one file for free. 
Go to the site and contact us.How to get access on website?----------------------------------------------Using a TOR browser:1) Download and install TOR browser from this site: https://torproject.org/2) Open our website: http://darksidfqzcuhtk2.onion/K71D6P88YTX04R3ISCJZHMD5IYV55V9247QHJY0HJYUXX68H2P05XPRIR5SP2U68When you open our website, put the following data in the input form:Key: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!!! DANGER !!!DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them.!!! DANGER !!!
                      Yara detected DarkSide Ransomware
                      Source: Yara matchFile source: 00000004.00000003.432905231.0000000002DB4000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.362840336.0000000002B69000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.327849253.0000000000849000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.411060522.0000000002D70000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.408654426.0000000002B6A000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.236181936.00000000007C8000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.435986395.0000000002DB4000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.337715138.0000000002B07000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.299389052.00000000007F2000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.516574687.0000000002DA2000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.478288044.0000000002AB7000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.282398886.000000000084D000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.303767851.00000000007F2000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.439503040.0000000002AB7000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.298944879.00000000007F2000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.307244631.00000000007F2000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.442911884.0000000002E08000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.295652654.0000000002AA0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.428084952.0000000002B47000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.288394609.000000000084C000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.408145616.0000000002B69000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.330427301.0000000000849000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.306781726.00000000007F2000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.292805057.0000000002A90000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.281893608.000000000084D000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.483773853.0000000002E39000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.297343335.00000000007F2000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.282524954.000000000084D000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.433763245.0000000002D60000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.288157426.000000000084C000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.411401825.0000000002D70000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.321471581.00000000007F2000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.436219840.0000000002D60000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.282409788.000000000084D000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.430404279.0000000002DB4000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.411544467.0000000002B47000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.432232782.0000000002D60000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.474609577.0000000002D60000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.407959058.0000000002B69000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.429585276.0000000002B47000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.328363880.0000000000849000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.236245311.00000000007C8000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.411912846.0000000002B47000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.302439227.00000000007F2000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.290040157.000000000084C000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.307472011.00000000007F2000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.443960653.0000000002D60000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.353326118.0000000002B47000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.516426859.0000000002D40000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.362876492.0000000002D40000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.433058006.0000000002D60000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.288198091.000000000084C000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.434687514.0000000002DB4000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.328783962.0000000000849000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.279059079.000000000084D000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.411798869.0000000002D70000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.293724321.0000000002A90000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.510936905.0000000000768000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.408432832.0000000002D70000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.509189468.00000000004F8000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.456394908.0000000002AB7000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.347522767.0000000002AA7000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.409934886.0000000002B69000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.411159789.0000000002B47000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.410791890.0000000002B4D000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.447874704.0000000002AB7000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.337437975.0000000002B07000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.433675898.0000000002DB4000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.431227855.0000000002DB4000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.408616972.0000000002B69000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.428965052.0000000002B47000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.307770705.00000000007F2000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.288409928.000000000084C000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.348924422.0000000002AA7000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.280790972.000000000084D000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.280803963.000000000084D000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.492039293.0000000002D40000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.232594392.00000000007AA000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.440558230.0000000002D60000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.294802191.0000000002AA0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.440164319.0000000002AB7000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.353303558.0000000002B47000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.304436022.00000000007F2000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.428206439.0000000002D70000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.443023882.0000000002D60000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.293143940.0000000002A90000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.432131880.0000000002DB4000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.409798220.0000000002D70000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.428389024.0000000002B47000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.289927003.000000000084C000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.328127290.0000000000849000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.493025969.0000000002D40000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.368476921.0000000002D40000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.429695025.0000000002B47000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.448359001.0000000002D60000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.304226241.00000000007F2000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.483856895.0000000002D40000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.293461617.0000000002A90000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.410319943.0000000002B4D000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.410677619.0000000002D70000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.235019158.0000000000537000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.349425661.0000000002AA7000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.321323465.00000000007F2000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.311791138.00000000007F2000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.337762957.0000000002B07000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.409162945.0000000002B69000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.434752909.0000000002D60000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.302198707.00000000007F2000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.415423650.0000000002B47000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.410205898.0000000002D70000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.473912941.0000000002D60000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.479859917.0000000002E18000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.439469384.0000000002E08000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000016.00000002.505242943.0000019FB6B02000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.295417556.0000000002AA0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.456833891.0000000002D60000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.294724805.0000000002AA0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.480034130.0000000002D50000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.429089053.0000000002D70000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.298539675.00000000007F2000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.409597850.0000000002B69000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.431347630.0000000002D60000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.409312887.0000000002D70000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.441657546.0000000002D60000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.430481720.0000000002D60000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.415984076.0000000002B47000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.458381849.0000000002D60000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.415652999.0000000002D70000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.336753706.0000000002B07000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.408806702.0000000002D70000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.281911971.000000000084D000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: P3FwQWmwUM.exe PID: 5976, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: P3FwQWmwUM.exe PID: 2900, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: notepad.exe PID: 7048, type: MEMORY
                      Source: Yara matchFile source: C:\README.2c9ccbf3.TXT, type: DROPPED
                      Contains functionality to change the wallpaper
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exeCode function: 1_2_004033B9 CreateFontW,SelectObject,RtlAllocateHeap,_swprintf,GetTextExtentPoint32W,SelectObject,SetTextColor,SetBkMode,SetBkColor,DrawTextW,memset,SelectObject,SHGetSpecialFolderPathW,wcscat,wcslen,CreateFileW,WriteFile,WriteFile,WriteFile,NtClose,wcscat,RegCreateKeyExW,wcslen,RegSetValueExW,wcslen,RegSetValueExW,SystemParametersInfoW,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,NtClose,NtClose,DeleteObject,DeleteObject,RtlFreeHeap,DeleteObject,DeleteDC,DeleteDC,1_2_004033B9

                      System Summary:

                      PE file has a writeable .text section
                      Source: P3FwQWmwUM.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exeProcess Stats: CPU usage > 98%
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exeCode function: 1_2_00401D45 RegCreateKeyExW,RegQueryValueExW,memcpy,RtlFreeHeap,NtClose,RtlFreeHeap,1_2_00401D45
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exeCode function: 1_2_0040911D CommandLineToArgvW,NtClose,NtClose,RtlFreeHeap,OpenMutexW,NtClose,CreateMutexW,ReleaseMutex,NtClose,NtClose,NtClose,1_2_0040911D
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exeCode function: 1_2_00401EBC NtOpenProcessToken,NtQueryInformationToken,LookupAccountSidW,_wcsicmp,RtlFreeHeap,_wcsicmp,RtlFreeHeap,_wcsicmp,RtlFreeHeap,NtClose,1_2_00401EBC
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exeCode function: 1_2_00409042 NtSetThreadExecutionState,GetTickCount,GetTickCount,1_2_00409042
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exeCode function: 1_2_00402E44 NtQueryInstallUILanguage,NtQueryDefaultUILanguage,1_2_00402E44
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exeCode function: 1_2_00408249 memset,RegCreateKeyExW,RegQueryValueExW,RtlAllocateHeap,NtClose,RtlFreeHeap,RtlFreeHeap,1_2_00408249
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exeCode function: 1_2_00405756 NtQuerySystemInformation,RtlAllocateHeap,NtOpenProcess,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,1_2_00405756
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exeCode function: 1_2_00408F5B GetProcessId,_swprintf,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,NtClose,1_2_00408F5B
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exeCode function: 1_2_0040625C wcslen,wcslen,RtlAllocateHeap,wcscpy,wcscat,SetFileAttributesW,CreateFileW,RtlAllocateHeap,ReadFile,NtClose,RtlFreeHeap,RtlFreeHeap,1_2_0040625C
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exeCode function: 1_2_00402160 NtOpenProcessToken,NtQueryInformationToken,RtlAllocateHeap,NtQueryInformationToken,NtAdjustPrivilegesToken,RtlFreeHeap,NtClose,1_2_00402160
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exeCode function: 1_2_00401B60 NtSetInformationThread,1_2_00401B60
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exeCode function: 1_2_00408160 RegCreateKeyExW,RegQueryValueExW,RtlAllocateHeap,wcscpy,NtClose,RtlFreeHeap,RtlFreeHeap,1_2_00408160
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exeCode function: 1_2_00405564 RtlAllocateHeap,NtQueryObject,RtlReAllocateHeap,RtlFreeHeap,_wcsicmp,RtlFreeHeap,1_2_00405564
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exeCode function: 1_2_00402367 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtAllocateVirtualMemory,wcscpy,wcscat,wcslen,RtlFreeHeap,RtlEnterCriticalSection,RtlInitUnicodeString,RtlInitUnicodeString,RtlLeaveCriticalSection,LdrEnumerateLoadedModules,1_2_00402367
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exeCode function: 1_2_0040456A SHGetSpecialFolderPathW,GetTempFileNameW,RtlAllocateHeap,memset,memset,CreateProcessW,WaitForSingleObject,NtClose,NtClose,DeleteFileW,RtlFreeHeap,RtlFreeHeap,1_2_0040456A
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exeCode function: 1_2_00404878 RtlAllocateHeap,NtQuerySystemInformation,RtlReAllocateHeap,RtlFreeHeap,NtOpenProcess,NtTerminateProcess,NtClose,RtlFreeHeap,1_2_00404878
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exeCode function: 1_2_00405778 NtQuerySystemInformation,RtlAllocateHeap,NtOpenProcess,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,1_2_00405778
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exeCode function: 1_2_00403303 NtOpenProcessToken,NtQueryInformationToken,ConvertSidToStringSidW,wcscpy,RtlFreeHeap,NtClose,1_2_00403303
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exeCode function: 1_2_00402003 NtQueryInformationToken,RtlAllocateHeap,NtQueryInformationToken,RtlFreeHeap,1_2_00402003
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exeCode function: 1_2_00406C06 wcslen,wcslen,RtlAllocateHeap,wcschr,_swprintf,memset,memset,CreateProcessAsUserW,CreateProcessWithTokenW,CreateProcessW,_swprintf,CreateFileMappingW,ResumeThread,NtClose,RtlFreeHeap,1_2_00406C06
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exeCode function: 1_2_00408016 RegCreateKeyExW,RegQueryValueExW,RegQueryValueExW,RtlAllocateHeap,wcscpy,NtClose,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,1_2_00408016
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exeCode function: 1_2_00405C1C SetFileAttributesW,CreateFileW,PathIsNetworkPathW,SetFilePointerEx,ReadFile,memcmp,NtClose,1_2_00405C1C
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exeCode function: 1_2_00407B27 GetModuleFileNameW,RtlAllocateHeap,wcslen,wcslen,RtlAllocateHeap,wcscat,wcscat,WaitForMultipleObjects,NtClose,RtlFreeHeap,WaitForMultipleObjects,NtClose,RtlFreeHeap,1_2_00407B27
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exeCode function: 1_2_00407D2C GetModuleFileNameW,WaitForSingleObject,NtClose,1_2_00407D2C
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exeCode function: 1_2_00405E35 wcslen,wcslen,RtlAllocateHeap,wcscpy,wcscat,RtlAllocateHeap,wcscpy,wcscat,MoveFileExW,CreateFileW,CreateIoCompletionPort,NtClose,RtlAllocateHeap,NtClose,memcpy,memcpy,PostQueuedCompletionStatus,RtlFreeHeap,NtClose,InterlockedIncrement,RtlFreeHeap,RtlFreeHeap,1_2_00405E35
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exeCode function: 1_2_00405CC1 SetFilePointerEx,NtClose,1_2_00405CC1
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exeCode function: 1_2_004055D1 NtQueryObject,_wcsicmp,RtlFreeHeap,1_2_004055D1
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exeCode function: 1_2_004056D4 PathFindFileNameW,RtlAllocateHeap,NtQuerySystemInformation,RtlReAllocateHeap,RtlFreeHeap,RtlAllocateHeap,NtOpenProcess,NtDuplicateObject,PathFindFileNameW,_wcsicmp,RtlAllocateHeap,NtQueryInformationProcess,PathFindFileNameW,NtTerminateProcess,WaitForSingleObject,NtClose,NtClose,memset,memset,NtClose,NtClose,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,1_2_004056D4
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exeCode function: 1_2_00408BD6 NtSetThreadExecutionState,wcslen,RtlAllocateHeap,wcsstr,wcscat,RtlFreeHeap,wcscpy,GetFileAttributesW,PathIsUNCServerW,PathFindExtensionW,_wcsicmp,RtlFreeHeap,PathIsNetworkPathW,wcslen,RtlAllocateHeap,wcscat,RtlFreeHeap,PathIsNetworkPathW,wcslen,RtlAllocateHeap,wcscat,RtlFreeHeap,1_2_00408BD6
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exeCode function: 1_2_004048D8 NtQuerySystemInformation,NtOpenProcess,NtTerminateProcess,NtClose,RtlFreeHeap,1_2_004048D8
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exeCode function: 1_2_004022D9 NtSetInformationProcess,NtSetInformationProcess,1_2_004022D9
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exeCode function: 1_2_004072E0 CreateThread,WaitForSingleObject,NtTerminateThread,GetExitCodeThread,NtClose,1_2_004072E0
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_004054E0 CreateThread,WaitForSingleObject,NtTerminateThread,GetExitCodeThread,NtClose
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00401AE1 NtDuplicateToken,NtSetInformationThread,NtClose
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_004069E1 CreateIoCompletionPort,CreateThread,CreateThread,Sleep,PostQueuedCompletionStatus,PostQueuedCompletionStatus,WaitForMultipleObjects,NtClose,NtClose
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_004039E3 SHGetSpecialFolderPathW,wcscat,wcslen,RtlAllocateHeap,RtlFreeHeap,RtlFreeHeap,RegCreateKeyExW,wcslen,RegSetValueExW,NtClose,wcscpy,wcscat,RtlFreeHeap,RegCreateKeyExW,wcslen,RegSetValueExW,NtClose,SHChangeNotify
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00407784 RtlAllocateHeap,GetModuleFileNameW,RtlAllocateHeap,RtlAllocateHeap,wcslen,wcslen,RtlAllocateHeap,wcscat,wcscat,RtlFreeHeap,WaitForMultipleObjects,MapViewOfFile,UnmapViewOfFile,NtClose,NtClose,WaitForMultipleObjects,MapViewOfFile,UnmapViewOfFile,NtClose,NtClose,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_0040318A memset,OpenWindowStationW,NtSetSecurityObject,OpenDesktopW,NtSetSecurityObject,CloseDesktop,CloseWindowStation
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00401C9B CreateFileW,WriteFile,NtClose
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_004020A3 NtOpenProcessToken,NtQueryInformationToken,RtlAllocateHeap,NtQueryInformationToken,RtlFreeHeap,NtClose
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_004055AB NtQueryObject,_wcsicmp,RtlFreeHeap
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00402FB6 NtQueryInformationProcess
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_004048B6 NtQuerySystemInformation,NtOpenProcess,NtTerminateProcess,NtClose,RtlFreeHeap
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00406EB7 GetModuleFileNameW,GetLogicalDriveStringsW,RtlAllocateHeap,GetLogicalDriveStringsW,RtlAllocateHeap,RtlAllocateHeap,GetDriveTypeW,WaitForMultipleObjects,MapViewOfFile,UnmapViewOfFile,NtClose,NtClose,WaitForMultipleObjects,MapViewOfFile,UnmapViewOfFile,NtClose,NtClose,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_004033B9 CreateFontW,SelectObject,RtlAllocateHeap,_swprintf,GetTextExtentPoint32W,SelectObject,SetTextColor,SetBkMode,SetBkColor,DrawTextW,memset,SelectObject,SHGetSpecialFolderPathW,wcscat,wcslen,CreateFileW,WriteFile,WriteFile,WriteFile,NtClose,wcscat,RegCreateKeyExW,wcslen,RegSetValueExW,wcslen,RegSetValueExW,SystemParametersInfoW,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,NtClose,NtClose,DeleteObject,DeleteObject,RtlFreeHeap,DeleteObject,DeleteDC,DeleteDC
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_004054BB NtQueryInformationFile
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_004027BC RegisterServiceCtrlHandlerW,SetServiceStatus,NtOpenProcessToken,NtDuplicateToken,NtSetInformationToken,memset,memset,CreateProcessAsUserW,NtClose,NtClose,NtClose,NtClose,SetServiceStatus
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00402742 OpenSCManagerW,OpenServiceW,DeleteService,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00406C06 wcslen,wcslen,RtlAllocateHeap,wcschr,_swprintf,memset,memset,CreateProcessAsUserW,CreateProcessWithTokenW,CreateProcessW,_swprintf,CreateFileMappingW,ResumeThread,NtClose,RtlFreeHeap
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00402E44
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00404A88
Source: C:\Windows\System32\svchost.exe | Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cdpsgshims.dll
Source: P3FwQWmwUM.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: P3FwQWmwUM.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal92.rans.evad.winEXE@19/47@0/1
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00407D8B GetLogicalDriveStringsW,RtlAllocateHeap,GetLogicalDriveStringsW,RtlAllocateHeap,GetDriveTypeW,GetDiskFreeSpaceExW,_alldiv,_alldiv,_swprintf,wcslen,RtlReAllocateHeap
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_004026A6 OpenSCManagerW,CreateServiceW,StartServiceW,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00402A1F StartServiceCtrlDispatcherW
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\89f3671df4dda4177e202fbdb1910c9c
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5448:120:WilError_01
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Local\Temp\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: P3FwQWmwUM.exe | Virustotal: Detection: 45%
Source: P3FwQWmwUM.exe | ReversingLabs: Detection: 62%
Source: unknown | Process created: C:\Users\user\Desktop\P3FwQWmwUM.exe 'C:\Users\user\Desktop\P3FwQWmwUM.exe'
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Process created: C:\Users\user\Desktop\P3FwQWmwUM.exe 'C:\Users\user\Desktop\P3FwQWmwUM.exe'
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Process created: C:\Users\user\Desktop\P3FwQWmwUM.exe C:\Users\user\Desktop\p3fwqwmwum.exe -work worker0 -path \\?\C:\
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\notepad.exe 'C:\Windows\system32\NOTEPAD.EXE' C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README.2c9ccbf3.TXT
Source: C:\Windows\System32\notepad.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32
Source: P3FwQWmwUM.exe | Static PE information: certificate valid
Source: P3FwQWmwUM.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00401867 LoadLibraryA,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .text1
Source: P3FwQWmwUM.exe | Static PE information: real checksum: 0x1b03e should be: 0x1e38a
Source: P3FwQWmwUM.exe | Static PE information: section name: .text1
Source: initial sample | Static PE information: section name: .text entropy: 7.95739719557
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\Desktop\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\Documents\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\Music\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\Pictures\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\Videos\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\Downloads\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\Favorites\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\Links\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Local\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Local\Microsoft\Windows\History\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Local\Microsoft\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Local\Microsoft\InputPersonalization\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Local\Microsoft\InputPersonalization\TrainedDataStore\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Local\Microsoft\Windows Sidebar\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Local\Microsoft\Windows Sidebar\Gadgets\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Local\Microsoft\WindowsApps\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Local\Temp\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCache\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\Saved Games\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\README.2c9ccbf3.TXT
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_004026A6 OpenSCManagerW,CreateServiceW,StartServiceW,CloseServiceHandle,CloseServiceHandle
Source: C:\Windows\System32\svchost.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_004046E2 OpenSCManagerW,EnumServicesStatusExW,RtlAllocateHeap,EnumServicesStatusExW,OpenServiceW,memset,ControlService,DeleteService,CloseServiceHandle,CloseServiceHandle,RtlFreeHeap
Source: C:\Windows\System32\svchost.exe TID: 4048 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00403EDD wcscat,FindFirstFileExW,wcsrchr,wcscpy,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00401B91 wcslen,RtlAllocateHeap,wcscpy,wcscat,FindFirstFileExW,FindNextFileW,FindClose,RtlFreeHeap
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_0040409F wcslen,RtlAllocateHeap,wcscpy,wcscat,FindFirstFileExW,wcslen,wcslen,RtlAllocateHeap,wcscpy,wcsrchr,wcscpy,GetFileAttributesW,RemoveDirectoryW,RtlFreeHeap,DeleteFileW,RtlFreeHeap,FindNextFileW,FindClose,RtlFreeHeap,RtlFreeHeap
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_004066AC wcslen,RtlAllocateHeap,wcscpy,GetFileAttributesW,wcscat,FindFirstFileExW,wcslen,wcslen,RtlAllocateHeap,wcscpy,wcsrchr,wcscat,GetFileAttributesW,wcsstr,FindNextFileW,FindClose,RtlFreeHeap,RtlFreeHeap
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00403FBA wcscpy,wcscat,FindFirstFileExW,wcscpy,wcscat,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00403E86 GetLogicalDriveStringsW,GetDriveTypeW
Source: svchost.exe, 0000000A.00000002.518469990.000002AA91D40000.00000002.00000001.sdmp, svchost.exe, 00000010.00000002.325436632.000002E872540000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000006.00000002.511001882.0000020C762EF000.00000004.00000001.sdmp | Binary or memory string: @Hyper-V RAW
Source: svchost.exe, 00000006.00000002.520513505.0000020C77654000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000008.00000002.509479778.0000016781202000.00000004.00000001.sdmp | Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 0000000A.00000002.518469990.000002AA91D40000.00000002.00000001.sdmp, svchost.exe, 00000010.00000002.325436632.000002E872540000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 0000000A.00000002.518469990.000002AA91D40000.00000002.00000001.sdmp, svchost.exe, 00000010.00000002.325436632.000002E872540000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 00000008.00000002.510850863.0000016781240000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.511888178.000002AA91067000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.508453273.0000023E35A2A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 0000000A.00000002.518469990.000002AA91D40000.00000002.00000001.sdmp, svchost.exe, 00000010.00000002.325436632.000002E872540000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Note that every one of these Hyper-V strings was read from svchost.exe memory dumps, i.e. from Windows' own Hyper-V / Host Compute Service resources and service-name tables, not from the sample; on their own they are not evidence that the sample probes for virtualization.
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00402367 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtAllocateVirtualMemory,wcscpy,wcscat,wcslen,RtlFreeHeap,RtlEnterCriticalSection,RtlInitUnicodeString,RtlInitUnicodeString,RtlLeaveCriticalSection,LdrEnumerateLoadedModules
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00401867 LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00402367 mov ebx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_004016D2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_0040A288 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_004017AE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_0040221B wcscpy,wcschr,LogonUserW,wcslen
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Process created: C:\Users\user\Desktop\P3FwQWmwUM.exe C:\Users\user\Desktop\p3fwqwmwum.exe -work worker0 -path \\?\C:\
Source: P3FwQWmwUM.exe, 00000003.00000002.510938998.0000000000D80000.00000002.00000001.sdmp, P3FwQWmwUM.exe, 00000004.00000002.513037161.0000000000CF0000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.512991576.0000020B74790000.00000002.00000001.sdmp, notepad.exe, 00000016.00000002.513746818.0000019FB7120000.00000002.00000001.sdmp | Binary or memory string: uProgram Manager
Source: P3FwQWmwUM.exe, 00000003.00000002.510938998.0000000000D80000.00000002.00000001.sdmp, P3FwQWmwUM.exe, 00000004.00000002.513037161.0000000000CF0000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.512991576.0000020B74790000.00000002.00000001.sdmp, notepad.exe, 00000016.00000002.513746818.0000019FB7120000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: P3FwQWmwUM.exe, 00000003.00000002.510938998.0000000000D80000.00000002.00000001.sdmp, P3FwQWmwUM.exe, 00000004.00000002.513037161.0000000000CF0000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.512991576.0000020B74790000.00000002.00000001.sdmp, notepad.exe, 00000016.00000002.513746818.0000019FB7120000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: P3FwQWmwUM.exe, 00000003.00000002.510938998.0000000000D80000.00000002.00000001.sdmp, P3FwQWmwUM.exe, 00000004.00000002.513037161.0000000000CF0000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.512991576.0000020B74790000.00000002.00000001.sdmp, notepad.exe, 00000016.00000002.513746818.0000019FB7120000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\notepad.exe | Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README.2c9ccbf3.TXT VolumeInformation
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00407EFB GetUserNameW,RtlAllocateHeap,GetUserNameW,RtlFreeHeap
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
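The static PE findings in the list above (a .text section that is both executable and writable, an entry point inside the non-standard section .text1, and a stored checksum of 0x1b03e that does not match the image) are cheap to verify without a sandbox. The script below is an added example written for this page, not Joe Sandbox code, and it parses the PE32 headers with the standard library only. The image it checks is constructed in memory to mirror the reported layout (section names, flags and the reported stored checksum value); it is not the analysed binary, so the computed checksum is that of the constructed image.

```python
"""Static PE triage for what the report flags on this sample: a writable .text
section, an entry point inside the non-standard section .text1, and a stored
PE checksum that differs from the computed one. Pure stdlib, PE32 (32-bit) only."""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Section names an ordinary MSVC/MinGW build produces; anything else deserves a look.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".edata", ".pdata", ".bss", ".tls", ".CRT"}


def parse_headers(data):
    """Return (entry_rva, checksum_offset, stored_checksum, sections) for a PE32 image;
    each section is (name, rva, size, characteristics)."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                 # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                                # optional header start
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    checksum_offset = opt + 64
    stored = struct.unpack_from("<I", data, checksum_offset)[0]
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name, vsize, rva, raw_size = struct.unpack_from("<8sIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), rva, max(vsize, raw_size), chars))
    return entry_rva, checksum_offset, stored, sections


def pe_checksum(data, checksum_offset):
    """The imagehlp CheckSumMappedFile algorithm: sum the file as 32-bit words with
    end-around carry (the CheckSum field itself counted as zero), fold to 16 bits,
    add the file length. checksum_offset is assumed 4-byte aligned."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def assess(data):
    """The three static checks from the report, as a dict a triage script can act on."""
    entry_rva, cs_off, stored, sections = parse_headers(data)
    text = next((s for s in sections if s[0] == ".text"), None)
    entry = next((s[0] for s in sections if s[1] <= entry_rva < s[1] + s[2]), None)
    computed = pe_checksum(data, cs_off)
    return {
        "writable_text": bool(text and text[3] & IMAGE_SCN_MEM_WRITE and text[3] & IMAGE_SCN_MEM_EXECUTE),
        "entry_section": entry,
        "entry_outside_standard": entry not in STANDARD_SECTIONS,
        "nonstandard_sections": [s[0] for s in sections if s[0] not in STANDARD_SECTIONS],
        "checksum_set": stored != 0,            # a zero CheckSum only means "not set"
        "checksum_matches": stored == computed,
        "checksum_computed": computed,
    }


def fix_checksum(data):
    """Return a copy of the image with the computed checksum written into the header."""
    _, cs_off, _, _ = parse_headers(data)
    out = bytearray(data)
    struct.pack_into("<I", out, cs_off, pe_checksum(data, cs_off))
    return bytes(out)


def build_sample_pe(entry_rva, stored_checksum, sections):
    """Constructed minimal PE32 image (headers plus zero-filled section bodies) so the
    checks can run offline; it is not the analysed binary. sections: (name, rva, size, chars)."""
    nsec = len(sections)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, 0xE0, 0x0103)
    opt = bytearray(0xE0)                                             # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<I", opt, 28, 0x400000)                         # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                   # Section/FileAlignment
    struct.pack_into("<I", opt, 64, stored_checksum)
    struct.pack_into("<I", opt, 92, 16)                               # NumberOfRvaAndSizes
    hdr_end = (len(dos) + len(coff) + len(opt) + 40 * nsec + 0x1FF) & ~0x1FF
    raw_ptr, table, bodies = hdr_end, b"", b""
    for name, rva, size, chars in sections:
        raw_size = (size + 0x1FF) & ~0x1FF
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             size, rva, raw_size, raw_ptr, 0, 0, 0, 0, chars)
        bodies += b"\0" * raw_size
        raw_ptr += raw_size
    image = dos + coff + bytes(opt) + table
    return image + b"\0" * (hdr_end - len(image)) + bodies


# Layout mirroring the report: .text is RWX, .text1 holds the entry point, and the stored
# checksum is the value the report prints (0x1b03e), which cannot match this constructed image.
RWX = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
RX = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
SAMPLE_IMAGE = build_sample_pe(entry_rva=0x2010, stored_checksum=0x1B03E,
                               sections=[(".text", 0x1000, 0x800, RWX), (".text1", 0x2000, 0x400, RX)])

if __name__ == "__main__":
    for key, value in assess(SAMPLE_IMAGE).items():
        print(key, value)
```

Point it at a real file by replacing SAMPLE_IMAGE with open(path, "rb").read(); a mismatching non-zero checksum is a mild packer/tampering signal, while a writable, high-entropy .text with the entry point in a second code section is the self-modifying-unpacker shape this sample shows.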

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Source: svchost.exe, 0000000E.00000002.511831387.00000229BCF02000.00000004.00000001.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
Every source in this block is svchost.exe rather than the sample. The process list above includes an svchost.exe started with "-k localservicenetworkrestricted -p -s wscsvc", i.e. the Windows Security Center service, and the cval value write, the __InstanceOperationEvent subscription on ROOT\SecurityCenter and the product enumeration on ROOT\SecurityCenter2 are consistent with that service's normal start-up. Treat this signature as sandbox background activity unless the sample itself is seen touching Security Center.
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Directory queried: C:\Documents and Settings
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Directory queried: C:\Users\Default\Documents
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Directory queried: C:\Users\Default\Documents\My Music
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Directory queried: C:\Users\Default\Documents\My Pictures
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Directory queried: C:\Users\Default\Documents\My Videos
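The dynamic evidence in this report reduces to two detections worth running on endpoint telemetry: the sample re-launching itself as an encryption worker with "-work worker0 -path \\?\C:\", and the ransom note README.2c9ccbf3.TXT being dropped into dozens of directories by one process. The code below is an added example written for this page, not Joe Sandbox code. It consumes Sysmon-style records (EventID 1 process create, EventID 11 file create) represented as dicts; the records are constructed here from the report's own paths and command lines, with made-up process IDs and one made-up benign git.exe event for contrast. The note is matched by shape rather than by the literal 2c9ccbf3, which this page gives no reason to assume is stable across infections.

```python
"""Detection logic for two dynamic indicators in this report: the sample re-launching
itself as an encryption worker ("-work worker0 -path \\?\C:\") and the ransom note
README.<8 hex>.TXT written into many directories. Input is a list of Sysmon-style
dicts (EventID 1 = process create, 11 = file create); the events below are constructed
from the report's paths with made-up process IDs."""
import re
from collections import defaultdict

WORKER_CMDLINE = re.compile(r"\s-work\s+worker\d+\s+-path\s+\\\\\?\\", re.IGNORECASE)
# Match the note by shape, not by the literal 2c9ccbf3 seen in this run.
RANSOM_NOTE = re.compile(r"[\\/]README\.[0-9a-f]{8}\.TXT$", re.IGNORECASE)
FANOUT_THRESHOLD = 5  # distinct directories receiving the same note name from one process


def detect_worker_spawn(events):
    """Flag any process started with the worker arguments; record whether the parent is
    the same image, which is what the report shows (P3FwQWmwUM.exe -> p3fwqwmwum.exe)."""
    hits = []
    for e in events:
        if e["EventID"] == 1 and WORKER_CMDLINE.search(e["CommandLine"]):
            hits.append({"rule": "darkside_worker_spawn", "pid": e["ProcessId"],
                         "self_spawn": e["Image"].lower() == e["ParentImage"].lower(),
                         "cmd": e["CommandLine"]})
    return hits


def detect_note_fanout(events, threshold=FANOUT_THRESHOLD):
    """Flag a process dropping the same README.<id>.TXT into at least `threshold` directories."""
    per_proc = defaultdict(lambda: defaultdict(set))  # (pid, image) -> note name -> directories
    for e in events:
        if e["EventID"] != 11:
            continue
        path = e["TargetFilename"].replace("/", "\\")
        if RANSOM_NOTE.search(path):
            directory, _, name = path.rpartition("\\")
            per_proc[(e["ProcessId"], e["Image"])][name.lower()].add(directory.lower())
    hits = []
    for (pid, image), notes in per_proc.items():
        for name, dirs in notes.items():
            if len(dirs) >= threshold:
                hits.append({"rule": "ransom_note_fanout", "pid": pid, "image": image,
                             "note": name, "dirs": len(dirs)})
    return hits


def run(events):
    return detect_worker_spawn(events) + detect_note_fanout(events)


SAMPLE = r"C:\Users\user\Desktop\P3FwQWmwUM.exe"
NOTE_DIRS = [r"C:", r"C:\Users", r"C:\Users\Default", r"C:\Users\Default\Desktop",
             r"C:\Users\Default\Documents", r"C:\Users\Default\Downloads"]
EVENTS = [
    # From the report: the sample spawning its worker (process IDs are constructed).
    {"EventID": 1, "ProcessId": 4120, "Image": SAMPLE, "ParentImage": SAMPLE,
     "CommandLine": "C:\\Users\\user\\Desktop\\p3fwqwmwum.exe -work worker0 -path \\\\?\\C:\\"},
    # From the report: notepad opening the note from the Startup folder (user-driven, not the dropper).
    {"EventID": 1, "ProcessId": 4408, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README.2c9ccbf3.TXT'},
] + [
    {"EventID": 11, "ProcessId": 4120, "Image": SAMPLE, "TargetFilename": d + r"\README.2c9ccbf3.TXT"}
    for d in NOTE_DIRS
] + [
    # Constructed benign contrast: a single README-like file from an unrelated process.
    {"EventID": 11, "ProcessId": 900, "Image": r"C:\Program Files\Git\git.exe",
     "TargetFilename": r"C:\src\proj\README.deadbeef.TXT"},
]

if __name__ == "__main__":
    for hit in run(EVENTS):
        print(hit)
```

The worker rule fires on the command line alone because an operator may launch the worker by hand; self_spawn is reported as a confidence field rather than required. The fan-out rule keys on (pid, image) so that a single legitimate README write never accumulates across processes, and the threshold is deliberately low: the report shows the note in more than thirty directories, and even the six used here clear it.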

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts2 | Windows Management Instrumentation1 | DLL Side-Loading1 | DLL Side-Loading1 | Disable or Modify Tools1 | Input Capture1 | Account Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Defacement1
Default Accounts | Native API1 | Valid Accounts2 | Valid Accounts2 | Obfuscated Files or Information1 | LSASS Memory | System Service Discovery1 | Remote Desktop Protocol | Data from Local System1 | Exfiltration Over Bluetooth | Proxy1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Service Execution12 | Windows Service14 | Access Token Manipulation2 | Software Packing2 | Security Account Manager | File and Directory Discovery12 | SMB/Windows Admin Shares | Input Capture1 | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Registry Run Keys / Startup Folder1 | Windows Service14 | DLL Side-Loading1 | NTDS | System Information Discovery23 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Process Injection12 | Masquerading11 | LSA Secrets | Query Registry1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Registry Run Keys / Startup Folder1 | Valid Accounts2 | Cached Domain Credentials | Security Software Discovery31 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion2 | DCSync | Virtualization/Sandbox Evasion2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Access Token Manipulation2 | Proc Filesystem | Process Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection12 | /etc/passwd and /etc/shadow | System Owner/User Discovery1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | Remote System Discovery1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact

                      Behavior Graph

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
Behavior Graph ID: 411752   Sample: P3FwQWmwUM.exe   Start date: 12/05/2021   Architecture: WINDOWS   Score: 92

Signatures attached to the root node (the submitted sample):
  • Antivirus / Scanner detection for submitted sample
  • Multi AV Scanner detection for submitted file
  • Found ransom note / readme
  • 4 other signatures

Process tree (numbers in parentheses are the graph's node IDs; each edge in the original graph is a "started" relation):
  root
    svchost.exe (7)
      signature: Changes security center settings (notifications, updates, antivirus, firewall)
      MpCmdRun.exe (17) [graph counter: 1]
        conhost.exe (21)
    P3FwQWmwUM.exe (10)
      signature: Contains functionality to change the wallpaper
    P3FwQWmwUM.exe (12)
      P3FwQWmwUM.exe (19) [graph counters: 2, 1]
        P3FwQWmwUM.exe (23) [graph counter: 35]
          dropped file: C:\README.2c9ccbf3.TXT (ASCII)
    9 other processes (14)
      DNS/IP info: 127.0.0.1 (unknown, unknown)

The bracketed counters are the per-node "created Registry Values" / "created Files" badges from the legend, reproduced in the order the graph shows them.
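The only file artifact the behavior graph records is the ransom note dropped at the drive root, C:\README.2c9ccbf3.TXT, by the innermost P3FwQWmwUM.exe process. The following is an added example (not part of this report or of Joe Sandbox) showing how a defender might turn that artifact into detection logic over file-creation events: it matches root-level notes of the form README.<8 hex chars>.TXT, attributes them to the writing process, and correlates the note's hex id with files carrying the same id as an extension. The event format, the sample events, and the assumption that the hex suffix varies per sample and mirrors the extension appended to encrypted files are all constructed for this example.

```python
import re
from collections import defaultdict

# Ransom note path seen in this report: README.<8 hex chars>.TXT at a volume root.
# The hex id is matched as a variable (assumption: it differs between samples/victims).
RANSOM_NOTE_RE = re.compile(r"^(?P<drive>[A-Za-z]):\\README\.(?P<id>[0-9a-f]{8})\.TXT$")

# Constructed, simplified file-creation events (NOT taken from the report's raw data).
# One event per line: "<pid>|<image>|<parent_pid>|<target_path>"
SAMPLE_EVENTS = """\
23|C:\\Users\\user\\Desktop\\P3FwQWmwUM.exe|19|C:\\README.2c9ccbf3.TXT
23|C:\\Users\\user\\Desktop\\P3FwQWmwUM.exe|19|C:\\Users\\user\\Documents\\report.docx.2c9ccbf3
23|C:\\Users\\user\\Desktop\\P3FwQWmwUM.exe|19|D:\\README.2c9ccbf3.TXT
17|C:\\Program Files\\Windows Defender\\MpCmdRun.exe|7|C:\\Windows\\Temp\\MpCmdRun.log
900|C:\\Windows\\explorer.exe|1|C:\\Users\\user\\Desktop\\README.txt
"""


def parse_events(text):
    """Parse the constructed pipe-delimited event lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, image, ppid, path = line.split("|", 3)
        events.append({"pid": int(pid), "image": image, "ppid": int(ppid), "path": path})
    return events


def find_ransom_notes(events):
    """Group root-level README.<hex8>.TXT writes by writing process.

    Returns {pid: {"image": str, "ids": set_of_hex_ids, "drives": [drive letters]}}.
    A legitimate README.txt in a user folder (last sample line) does not match because
    the pattern requires the drive root, the 8-hex id and the upper-case .TXT suffix.
    """
    hits = defaultdict(lambda: {"image": None, "ids": set(), "drives": []})
    for ev in events:
        m = RANSOM_NOTE_RE.match(ev["path"])
        if not m:
            continue
        hit = hits[ev["pid"]]
        hit["image"] = ev["image"]
        hit["ids"].add(m.group("id"))
        hit["drives"].append(m.group("drive").upper())
    return dict(hits)


def files_with_id_extension(events, victim_id):
    """Files whose name ends with '.<victim_id>'.

    Assumption for this example: the note's hex id is also appended to encrypted
    files as an extension, so this correlates note and encrypted-file activity.
    """
    suffix = "." + victim_id
    return [ev["path"] for ev in events if ev["path"].endswith(suffix)]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for pid, hit in find_ransom_notes(evs).items():
        for victim_id in sorted(hit["ids"]):
            print(f"pid {pid} ({hit['image']}) wrote ransom note id {victim_id} "
                  f"on drives {hit['drives']}; files with that extension: "
                  f"{files_with_id_extension(evs, victim_id)}")
```

One note per drive root is consistent with the report's single dropped file only because the sandbox VM has one volume; the grouping by process keeps the alert count at one per writer even when several volumes are hit.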

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.