
Windows Analysis Report NZPC0PFaC0.exe

Overview

General Information

Sample Name: NZPC0PFaC0.exe
Analysis ID: 496234
MD5: 550b59b69ebfd6dda6b55725245b46ad
SHA1: f6a71793288cc09397b262fba8fc38b29073a44e
SHA256: 0d977e55742460c71884d6040178fc8c7abf8c97136b6293da37cbf9c59b6778
Tags: exe, Ransomware, Stop

Most interesting Screenshot: (screenshot not reproduced)

Detection

Djvu
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Detected unpacking (overwrites its own PE header)
Found ransom note / readme
Yara detected Djvu Ransomware
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Injects a PE file into a foreign processes
Contains functionality to inject code into remote processes
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses cacls to modify the permissions of files
Contains functionality to launch a program with higher privileges
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to query network adapter information
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • NZPC0PFaC0.exe (PID: 4332 cmdline: 'C:\Users\user\Desktop\NZPC0PFaC0.exe' MD5: 550B59B69EBFD6DDA6B55725245B46AD)
    • NZPC0PFaC0.exe (PID: 752 cmdline: 'C:\Users\user\Desktop\NZPC0PFaC0.exe' MD5: 550B59B69EBFD6DDA6B55725245B46AD)
      • icacls.exe (PID: 6824 cmdline: icacls 'C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96' /deny *S-1-1-0:(OI)(CI)(DE,DC) MD5: FF0D1D4317A44C951240FAE75075D501)
      • NZPC0PFaC0.exe (PID: 5344 cmdline: 'C:\Users\user\Desktop\NZPC0PFaC0.exe' --Admin IsNotAutoStart IsNotTask MD5: 550B59B69EBFD6DDA6B55725245B46AD)
        • NZPC0PFaC0.exe (PID: 7112 cmdline: 'C:\Users\user\Desktop\NZPC0PFaC0.exe' --Admin IsNotAutoStart IsNotTask MD5: 550B59B69EBFD6DDA6B55725245B46AD)
  • NZPC0PFaC0.exe (PID: 1376 cmdline: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe --Task MD5: 550B59B69EBFD6DDA6B55725245B46AD)
    • NZPC0PFaC0.exe (PID: 5608 cmdline: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe --Task MD5: 550B59B69EBFD6DDA6B55725245B46AD)
  • NZPC0PFaC0.exe (PID: 4340 cmdline: 'C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe' --AutoStart MD5: 550B59B69EBFD6DDA6B55725245B46AD)
    • NZPC0PFaC0.exe (PID: 6880 cmdline: 'C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe' --AutoStart MD5: 550B59B69EBFD6DDA6B55725245B46AD)
  • NZPC0PFaC0.exe (PID: 1308 cmdline: 'C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe' --AutoStart MD5: 550B59B69EBFD6DDA6B55725245B46AD)
    • NZPC0PFaC0.exe (PID: 7044 cmdline: 'C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe' --AutoStart MD5: 550B59B69EBFD6DDA6B55725245B46AD)
  • cleanup

Malware Configuration

Threatname: Djvu

{"Download URLs": ["http://znpst.top/dl/build2.exe", "http://securebiz.org/files/1/build3.exe"], "C2 url": "http://securebiz.org/fhsgtsspen6/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nYou can get and look video overview decrypt tool:\r\nhttps://we.tl/t-1JwFK5rT39\r\nPrice of private key and decrypt software is $980.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $490.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nmanager@mailtemp.ch\r\n\r\nReserve e-mail address to contact us:\r\nsupporthelp@airmail.cc\r\n\r\nYour personal ID:\r\n0336gSd743d", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", 
"C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local\\", "F:\\Windows\\", "F:\\PerfLogs\\", "F:\\ProgramData\\Desktop\\", "F:\\ProgramData\\Microsoft\\", "F:\\Users\\Public\\", "F:\\$Recycle.Bin\\", "F:\\$WINDOWS.~BT\\", "F:\\dell\\", "F:\\Intel\\"], "Public Key": "-----BEGIN PUBLIC KEY-----\\\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu57tFlgbtLAHOxlEyo7a\\\\n5EQX5BVCj\\/a01eBfOlLp1C\\/dUPKprRIvTRRYnjtkCN5uB0ni9m\\/GGY2R7dcZkBFE\\\\nFoYdHolqx1DzonNoGRf9FH126K9Djn\\/HJE1luOEKVS57yPCWDL4Nf2c1TVGhDLl7\\\\n2NmDGdmBBTlc92jSlZKpsKqIk++xsdGv6W05uMaqMEaSbW4oorrufOnex8zyxXIA\\\\nFltacJCoc2A2tbl7Ur\\/N2sp7ppeafCe9YT\\/TIYPosfgVT3FuFUQVimLFoxytPeOv\\\\nozAeLpTyyumQUfg0WY2cC+tum+9X\\/S+\\/2ED2iaR55NnI3yeLV5ACb5mqVIBsNUlq\\\\nkQIDAQAB\\\\n-----END PUBLIC KEY-----"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings (listed below each row)
0000000D.00000001.345040542.0000000000400000.00000040.00020000.sdmp | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0xe23ea:$s1: http://
  • 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF
  • 0xe23ea:$f1: http://
0000000D.00000001.345040542.0000000000400000.00000040.00020000.sdmp | JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security
00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0xe23ea:$s1: http://
  • 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF
  • 0xe23ea:$f1: http://
00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp | JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security
0000000D.00000002.348927479.0000000000400000.00000040.00000001.sdmp | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0xe23ea:$s1: http://
  • 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF
  • 0xe23ea:$f1: http://
(30 entries in total; only the first entries are shown here)

Unpacked PEs

Source | Rule | Description | Author | Strings (listed below each row)
12.2.NZPC0PFaC0.exe.400000.0.raw.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0xe23ea:$s1: http://
  • 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF
  • 0xe23ea:$f1: http://
12.2.NZPC0PFaC0.exe.400000.0.raw.unpack | JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security
8.2.NZPC0PFaC0.exe.7c15a0.1.raw.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0xe0dea:$s1: http://
  • 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF
  • 0xe0dea:$f1: http://
8.2.NZPC0PFaC0.exe.7c15a0.1.raw.unpack | JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security
13.2.NZPC0PFaC0.exe.400000.0.raw.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0xe23ea:$s1: http://
  • 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF
  • 0xe23ea:$f1: http://
(55 entries in total; only the first entries are shown here)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 10.2.NZPC0PFaC0.exe.400000.0.unpack Malware Configuration Extractor: Djvu (the extracted configuration is reproduced in full under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: NZPC0PFaC0.exe Virustotal: Detection: 35%
Source: NZPC0PFaC0.exe ReversingLabs: Detection: 55%
Multi AV Scanner detection for domain / URL
Source: securebiz.org Virustotal: Detection: 17%
Source: http://securebiz.org/fhsgtsspen6/get.php Virustotal: Detection: 19%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe ReversingLabs: Detection: 55%
Machine Learning detection for sample
Source: NZPC0PFaC0.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\NZPC0PFaC0.exe Code function: 5_2_0040E870 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,5_2_0040E870
Source: C:\Users\user\Desktop\NZPC0PFaC0.exe Code function: 5_2_0040EAA0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,5_2_0040EAA0
Source: C:\Users\user\Desktop\NZPC0PFaC0.exe Code function: 5_2_00410FC0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,lstrlenA,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,CryptGetHashParam,_malloc,CryptGetHashParam,_memset,_sprintf,lstrcatA,CryptDestroyHash,CryptReleaseContext,5_2_00410FC0
Source: C:\Users\user\Desktop\NZPC0PFaC0.exe Code function: 10_2_0040E870 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,10_2_0040E870
Source: C:\Users\user\Desktop\NZPC0PFaC0.exe Code function: 10_2_0040EA51 CryptDestroyHash,CryptReleaseContext,10_2_0040EA51
Source: C:\Users\user\Desktop\NZPC0PFaC0.exe Code function: 10_2_0040EAA0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,10_2_0040EAA0
Source: C:\Users\user\Desktop\NZPC0PFaC0.exe Code function: 10_2_0040EC68 CryptDestroyHash,CryptReleaseContext,10_2_0040EC68
Source: C:\Users\user\Desktop\NZPC0PFaC0.exe Code function: 10_2_00410FC0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,lstrlenA,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,CryptGetHashParam,_malloc,CryptGetHashParam,_memset,_sprintf,lstrcatA,CryptDestroyHash,CryptReleaseContext,10_2_00410FC0
Source: C:\Users\user\Desktop\NZPC0PFaC0.exe Code function: 10_2_00411178 CryptDestroyHash,CryptReleaseContext,10_2_00411178
Source: NZPC0PFaC0.exe, 00000010.00000002.555399079.00000000031BA000.00000004.00000010.sdmp Binary or memory string: -----BEGIN PUBLIC KEY-----

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\NZPC0PFaC0.exe Unpacked PE file: 5.2.NZPC0PFaC0.exe.400000.0.unpack
Source: C:\Users\user\Desktop\NZPC0PFaC0.exe Unpacked PE file: 10.2.NZPC0PFaC0.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe Unpacked PE file: 12.2.NZPC0PFaC0.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe Unpacked PE file: 13.2.NZPC0PFaC0.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe Unpacked PE file: 16.2.NZPC0PFaC0.exe.400000.0.unpack
Source: NZPC0PFaC0.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe File created: C:\_readme.txt
Source: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe File created: C:\Users\user\_readme.txt
Source: unknown HTTPS traffic detected: 77.123.139.190:443 -> 192.168.2.3:49750 version: TLS 1.2
Source: unknown HTTPS traffic detected: 77.123.139.190:443 -> 192.168.2.3:49751 version: TLS 1.2
Source: unknown HTTPS traffic detected: 77.123.139.190:443 -> 192.168.2.3:49752 version: TLS 1.2
Source: unknown HTTPS traffic detected: 77.123.139.190:443 -> 192.168.2.3:49753 version: TLS 1.2
Source: unknown HTTPS traffic detected: 77.123.139.190:443 -> 192.168.2.3:49756 version: TLS 1.2
Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: NZPC0PFaC0.exe, NZPC0PFaC0.exe, 0000000B.00000002.345555445.00000000008C0000.00000040.00000001.sdmp, NZPC0PFaC0.exe, 0000000C.00000001.343177485.0000000000400000.00000040.00020000.sdmp, NZPC0PFaC0.exe, 0000000D.00000001.345040542.0000000000400000.00000040.00020000.sdmp, NZPC0PFaC0.exe, 0000000E.00000002.364511145.00000000008B0000.00000040.00000001.sdmp, NZPC0PFaC0.exe, 00000010.00000001.363770530.0000000000400000.00000040.00020000.sdmp
Source: Binary string: C:\lif-ved49-podacarofo-judisovuhola10.pdb source: NZPC0PFaC0.exe
Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: NZPC0PFaC0.exe, 00000001.00000002.303261681.0000000000840000.00000040.00000001.sdmp, NZPC0PFaC0.exe, 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, NZPC0PFaC0.exe, 00000008.00000002.329001364.00000000007C0000.00000040.00000001.sdmp, NZPC0PFaC0.exe, 00000009.00000002.344398408.0000000000840000.00000040.00000001.sdmp, NZPC0PFaC0.exe, 0000000A.00000001.328371406.0000000000400000.00000040.00020000.sdmp, NZPC0PFaC0.exe, 0000000B.00000002.345555445.00000000008C0000.00000040.00000001.sdmp, NZPC0PFaC0.exe, 0000000C.00000001.343177485.0000000000400000.00000040.00020000.sdmp, NZPC0PFaC0.exe, 0000000D.00000001.345040542.0000000000400000.00000040.00020000.sdmp, NZPC0PFaC0.exe, 0000000E.00000002.364511145.00000000008B0000.00000040.00000001.sdmp, NZPC0PFaC0.exe, 00000010.00000001.363770530.0000000000400000.00000040.00020000.sdmp
Source: Binary string: cC:\lif-ved49-podacarofo-judisovuhola10.pdb source: NZPC0PFaC0.exe
Source: C:\Users\user\Desktop\NZPC0PFaC0.exe Code function: 5_2_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,5_2_00410160
Source: C:\Users\user\Desktop\NZPC0PFaC0.exe Code function: 5_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,5_2_0040F730
Source: C:\Users\user\Desktop\NZPC0PFaC0.exe Code function: 5_1_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,5_1_00410160
Source: C:\Users\user\Desktop\NZPC0PFaC0.exe Code function: 10_2_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,10_2_00410160

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://securebiz.org/fhsgtsspen6/get.php
Source: Joe Sandbox View ASN Name: SKB-ASSKBroadbandCoLtdKR
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Joe Sandbox View IP Address: 77.123.139.190
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: NZPC0PFaC0.exe, 00000010.00000003.376779367.0000000003500000.00000004.00000010.sdmp String found in binary or memory: URL=http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: NZPC0PFaC0.exe, 00000010.00000003.377098240.0000000003500000.00000004.00000010.sdmp String found in binary or memory: URL=http://www.twitter.com/ equals www.twitter.com (Twitter)
Source: NZPC0PFaC0.exe, 00000010.00000003.377220530.0000000003500000.00000004.00000010.sdmp String found in binary or memory: URL=http://www.youtube.com/ equals www.youtube.com (Youtube)
Source: NZPC0PFaC0.exe, 0000000A.00000002.332855453.0000000000808000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: NZPC0PFaC0.exe, 00000001.00000002.303261681.0000000000840000.00000040.00000001.sdmp, NZPC0PFaC0.exe, 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, NZPC0PFaC0.exe, 00000008.00000002.329001364.00000000007C0000.00000040.00000001.sdmp, NZPC0PFaC0.exe, 00000009.00000002.344398408.0000000000840000.00000040.00000001.sdmp, NZPC0PFaC0.exe, 0000000A.00000001.328371406.0000000000400000.00000040.00020000.sdmp, NZPC0PFaC0.exe, 0000000B.00000002.345555445.00000000008C0000.00000040.00000001.sdmp, NZPC0PFaC0.exe, 0000000C.00000001.343177485.0000000000400000.00000040.00020000.sdmp, NZPC0PFaC0.exe, 0000000D.00000001.345040542.0000000000400000.00000040.00020000.sdmp, NZPC0PFaC0.exe, 0000000E.00000002.364511145.00000000008B0000.00000040.00000001.sdmp, NZPC0PFaC0.exe, 00000010.00000001.363770530.0000000000400000.00000040.00020000.sdmp String found in binary or memory: http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error
Source: NZPC0PFaC0.exe, 00000010.00000003.376736269.0000000003500000.00000004.00000010.sdmp String found in binary or memory: http://www.amazon.com/
Source: NZPC0PFaC0.exe, 00000010.00000003.376800469.0000000003500000.00000004.00000010.sdmp String found in binary or memory: http://www.google.com/
Source: NZPC0PFaC0.exe, 00000010.00000003.376822071.0000000003500000.00000004.00000010.sdmp String found in binary or memory: http://www.live.com/
Source: NZPC0PFaC0.exe, 00000010.00000003.376954535.0000000003500000.00000004.00000010.sdmp String found in binary or memory: http://www.nytimes.com/
Source: NZPC0PFaC0.exe, 00000010.00000001.363770530.0000000000400000.00000040.00020000.sdmp String found in binary or memory: http://www.openssl.org/support/faq.html
Source: NZPC0PFaC0.exe, 00000010.00000003.377028462.0000000003500000.00000004.00000010.sdmp String found in binary or memory: http://www.reddit.com/
Source: NZPC0PFaC0.exe, 00000010.00000003.377098240.0000000003500000.00000004.00000010.sdmp String found in binary or memory: http://www.twitter.com/
Source: NZPC0PFaC0.exe, 00000010.00000003.377181082.0000000003500000.00000004.00000010.sdmp String found in binary or memory: http://www.wikipedia.com/
Source: NZPC0PFaC0.exe, 00000010.00000003.377220530.0000000003500000.00000004.00000010.sdmp String found in binary or memory: http://www.youtube.com/
Source: NZPC0PFaC0.exe, 0000000A.00000002.332855453.0000000000808000.00000004.00000020.sdmp String found in binary or memory: https://api.2ip.ua/
Source: NZPC0PFaC0.exe, 0000000A.00000002.332855453.0000000000808000.00000004.00000020.sdmp String found in binary or memory: https://api.2ip.ua//Wjn
Source: NZPC0PFaC0.exe, NZPC0PFaC0.exe, 0000000A.00000001.328371406.0000000000400000.00000040.00020000.sdmp, NZPC0PFaC0.exe, 0000000B.00000002.345555445.00000000008C0000.00000040.00000001.sdmp, NZPC0PFaC0.exe, 0000000C.00000001.343177485.0000000000400000.00000040.00020000.sdmp, NZPC0PFaC0.exe, 0000000D.00000001.345040542.0000000000400000.00000040.00020000.sdmp, NZPC0PFaC0.exe, 0000000E.00000002.364511145.00000000008B0000.00000040.00000001.sdmp, NZPC0PFaC0.exe, 00000010.00000003.365995689.00000000007A2000.00000004.00000001.sdmp, NZPC0PFaC0.exe, 00000010.00000001.363770530.0000000000400000.00000040.00020000.sdmp String found in binary or memory: https://api.2ip.ua/geo.json
Source: NZPC0PFaC0.exe, 0000000A.00000002.332958697.0000000000890000.00000004.00000020.sdmp String found in binary or memory: https://api.2ip.ua/geo.jsonC
Source: NZPC0PFaC0.exe, 0000000A.00000002.332855453.0000000000808000.00000004.00000020.sdmp String found in binary or memory: https://api.2ip.ua/geo.jsonS
Source: NZPC0PFaC0.exe, 0000000A.00000002.332855453.0000000000808000.00000004.00000020.sdmp String found in binary or memory: https://api.2ip.ua/geo.jsons
Source: NZPC0PFaC0.exe, 0000000A.00000002.332855453.0000000000808000.00000004.00000020.sdmp String found in binary or memory: https://api.2ip.ua/geo.jsont
Source: NZPC0PFaC0.exe, 0000000A.00000002.332855453.0000000000808000.00000004.00000020.sdmp String found in binary or memory: https://api.2ip.ua/geo.jsonyZ3
Source: NZPC0PFaC0.exe, 00000010.00000002.554664227.000000000078F000.00000004.00000020.sdmp String found in binary or memory: https://we.tl/t-1JwFK5rT
Source: NZPC0PFaC0.exe, 00000010.00000002.554723819.00000000007A9000.00000004.00000020.sdmp, _readme.txt0.16.dr String found in binary or memory: https://we.tl/t-1JwFK5rT39
Source: unknown DNS traffic detected: queries for: api.2ip.ua
Source: C:\Users\user\Desktop\NZPC0PFaC0.exe Code function: 5_2_0040CF10 _memset,InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,5_2_0040CF10
Source: global traffic HTTP traffic detected: GET /geo.json HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: api.2ip.ua
Source: global traffic HTTP traffic detected: GET /geo.json HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: api.2ip.ua
Source: global traffic HTTP traffic detected: GET /geo.json HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: api.2ip.ua
Source: global traffic HTTP traffic detected: GET /geo.json HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: api.2ip.ua
Source: global traffic HTTP traffic detected: GET /geo.json HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: api.2ip.ua
Source: global traffic HTTP traffic detected: GET /fhsgtsspen6/get.php?pid=F4B58C92E14ED1DB6A495C4F0112806C HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: securebiz.org
Source: unknown HTTPS traffic detected: 77.123.139.190:443 -> 192.168.2.3:49750 version: TLS 1.2
Source: unknown HTTPS traffic detected: 77.123.139.190:443 -> 192.168.2.3:49751 version: TLS 1.2
Source: unknown HTTPS traffic detected: 77.123.139.190:443 -> 192.168.2.3:49752 version: TLS 1.2
Source: unknown HTTPS traffic detected: 77.123.139.190:443 -> 192.168.2.3:49753 version: TLS 1.2
Source: unknown HTTPS traffic detected: 77.123.139.190:443 -> 192.168.2.3:49756 version: TLS 1.2
Source: C:\Users\user\Desktop\NZPC0PFaC0.exe Code function: 10_2_004822E0 CreateDCA,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,GetObjectA,BitBlt,GetBitmapBits,SelectObject,DeleteObject,DeleteDC,DeleteDC,DeleteDC,10_2_004822E0

          Spam, unwanted Advertisements and Ransom Demands:

          barindex
          Found ransom note / readmeShow sources
          Source: C:\Users\user\AppData\Local\VirtualStore\_readme.txtDropped file: ATTENTION!Don't worry, you can return all your files!All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.The only method of recovering files is to purchase decrypt tool and unique key for you.This software will decrypt all your encrypted files.What guarantees you have?You can send one of your encrypted file from your PC and we decrypt it for free.But we can decrypt only 1 file for free. File must not contain valuable information.You can get and look video overview decrypt tool:https://we.tl/t-1JwFK5rT39Price of private key and decrypt software is $980.Discount 50% available if you contact us first 72 hours, that's price for you is $490.Please note that you'll never restore your data without payment.Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.To get this software you need write on our e-mail:manager@mailtemp.chReserve e-mail address to contact us:supporthelp@airmail.ccYour personal ID:0336gSd743daN9cBvsGMXusve1sBoUrEE1q7fttlXX9WCZBkEkwJump to dropped file
          Yara detected Djvu Ransomware
          Source: Yara match, file sources (type: UNPACKEDPE):
          12.2.NZPC0PFaC0.exe.400000.0.raw.unpack
          8.2.NZPC0PFaC0.exe.7c15a0.1.raw.unpack
          13.2.NZPC0PFaC0.exe.400000.0.raw.unpack
          10.1.NZPC0PFaC0.exe.400000.0.unpack
          1.2.NZPC0PFaC0.exe.8415a0.1.raw.unpack
          5.2.NZPC0PFaC0.exe.400000.0.unpack
          11.2.NZPC0PFaC0.exe.8c15a0.1.raw.unpack
          10.1.NZPC0PFaC0.exe.400000.0.raw.unpack
          9.2.NZPC0PFaC0.exe.8415a0.1.unpack
          9.2.NZPC0PFaC0.exe.8415a0.1.raw.unpack
          10.2.NZPC0PFaC0.exe.400000.0.unpack
          14.2.NZPC0PFaC0.exe.8b15a0.1.raw.unpack
          13.1.NZPC0PFaC0.exe.400000.0.unpack
          12.2.NZPC0PFaC0.exe.400000.0.unpack
          12.1.NZPC0PFaC0.exe.400000.0.unpack
          8.2.NZPC0PFaC0.exe.7c15a0.1.unpack
          16.1.NZPC0PFaC0.exe.400000.0.raw.unpack
          5.2.NZPC0PFaC0.exe.400000.0.raw.unpack
          14.2.NZPC0PFaC0.exe.8b15a0.1.unpack
          16.2.NZPC0PFaC0.exe.400000.0.raw.unpack
          12.1.NZPC0PFaC0.exe.400000.0.raw.unpack
          1.2.NZPC0PFaC0.exe.8415a0.1.unpack
          16.2.NZPC0PFaC0.exe.400000.0.unpack
          16.1.NZPC0PFaC0.exe.400000.0.unpack
          5.1.NZPC0PFaC0.exe.400000.0.raw.unpack
          10.2.NZPC0PFaC0.exe.400000.0.raw.unpack
          13.1.NZPC0PFaC0.exe.400000.0.raw.unpack
          13.2.NZPC0PFaC0.exe.400000.0.unpack
          11.2.NZPC0PFaC0.exe.8c15a0.1.unpack
          5.1.NZPC0PFaC0.exe.400000.0.unpack
          Source: Yara match, file sources (type: MEMORY):
          0000000D.00000001.345040542.0000000000400000.00000040.00020000.sdmp
          00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp
          0000000D.00000002.348927479.0000000000400000.00000040.00000001.sdmp
          0000000C.00000001.343177485.0000000000400000.00000040.00020000.sdmp
          0000000B.00000002.345555445.00000000008C0000.00000040.00000001.sdmp
          00000009.00000002.344398408.0000000000840000.00000040.00000001.sdmp
          00000001.00000002.303261681.0000000000840000.00000040.00000001.sdmp
          00000010.00000001.363770530.0000000000400000.00000040.00020000.sdmp
          0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp
          0000000C.00000002.347226816.0000000000400000.00000040.00000001.sdmp
          0000000A.00000001.328371406.0000000000400000.00000040.00020000.sdmp
          0000000E.00000002.364511145.00000000008B0000.00000040.00000001.sdmp
          00000005.00000001.301512197.0000000000400000.00000040.00020000.sdmp
          00000010.00000002.553605048.0000000000400000.00000040.00000001.sdmp
          00000008.00000002.329001364.00000000007C0000.00000040.00000001.sdmp
          Source: Yara match, file sources (type: MEMORYSTR), Process Memory Space: NZPC0PFaC0.exe with PIDs:
          4332, 752, 5344, 1376, 7112, 4340, 5608, 6880, 1308, 7044
          Modifies existing user documents (likely ransomware behavior)
          Source: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe | File moved: C:\Users\user\Desktop\QNCYCDFIJJ\QNCYCDFIJJ.docx
          Source: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe | File deleted: C:\Users\user\Desktop\QNCYCDFIJJ\QNCYCDFIJJ.docx
          Source: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe | File moved: C:\Users\user\Desktop\QNCYCDFIJJ\SUAVTZKNFL.jpg
          Source: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe | File deleted: C:\Users\user\Desktop\QNCYCDFIJJ\SUAVTZKNFL.jpg
          Source: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe | File moved: C:\Users\user\Desktop\QNCYCDFIJJ\PWCCAWLGRE.pdf
          Source: NZPC0PFaC0.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
          Matched rule: SUSP_XORed_URL_in_EXE (date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27)
          The rule matched in the following sources (type: UNPACKEDPE):
          12.2.NZPC0PFaC0.exe.400000.0.raw.unpack
          8.2.NZPC0PFaC0.exe.7c15a0.1.raw.unpack
          13.2.NZPC0PFaC0.exe.400000.0.raw.unpack
          10.1.NZPC0PFaC0.exe.400000.0.unpack
          1.2.NZPC0PFaC0.exe.8415a0.1.raw.unpack
          5.2.NZPC0PFaC0.exe.400000.0.unpack
          11.2.NZPC0PFaC0.exe.8c15a0.1.raw.unpack
          10.1.NZPC0PFaC0.exe.400000.0.raw.unpack
          9.2.NZPC0PFaC0.exe.8415a0.1.unpack
          9.2.NZPC0PFaC0.exe.8415a0.1.raw.unpack
          10.2.NZPC0PFaC0.exe.400000.0.unpack
          14.2.NZPC0PFaC0.exe.8b15a0.1.raw.unpack
          13.1.NZPC0PFaC0.exe.400000.0.unpack
          12.2.NZPC0PFaC0.exe.400000.0.unpack
          12.1.NZPC0PFaC0.exe.400000.0.unpack
          8.2.NZPC0PFaC0.exe.7c15a0.1.unpack
          16.1.NZPC0PFaC0.exe.400000.0.raw.unpack
          5.2.NZPC0PFaC0.exe.400000.0.raw.unpack
          14.2.NZPC0PFaC0.exe.8b15a0.1.unpack
          16.2.NZPC0PFaC0.exe.400000.0.raw.unpack
          12.1.NZPC0PFaC0.exe.400000.0.raw.unpack
          1.2.NZPC0PFaC0.exe.8415a0.1.unpack
          16.2.NZPC0PFaC0.exe.400000.0.unpack
          16.1.NZPC0PFaC0.exe.400000.0.unpack
          5.1.NZPC0PFaC0.exe.400000.0.raw.unpack
          10.2.NZPC0PFaC0.exe.400000.0.raw.unpack
          13.1.NZPC0PFaC0.exe.400000.0.raw.unpack
          13.2.NZPC0PFaC0.exe.400000.0.unpack
          11.2.NZPC0PFaC0.exe.8c15a0.1.unpack
          5.1.NZPC0PFaC0.exe.400000.0.unpack
          The rule also matched in the following sources (type: MEMORY):
          0000000D.00000001.345040542.0000000000400000.00000040.00020000.sdmp
          00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp
          0000000D.00000002.348927479.0000000000400000.00000040.00000001.sdmp
          0000000C.00000001.343177485.0000000000400000.00000040.00020000.sdmp
          00000010.00000001.363770530.0000000000400000.00000040.00020000.sdmp
          0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp
          0000000C.00000002.347226816.0000000000400000.00000040.00000001.sdmp
          0000000A.00000001.328371406.0000000000400000.00000040.00020000.sdmp
          00000005.00000001.301512197.0000000000400000.00000040.00020000.sdmp
          00000010.00000002.553605048.0000000000400000.00000040.00000001.sdmp
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code functions:
          1_2_0040A46B
          1_2_0040DC17
          1_2_0040E4C0
          1_2_0040E8CC
          1_2_0040E0EC
          1_2_0040ECEC
          1_2_004119B2
          1_2_00414E6E
          1_2_00407AEA
          1_2_00411EF6
          1_2_00412FF2
          1_2_0084B0B0
          1_2_008500D0
          1_2_008618D0
          1_2_008430EE
          1_2_0084B000
          1_2_0086E9A3
          1_2_0086F9B0
          1_2_0084CA10
          1_2_0084DBE0
          1_2_00850B00
          1_2_0084E6E0
          1_2_0084C760