Windows Analysis Report
0qlnWcmhSC.exe

Overview

General Information

Sample Name: 0qlnWcmhSC.exe
Analysis ID: 679111
MD5: 7d3324aba9cb81871405761ea678c751
SHA1: 07d238ddaabe2010d5113354b5dac651c1dcf8c0
SHA256: 55043585c15ff65ca4b8df91c0b0f1c883d4cfd40933c6d25c2d9159e2f0757c
Tags: exeStop
Infos:

Detection

Djvu
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Djvu Ransomware
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Machine Learning detection for sample
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses cacls to modify the permissions of files
Contains functionality to launch a program with higher privileges
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to query network adapater information
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: 0qlnWcmhSC.exe Virustotal: Detection: 53% Perma Link
Source: 0qlnWcmhSC.exe ReversingLabs: Detection: 56%
Antivirus detection for URL or domain
Source: http://acacaca.org/test2/get.php Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: http://acacaca.org/test2/get.php Virustotal: Detection: 18% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\a728bb78-6259-4af3-b6ac-e10b42e567f7\0qlnWcmhSC.exe Virustotal: Detection: 53% Perma Link
Source: C:\Users\user\AppData\Local\a728bb78-6259-4af3-b6ac-e10b42e567f7\0qlnWcmhSC.exe ReversingLabs: Detection: 56%
Machine Learning detection for sample
Source: 0qlnWcmhSC.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\a728bb78-6259-4af3-b6ac-e10b42e567f7\0qlnWcmhSC.exe Joe Sandbox ML: detected
Source: 5.2.0qlnWcmhSC.exe.43215a0.1.raw.unpack Malware Configuration Extractor: Djvu {"Download URLs": ["http://rgyui.top/dl/build2.exe", "http://acacaca.org/files/1/build3.exe"], "C2 url": "http://acacaca.org/test2/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nYou can get and look video overview decrypt tool:\r\nhttps://we.tl/t-QsoSRIeAK6\r\nPrice of private key and decrypt software is $980.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $490.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@bestyourmail.ch\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelp@airmail.cc\r\n\r\nYour personal ID:\r\n0531Jhyjd", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local\\", "F:\\W
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: 1_2_0040E870 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext, 1_2_0040E870
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: 1_2_0040EAA0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext, 1_2_0040EAA0
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: 1_2_00410FC0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,lstrlenA,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,CryptGetHashParam,_malloc,CryptGetHashParam,_memset,_sprintf,lstrcatA,CryptDestroyHash,CryptReleaseContext, 1_2_00410FC0
Uses 32bit PE files
Source: 0qlnWcmhSC.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.4:49758 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: 0qlnWcmhSC.exe, 0qlnWcmhSC.exe, 00000001.00000000.253006362.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000001.00000002.260647827.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000001.00000000.250322502.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000005.00000002.283839825.0000000004320000.00000040.00001000.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000006.00000002.327195774.00000000042C0000.00000040.00001000.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000008.00000000.280029578.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000008.00000002.286929685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000008.00000000.278990352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000009.00000002.305843208.00000000042F0000.00000040.00001000.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 0000000A.00000000.319421336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 0000000A.00000000.316973990.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 0000000A.00000002.329549593.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 0000000D.00000000.301047779.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 0000000D.00000000.297986626.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 0000000D.00000002.315111035.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000014.00000002.327894580.0000000004290000.00000040.00001000.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000015.00000000.323385297.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000015.00000000.322747797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000015.00000002.332044267.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: C:\moxutohoxani.pdb source: 0qlnWcmhSC.exe, 0qlnWcmhSC.exe.1.dr
Source: Binary string: _C:\moxutohoxani.pdb` source: 0qlnWcmhSC.exe, 0qlnWcmhSC.exe.1.dr
Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: 0qlnWcmhSC.exe, 00000000.00000002.255350583.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000001.00000000.253006362.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000001.00000002.260647827.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000001.00000000.250322502.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000005.00000002.283839825.0000000004320000.00000040.00001000.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000006.00000002.327195774.00000000042C0000.00000040.00001000.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000008.00000000.280029578.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000008.00000002.286929685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000008.00000000.278990352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000009.00000002.305843208.00000000042F0000.00000040.00001000.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 0000000A.00000000.319421336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 0000000A.00000000.316973990.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 0000000A.00000002.329549593.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 0000000D.00000000.301047779.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 0000000D.00000000.297986626.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 0000000D.00000002.315111035.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000014.00000002.327894580.0000000004290000.00000040.00001000.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000015.00000000.323385297.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000015.00000000.322747797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000015.00000002.332044267.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: 1_2_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose, 1_2_00410160
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: 1_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose, 1_2_0040F730

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://acacaca.org/test2/get.php
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 162.0.217.254 162.0.217.254
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: 0qlnWcmhSC.exe, 00000001.00000003.255498314.000000000073F000.00000004.00000020.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000001.00000003.255449271.000000000073F000.00000004.00000020.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000001.00000002.260907718.0000000000737000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 0qlnWcmhSC.exe, 00000000.00000002.255350583.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000001.00000000.253006362.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000001.00000002.260647827.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000001.00000000.250322502.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000005.00000002.283839825.0000000004320000.00000040.00001000.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000006.00000002.327195774.00000000042C0000.00000040.00001000.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000008.00000000.280029578.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000008.00000002.286929685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000008.00000000.278990352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000009.00000002.305843208.00000000042F0000.00000040.00001000.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 0000000A.00000000.319421336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 0000000A.00000000.316973990.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 0000000A.00000002.329549593.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 0000000D.00000000.301047779.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 0000000D.00000000.297986626.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 0000000D.00000002.315111035.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000014.00000002.327894580.0000000004290000.00000040.00001000.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000015.00000000.323385297.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000015.00000000.322747797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000015.00000002.332044267.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error
Source: 0qlnWcmhSC.exe, 00000015.00000002.332044267.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://www.openssl.org/support/faq.html
Source: 0qlnWcmhSC.exe, 0qlnWcmhSC.exe, 00000001.00000003.255498314.000000000073F000.00000004.00000020.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000001.00000003.255449271.000000000073F000.00000004.00000020.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000001.00000000.253006362.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000001.00000002.260647827.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000001.00000000.250322502.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000005.00000002.283839825.0000000004320000.00000040.00001000.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000006.00000002.327195774.00000000042C0000.00000040.00001000.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000008.00000000.280029578.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000008.00000002.286929685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000008.00000000.278990352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000009.00000002.305843208.00000000042F0000.00000040.00001000.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 0000000A.00000000.319421336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 0000000A.00000000.316973990.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 0000000A.00000002.329549593.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 0000000D.00000000.301047779.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 0000000D.00000000.297986626.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 0000000D.00000002.315111035.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000014.00000002.327894580.0000000004290000.00000040.00001000.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000015.00000000.323385297.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000015.00000000.322747797.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/geo.json
Source: unknown DNS traffic detected: queries for: api.2ip.ua
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: 1_2_0040CF10 _memset,InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 1_2_0040CF10
Source: global traffic HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.4:49758 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.4:49773 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands
barindex
Yara detected Djvu Ransomware
Source: Yara match File source: 10.0.0qlnWcmhSC.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.0qlnWcmhSC.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.0qlnWcmhSC.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.0qlnWcmhSC.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.0qlnWcmhSC.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.0qlnWcmhSC.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.0qlnWcmhSC.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.0qlnWcmhSC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.0qlnWcmhSC.exe.43215a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.0qlnWcmhSC.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.0qlnWcmhSC.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.0qlnWcmhSC.exe.42d15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.0qlnWcmhSC.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.0qlnWcmhSC.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.0qlnWcmhSC.exe.43215a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.0qlnWcmhSC.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.0qlnWcmhSC.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.0qlnWcmhSC.exe.42c15a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.0qlnWcmhSC.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.0qlnWcmhSC.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.0qlnWcmhSC.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.0qlnWcmhSC.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.0qlnWcmhSC.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.0qlnWcmhSC.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.0qlnWcmhSC.exe.42915a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.0qlnWcmhSC.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.0qlnWcmhSC.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.0qlnWcmhSC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.0qlnWcmhSC.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.0qlnWcmhSC.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.0qlnWcmhSC.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.0qlnWcmhSC.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.0qlnWcmhSC.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.0qlnWcmhSC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.0qlnWcmhSC.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.0qlnWcmhSC.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.0qlnWcmhSC.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.0qlnWcmhSC.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.0qlnWcmhSC.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.0qlnWcmhSC.exe.42f15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.0qlnWcmhSC.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.0qlnWcmhSC.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.0qlnWcmhSC.exe.42d15a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.0qlnWcmhSC.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.0qlnWcmhSC.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.0qlnWcmhSC.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.0qlnWcmhSC.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.0qlnWcmhSC.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.0qlnWcmhSC.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.0qlnWcmhSC.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.0qlnWcmhSC.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.0qlnWcmhSC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.0qlnWcmhSC.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.0qlnWcmhSC.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.0qlnWcmhSC.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.0qlnWcmhSC.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.0qlnWcmhSC.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.0qlnWcmhSC.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.0qlnWcmhSC.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.0qlnWcmhSC.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.0qlnWcmhSC.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.0qlnWcmhSC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.0qlnWcmhSC.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.0qlnWcmhSC.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.0qlnWcmhSC.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.0qlnWcmhSC.exe.42f15a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.0qlnWcmhSC.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.0qlnWcmhSC.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.0qlnWcmhSC.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.0qlnWcmhSC.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.0qlnWcmhSC.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.0qlnWcmhSC.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.0qlnWcmhSC.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.0qlnWcmhSC.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.0qlnWcmhSC.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.0qlnWcmhSC.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.0qlnWcmhSC.exe.42915a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.0qlnWcmhSC.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.0qlnWcmhSC.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.0qlnWcmhSC.exe.42c15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000015.00000000.323385297.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.324597957.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.319421336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.316973990.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.253006362.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.322747797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.251005615.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.321324368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.297986626.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.327195774.00000000042C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.325090580.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.286929685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.327894580.0000000004290000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.280029578.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.320295591.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.315111035.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.280526458.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.329549593.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.250322502.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.279453243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.260647827.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.283839825.0000000004320000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.278990352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.251612299.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.301047779.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.299793553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.322027544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.298661197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.332044267.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.281073813.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.252249739.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.300393397.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.305843208.00000000042F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.255350583.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.324034251.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 0qlnWcmhSC.exe PID: 4220, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 0qlnWcmhSC.exe PID: 5912, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 0qlnWcmhSC.exe PID: 5296, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 0qlnWcmhSC.exe PID: 896, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 0qlnWcmhSC.exe PID: 5192, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 0qlnWcmhSC.exe PID: 5812, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 0qlnWcmhSC.exe PID: 5264, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 0qlnWcmhSC.exe PID: 2100, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 0qlnWcmhSC.exe PID: 480, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 0qlnWcmhSC.exe PID: 5300, type: MEMORYSTR

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 10.0.0qlnWcmhSC.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.0qlnWcmhSC.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.0qlnWcmhSC.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 8.0.0qlnWcmhSC.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.0qlnWcmhSC.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 10.0.0qlnWcmhSC.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 10.0.0qlnWcmhSC.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 10.0.0qlnWcmhSC.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 10.0.0qlnWcmhSC.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 13.0.0qlnWcmhSC.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.0qlnWcmhSC.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.0qlnWcmhSC.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.0qlnWcmhSC.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.0qlnWcmhSC.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 8.2.0qlnWcmhSC.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.2.0qlnWcmhSC.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.0qlnWcmhSC.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.0qlnWcmhSC.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 21.2.0qlnWcmhSC.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 21.2.0qlnWcmhSC.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 13.0.0qlnWcmhSC.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 13.0.0qlnWcmhSC.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 10.2.0qlnWcmhSC.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 10.2.0qlnWcmhSC.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.2.0qlnWcmhSC.exe.43215a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.2.0qlnWcmhSC.exe.43215a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 8.0.0qlnWcmhSC.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.0.0qlnWcmhSC.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 21.0.0qlnWcmhSC.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 21.0.0qlnWcmhSC.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0.2.0qlnWcmhSC.exe.42d15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0.2.0qlnWcmhSC.exe.42d15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 8.0.0qlnWcmhSC.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.0.0qlnWcmhSC.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 10.2.0qlnWcmhSC.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 10.2.0qlnWcmhSC.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.2.0qlnWcmhSC.exe.43215a0.1.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.2.0qlnWcmhSC.exe.43215a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.0qlnWcmhSC.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.0qlnWcmhSC.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 21.0.0qlnWcmhSC.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 21.0.0qlnWcmhSC.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.2.0qlnWcmhSC.exe.42c15a0.1.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.2.0qlnWcmhSC.exe.42c15a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 21.0.0qlnWcmhSC.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 21.0.0qlnWcmhSC.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 8.0.0qlnWcmhSC.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.0.0qlnWcmhSC.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.0qlnWcmhSC.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.0qlnWcmhSC.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 13.0.0qlnWcmhSC.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 13.0.0qlnWcmhSC.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 13.0.0qlnWcmhSC.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 13.0.0qlnWcmhSC.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 10.0.0qlnWcmhSC.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 10.0.0qlnWcmhSC.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 20.2.0qlnWcmhSC.exe.42915a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 20.2.0qlnWcmhSC.exe.42915a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 21.0.0qlnWcmhSC.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 21.0.0qlnWcmhSC.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 8.0.0qlnWcmhSC.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.0.0qlnWcmhSC.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 13.2.0qlnWcmhSC.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 13.2.0qlnWcmhSC.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 10.0.0qlnWcmhSC.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 10.0.0qlnWcmhSC.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 10.0.0qlnWcmhSC.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.0qlnWcmhSC.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.0qlnWcmhSC.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 13.0.0qlnWcmhSC.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 13.0.0qlnWcmhSC.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 10.0.0qlnWcmhSC.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 10.0.0qlnWcmhSC.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.0qlnWcmhSC.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.0qlnWcmhSC.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 13.0.0qlnWcmhSC.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 21.2.0qlnWcmhSC.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 21.2.0qlnWcmhSC.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.0qlnWcmhSC.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.0qlnWcmhSC.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 13.0.0qlnWcmhSC.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 8.0.0qlnWcmhSC.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.0.0qlnWcmhSC.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 8.0.0qlnWcmhSC.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.0.0qlnWcmhSC.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 13.0.0qlnWcmhSC.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 13.0.0qlnWcmhSC.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 8.0.0qlnWcmhSC.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.0.0qlnWcmhSC.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 13.0.0qlnWcmhSC.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.0qlnWcmhSC.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.2.0qlnWcmhSC.exe.42f15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.2.0qlnWcmhSC.exe.42f15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 10.0.0qlnWcmhSC.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 10.0.0qlnWcmhSC.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 8.0.0qlnWcmhSC.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.0.0qlnWcmhSC.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0.2.0qlnWcmhSC.exe.42d15a0.1.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0.2.0qlnWcmhSC.exe.42d15a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 21.0.0qlnWcmhSC.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 21.0.0qlnWcmhSC.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 13.0.0qlnWcmhSC.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 13.0.0qlnWcmhSC.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 10.0.0qlnWcmhSC.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 10.0.0qlnWcmhSC.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 10.0.0qlnWcmhSC.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 8.0.0qlnWcmhSC.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.0.0qlnWcmhSC.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 21.0.0qlnWcmhSC.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 21.0.0qlnWcmhSC.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 13.0.0qlnWcmhSC.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 13.0.0qlnWcmhSC.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 10.0.0qlnWcmhSC.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 10.0.0qlnWcmhSC.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 21.0.0qlnWcmhSC.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 21.0.0qlnWcmhSC.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.2.0qlnWcmhSC.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.2.0qlnWcmhSC.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.2.0qlnWcmhSC.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.2.0qlnWcmhSC.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 10.0.0qlnWcmhSC.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 10.0.0qlnWcmhSC.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 21.0.0qlnWcmhSC.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 21.0.0qlnWcmhSC.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 21.0.0qlnWcmhSC.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 21.0.0qlnWcmhSC.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 21.0.0qlnWcmhSC.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 21.0.0qlnWcmhSC.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 21.0.0qlnWcmhSC.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 10.0.0qlnWcmhSC.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 10.0.0qlnWcmhSC.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 10.0.0qlnWcmhSC.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 10.0.0qlnWcmhSC.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 10.0.0qlnWcmhSC.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 10.0.0qlnWcmhSC.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 13.0.0qlnWcmhSC.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 13.0.0qlnWcmhSC.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 13.0.0qlnWcmhSC.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 8.2.0qlnWcmhSC.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.2.0qlnWcmhSC.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 13.0.0qlnWcmhSC.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 13.0.0qlnWcmhSC.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.0qlnWcmhSC.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.0qlnWcmhSC.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.0qlnWcmhSC.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.0qlnWcmhSC.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.0qlnWcmhSC.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.2.0qlnWcmhSC.exe.42f15a0.1.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.2.0qlnWcmhSC.exe.42f15a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.0qlnWcmhSC.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.0qlnWcmhSC.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 10.0.0qlnWcmhSC.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 10.0.0qlnWcmhSC.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 13.0.0qlnWcmhSC.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 13.0.0qlnWcmhSC.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 13.0.0qlnWcmhSC.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 13.0.0qlnWcmhSC.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 21.0.0qlnWcmhSC.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 21.0.0qlnWcmhSC.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.0qlnWcmhSC.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.0qlnWcmhSC.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 8.0.0qlnWcmhSC.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.0.0qlnWcmhSC.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 8.0.0qlnWcmhSC.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.0.0qlnWcmhSC.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 13.2.0qlnWcmhSC.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 13.2.0qlnWcmhSC.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 13.0.0qlnWcmhSC.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 13.0.0qlnWcmhSC.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 20.2.0qlnWcmhSC.exe.42915a0.1.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 20.2.0qlnWcmhSC.exe.42915a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 21.0.0qlnWcmhSC.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 21.0.0qlnWcmhSC.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 8.0.0qlnWcmhSC.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.0.0qlnWcmhSC.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.2.0qlnWcmhSC.exe.42c15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.2.0qlnWcmhSC.exe.42c15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000014.00000002.327652394.00000000041F2000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000015.00000000.323385297.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000015.00000000.323385297.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000009.00000002.304182399.00000000026DE000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000008.00000000.278663427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000D.00000000.297339138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000015.00000000.324597957.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000015.00000000.324597957.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000A.00000000.319421336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000000A.00000000.319421336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000A.00000000.316973990.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000000A.00000000.316973990.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000001.00000000.253006362.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000001.00000000.253006362.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000015.00000000.322747797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000015.00000000.322747797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000001.00000000.251005615.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000001.00000000.251005615.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000A.00000000.321324368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000000A.00000000.321324368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000D.00000000.297986626.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000000D.00000000.297986626.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000006.00000002.327195774.00000000042C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000015.00000000.325090580.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000015.00000000.325090580.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000008.00000002.286929685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000008.00000002.286929685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000014.00000002.327894580.0000000004290000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000008.00000000.280029578.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000008.00000000.280029578.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000001.00000000.249683666.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000A.00000000.320295591.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000000A.00000000.320295591.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000015.00000000.322244300.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000005.00000002.282884669.00000000027ED000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000006.00000002.325796786.00000000041EE000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000D.00000002.315111035.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000000D.00000002.315111035.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000008.00000000.280526458.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000008.00000000.280526458.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000A.00000002.329549593.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000000A.00000002.329549593.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000001.00000000.250322502.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000001.00000000.250322502.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000008.00000000.279453243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000008.00000000.279453243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000001.00000002.260647827.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000001.00000002.260647827.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000005.00000002.283839825.0000000004320000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000000.00000002.254903919.0000000004190000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000008.00000000.278990352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000008.00000000.278990352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000001.00000000.251612299.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000001.00000000.251612299.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000D.00000000.301047779.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000000D.00000000.301047779.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000D.00000000.299793553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000000D.00000000.299793553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000A.00000000.322027544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000000A.00000000.322027544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000A.00000000.314313575.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000D.00000000.298661197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000000D.00000000.298661197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000015.00000002.332044267.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000015.00000002.332044267.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000008.00000000.281073813.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000008.00000000.281073813.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000001.00000000.252249739.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000001.00000000.252249739.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000D.00000000.300393397.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000000D.00000000.300393397.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000009.00000002.305843208.00000000042F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000000.00000002.255350583.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000015.00000000.324034251.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000015.00000000.324034251.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: 0qlnWcmhSC.exe PID: 4220, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: 0qlnWcmhSC.exe PID: 5912, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: 0qlnWcmhSC.exe PID: 5296, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: 0qlnWcmhSC.exe PID: 896, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: 0qlnWcmhSC.exe PID: 5192, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: 0qlnWcmhSC.exe PID: 5812, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: 0qlnWcmhSC.exe PID: 5264, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: 0qlnWcmhSC.exe PID: 2100, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: 0qlnWcmhSC.exe PID: 480, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: 0qlnWcmhSC.exe PID: 5300, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Uses 32bit PE files
Source: 0qlnWcmhSC.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 10.0.0qlnWcmhSC.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.0qlnWcmhSC.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.0qlnWcmhSC.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 8.0.0qlnWcmhSC.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.0qlnWcmhSC.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 10.0.0qlnWcmhSC.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 10.0.0qlnWcmhSC.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 10.0.0qlnWcmhSC.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 10.0.0qlnWcmhSC.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 10.0.0qlnWcmhSC.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 13.0.0qlnWcmhSC.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.0qlnWcmhSC.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 1.0.0qlnWcmhSC.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.0qlnWcmhSC.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.0qlnWcmhSC.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 1.0.0qlnWcmhSC.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.0qlnWcmhSC.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 8.2.0qlnWcmhSC.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 8.2.0qlnWcmhSC.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.2.0qlnWcmhSC.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.0qlnWcmhSC.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 1.0.0qlnWcmhSC.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.0qlnWcmhSC.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 21.2.0qlnWcmhSC.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 21.2.0qlnWcmhSC.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 21.2.0qlnWcmhSC.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 13.0.0qlnWcmhSC.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 13.0.0qlnWcmhSC.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 13.0.0qlnWcmhSC.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 10.2.0qlnWcmhSC.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 10.2.0qlnWcmhSC.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 10.2.0qlnWcmhSC.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.2.0qlnWcmhSC.exe.43215a0.1.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 5.2.0qlnWcmhSC.exe.43215a0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.2.0qlnWcmhSC.exe.43215a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 8.0.0qlnWcmhSC.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 8.0.0qlnWcmhSC.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.0.0qlnWcmhSC.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 21.0.0qlnWcmhSC.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 21.0.0qlnWcmhSC.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 21.0.0qlnWcmhSC.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0.2.0qlnWcmhSC.exe.42d15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 0.2.0qlnWcmhSC.exe.42d15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0.2.0qlnWcmhSC.exe.42d15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 8.0.0qlnWcmhSC.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 8.0.0qlnWcmhSC.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.0.0qlnWcmhSC.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 10.2.0qlnWcmhSC.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 10.2.0qlnWcmhSC.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 10.2.0qlnWcmhSC.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.2.0qlnWcmhSC.exe.43215a0.1.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 5.2.0qlnWcmhSC.exe.43215a0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.2.0qlnWcmhSC.exe.43215a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.0qlnWcmhSC.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 1.0.0qlnWcmhSC.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.0qlnWcmhSC.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 21.0.0qlnWcmhSC.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 21.0.0qlnWcmhSC.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 21.0.0qlnWcmhSC.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.2.0qlnWcmhSC.exe.42c15a0.1.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 6.2.0qlnWcmhSC.exe.42c15a0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.2.0qlnWcmhSC.exe.42c15a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 21.0.0qlnWcmhSC.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 21.0.0qlnWcmhSC.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 21.0.0qlnWcmhSC.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 8.0.0qlnWcmhSC.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 8.0.0qlnWcmhSC.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.0.0qlnWcmhSC.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.0qlnWcmhSC.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 1.0.0qlnWcmhSC.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.0qlnWcmhSC.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 13.0.0qlnWcmhSC.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 13.0.0qlnWcmhSC.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 13.0.0qlnWcmhSC.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 13.0.0qlnWcmhSC.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 13.0.0qlnWcmhSC.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 13.0.0qlnWcmhSC.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 10.0.0qlnWcmhSC.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 10.0.0qlnWcmhSC.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 10.0.0qlnWcmhSC.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 20.2.0qlnWcmhSC.exe.42915a0.1.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 20.2.0qlnWcmhSC.exe.42915a0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 20.2.0qlnWcmhSC.exe.42915a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 21.0.0qlnWcmhSC.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 21.0.0qlnWcmhSC.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 21.0.0qlnWcmhSC.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 8.0.0qlnWcmhSC.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 8.0.0qlnWcmhSC.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.0.0qlnWcmhSC.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 13.2.0qlnWcmhSC.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 13.2.0qlnWcmhSC.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 13.2.0qlnWcmhSC.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 10.0.0qlnWcmhSC.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 10.0.0qlnWcmhSC.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 10.0.0qlnWcmhSC.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 10.0.0qlnWcmhSC.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.0qlnWcmhSC.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 1.0.0qlnWcmhSC.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.0qlnWcmhSC.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 13.0.0qlnWcmhSC.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 13.0.0qlnWcmhSC.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 13.0.0qlnWcmhSC.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 10.0.0qlnWcmhSC.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 10.0.0qlnWcmhSC.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 10.0.0qlnWcmhSC.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.0qlnWcmhSC.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 1.0.0qlnWcmhSC.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.0qlnWcmhSC.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 13.0.0qlnWcmhSC.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 21.2.0qlnWcmhSC.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 21.2.0qlnWcmhSC.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 21.2.0qlnWcmhSC.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.0qlnWcmhSC.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 1.0.0qlnWcmhSC.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.0qlnWcmhSC.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 13.0.0qlnWcmhSC.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 8.0.0qlnWcmhSC.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 8.0.0qlnWcmhSC.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.0.0qlnWcmhSC.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 8.0.0qlnWcmhSC.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 8.0.0qlnWcmhSC.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.0.0qlnWcmhSC.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 13.0.0qlnWcmhSC.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 13.0.0qlnWcmhSC.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 13.0.0qlnWcmhSC.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 8.0.0qlnWcmhSC.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 8.0.0qlnWcmhSC.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.0.0qlnWcmhSC.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 13.0.0qlnWcmhSC.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.0qlnWcmhSC.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.2.0qlnWcmhSC.exe.42f15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 9.2.0qlnWcmhSC.exe.42f15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.2.0qlnWcmhSC.exe.42f15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 10.0.0qlnWcmhSC.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 10.0.0qlnWcmhSC.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 10.0.0qlnWcmhSC.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 8.0.0qlnWcmhSC.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 8.0.0qlnWcmhSC.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.0.0qlnWcmhSC.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0.2.0qlnWcmhSC.exe.42d15a0.1.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 0.2.0qlnWcmhSC.exe.42d15a0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0.2.0qlnWcmhSC.exe.42d15a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 21.0.0qlnWcmhSC.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 21.0.0qlnWcmhSC.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 21.0.0qlnWcmhSC.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 13.0.0qlnWcmhSC.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 13.0.0qlnWcmhSC.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 13.0.0qlnWcmhSC.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 10.0.0qlnWcmhSC.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 10.0.0qlnWcmhSC.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 10.0.0qlnWcmhSC.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 10.0.0qlnWcmhSC.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 8.0.0qlnWcmhSC.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 8.0.0qlnWcmhSC.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.0.0qlnWcmhSC.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 21.0.0qlnWcmhSC.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 21.0.0qlnWcmhSC.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 21.0.0qlnWcmhSC.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 13.0.0qlnWcmhSC.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 13.0.0qlnWcmhSC.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 13.0.0qlnWcmhSC.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 10.0.0qlnWcmhSC.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 10.0.0qlnWcmhSC.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 10.0.0qlnWcmhSC.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 21.0.0qlnWcmhSC.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 21.0.0qlnWcmhSC.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 21.0.0qlnWcmhSC.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.2.0qlnWcmhSC.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 1.2.0qlnWcmhSC.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.2.0qlnWcmhSC.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.2.0qlnWcmhSC.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 1.2.0qlnWcmhSC.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.2.0qlnWcmhSC.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 10.0.0qlnWcmhSC.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 10.0.0qlnWcmhSC.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 10.0.0qlnWcmhSC.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 21.0.0qlnWcmhSC.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 21.0.0qlnWcmhSC.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 21.0.0qlnWcmhSC.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 21.0.0qlnWcmhSC.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 21.0.0qlnWcmhSC.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 21.0.0qlnWcmhSC.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 21.0.0qlnWcmhSC.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 21.0.0qlnWcmhSC.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 21.0.0qlnWcmhSC.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 21.0.0qlnWcmhSC.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 10.0.0qlnWcmhSC.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 10.0.0qlnWcmhSC.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 10.0.0qlnWcmhSC.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 10.0.0qlnWcmhSC.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 10.0.0qlnWcmhSC.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 10.0.0qlnWcmhSC.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 10.0.0qlnWcmhSC.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 10.0.0qlnWcmhSC.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 10.0.0qlnWcmhSC.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 13.0.0qlnWcmhSC.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 13.0.0qlnWcmhSC.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 13.0.0qlnWcmhSC.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 13.0.0qlnWcmhSC.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 8.2.0qlnWcmhSC.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 8.2.0qlnWcmhSC.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.2.0qlnWcmhSC.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 13.0.0qlnWcmhSC.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 13.0.0qlnWcmhSC.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 13.0.0qlnWcmhSC.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.0qlnWcmhSC.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 1.0.0qlnWcmhSC.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.0qlnWcmhSC.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.0qlnWcmhSC.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 1.0.0qlnWcmhSC.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.0qlnWcmhSC.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.0qlnWcmhSC.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.2.0qlnWcmhSC.exe.42f15a0.1.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 9.2.0qlnWcmhSC.exe.42f15a0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.2.0qlnWcmhSC.exe.42f15a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.0qlnWcmhSC.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 1.0.0qlnWcmhSC.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.0qlnWcmhSC.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 10.0.0qlnWcmhSC.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 10.0.0qlnWcmhSC.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 10.0.0qlnWcmhSC.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 13.0.0qlnWcmhSC.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 13.0.0qlnWcmhSC.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 13.0.0qlnWcmhSC.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 13.0.0qlnWcmhSC.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 13.0.0qlnWcmhSC.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 13.0.0qlnWcmhSC.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 21.0.0qlnWcmhSC.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 21.0.0qlnWcmhSC.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 21.0.0qlnWcmhSC.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.0qlnWcmhSC.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 1.0.0qlnWcmhSC.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.0qlnWcmhSC.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 8.0.0qlnWcmhSC.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 8.0.0qlnWcmhSC.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.0.0qlnWcmhSC.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 8.0.0qlnWcmhSC.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 8.0.0qlnWcmhSC.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.0.0qlnWcmhSC.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 13.2.0qlnWcmhSC.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 13.2.0qlnWcmhSC.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 13.2.0qlnWcmhSC.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 13.0.0qlnWcmhSC.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 13.0.0qlnWcmhSC.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 13.0.0qlnWcmhSC.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 20.2.0qlnWcmhSC.exe.42915a0.1.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 20.2.0qlnWcmhSC.exe.42915a0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 20.2.0qlnWcmhSC.exe.42915a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 21.0.0qlnWcmhSC.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 21.0.0qlnWcmhSC.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 21.0.0qlnWcmhSC.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 8.0.0qlnWcmhSC.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 8.0.0qlnWcmhSC.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.0.0qlnWcmhSC.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.2.0qlnWcmhSC.exe.42c15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 6.2.0qlnWcmhSC.exe.42c15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.2.0qlnWcmhSC.exe.42c15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000014.00000002.327652394.00000000041F2000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000015.00000000.323385297.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 00000015.00000000.323385297.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000015.00000000.323385297.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000009.00000002.304182399.00000000026DE000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000008.00000000.278663427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000D.00000000.297339138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000015.00000000.324597957.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 00000015.00000000.324597957.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000015.00000000.324597957.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000A.00000000.319421336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 0000000A.00000000.319421336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000000A.00000000.319421336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000A.00000000.316973990.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 0000000A.00000000.316973990.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000000A.00000000.316973990.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000001.00000000.253006362.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 00000001.00000000.253006362.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000001.00000000.253006362.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000015.00000000.322747797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 00000015.00000000.322747797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000015.00000000.322747797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000001.00000000.251005615.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 00000001.00000000.251005615.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000001.00000000.251005615.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000A.00000000.321324368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 0000000A.00000000.321324368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000000A.00000000.321324368.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000D.00000000.297986626.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 0000000D.00000000.297986626.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000000D.00000000.297986626.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000006.00000002.327195774.00000000042C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000015.00000000.325090580.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 00000015.00000000.325090580.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000015.00000000.325090580.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000008.00000002.286929685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 00000008.00000002.286929685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000008.00000002.286929685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000014.00000002.327894580.0000000004290000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000008.00000000.280029578.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 00000008.00000000.280029578.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000008.00000000.280029578.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000001.00000000.249683666.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000A.00000000.320295591.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 0000000A.00000000.320295591.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000000A.00000000.320295591.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000015.00000000.322244300.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000005.00000002.282884669.00000000027ED000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000006.00000002.325796786.00000000041EE000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000D.00000002.315111035.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 0000000D.00000002.315111035.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000000D.00000002.315111035.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000008.00000000.280526458.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 00000008.00000000.280526458.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000008.00000000.280526458.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000A.00000002.329549593.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 0000000A.00000002.329549593.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000000A.00000002.329549593.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000001.00000000.250322502.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 00000001.00000000.250322502.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000001.00000000.250322502.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000008.00000000.279453243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 00000008.00000000.279453243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000008.00000000.279453243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000001.00000002.260647827.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 00000001.00000002.260647827.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000001.00000002.260647827.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000005.00000002.283839825.0000000004320000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000000.00000002.254903919.0000000004190000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000008.00000000.278990352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 00000008.00000000.278990352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000008.00000000.278990352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000001.00000000.251612299.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 00000001.00000000.251612299.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000001.00000000.251612299.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000D.00000000.301047779.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 0000000D.00000000.301047779.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000000D.00000000.301047779.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000D.00000000.299793553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 0000000D.00000000.299793553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000000D.00000000.299793553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000A.00000000.322027544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 0000000A.00000000.322027544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000000A.00000000.322027544.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000A.00000000.314313575.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000D.00000000.298661197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 0000000D.00000000.298661197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000000D.00000000.298661197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000015.00000002.332044267.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 00000015.00000002.332044267.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000015.00000002.332044267.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000008.00000000.281073813.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 00000008.00000000.281073813.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000008.00000000.281073813.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000001.00000000.252249739.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 00000001.00000000.252249739.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000001.00000000.252249739.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000D.00000000.300393397.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 0000000D.00000000.300393397.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000000D.00000000.300393397.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000009.00000002.305843208.00000000042F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000000.00000002.255350583.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000015.00000000.324034251.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 00000015.00000000.324034251.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000015.00000000.324034251.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: 0qlnWcmhSC.exe PID: 4220, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: 0qlnWcmhSC.exe PID: 5912, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: 0qlnWcmhSC.exe PID: 5296, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: 0qlnWcmhSC.exe PID: 896, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: 0qlnWcmhSC.exe PID: 5192, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: 0qlnWcmhSC.exe PID: 5812, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: 0qlnWcmhSC.exe PID: 5264, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: 0qlnWcmhSC.exe PID: 2100, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: 0qlnWcmhSC.exe PID: 480, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: 0qlnWcmhSC.exe PID: 5300, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Detected potential crypto function
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: 1_2_0040D240 1_2_0040D240
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: 1_2_00419F90 1_2_00419F90
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: 1_2_0040C070 1_2_0040C070
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: 1_2_0042E003 1_2_0042E003
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: 1_2_0042F010 1_2_0042F010
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: 1_2_00410160 1_2_00410160
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: 1_2_0044237E 1_2_0044237E
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: 1_2_004344FF 1_2_004344FF
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: 1_2_00449506 1_2_00449506
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: 1_2_0043E5A3 1_2_0043E5A3
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: 1_2_0044B5B1 1_2_0044B5B1
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: 1_2_0040A660 1_2_0040A660
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: 1_2_0041E690 1_2_0041E690
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: 1_2_0040274E 1_2_0040274E
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: 1_2_0040A710 1_2_0040A710
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: 1_2_0040F730 1_2_0040F730
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: 1_2_0044D7A1 1_2_0044D7A1
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: 1_2_0042C804 1_2_0042C804
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: 1_2_0044D9DC 1_2_0044D9DC
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: 1_2_00449A71 1_2_00449A71
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: 1_2_00443B40 1_2_00443B40
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: 1_2_0044ACFF 1_2_0044ACFF
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: 1_2_0040DD40 1_2_0040DD40
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: 1_2_0040BDC0 1_2_0040BDC0
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: 1_2_0042CE51 1_2_0042CE51
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: 1_2_00420F30 1_2_00420F30
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: 1_2_00449FE3 1_2_00449FE3
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: String function: 0042F7C0 appears 37 times
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: String function: 0044F23E appears 44 times
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: String function: 00428520 appears 51 times
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: String function: 004547A0 appears 31 times
PE file contains strange resources
Source: 0qlnWcmhSC.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 0qlnWcmhSC.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 0qlnWcmhSC.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 0qlnWcmhSC.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 0qlnWcmhSC.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 0qlnWcmhSC.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 0qlnWcmhSC.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 0qlnWcmhSC.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 0qlnWcmhSC.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0qlnWcmhSC.exe.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0qlnWcmhSC.exe Virustotal: Detection: 53%
Source: 0qlnWcmhSC.exe ReversingLabs: Detection: 56%
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe File read: C:\Users\user\Desktop\0qlnWcmhSC.exe Jump to behavior
Source: 0qlnWcmhSC.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\0qlnWcmhSC.exe "C:\Users\user\Desktop\0qlnWcmhSC.exe"
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Process created: C:\Users\user\Desktop\0qlnWcmhSC.exe "C:\Users\user\Desktop\0qlnWcmhSC.exe"
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\a728bb78-6259-4af3-b6ac-e10b42e567f7" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Process created: C:\Users\user\Desktop\0qlnWcmhSC.exe "C:\Users\user\Desktop\0qlnWcmhSC.exe" --Admin IsNotAutoStart IsNotTask
Source: unknown Process created: C:\Users\user\AppData\Local\a728bb78-6259-4af3-b6ac-e10b42e567f7\0qlnWcmhSC.exe C:\Users\user\AppData\Local\a728bb78-6259-4af3-b6ac-e10b42e567f7\0qlnWcmhSC.exe --Task
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Process created: C:\Users\user\Desktop\0qlnWcmhSC.exe "C:\Users\user\Desktop\0qlnWcmhSC.exe" --Admin IsNotAutoStart IsNotTask
Source: unknown Process created: C:\Users\user\AppData\Local\a728bb78-6259-4af3-b6ac-e10b42e567f7\0qlnWcmhSC.exe "C:\Users\user\AppData\Local\a728bb78-6259-4af3-b6ac-e10b42e567f7\0qlnWcmhSC.exe" --AutoStart
Source: C:\Users\user\AppData\Local\a728bb78-6259-4af3-b6ac-e10b42e567f7\0qlnWcmhSC.exe Process created: C:\Users\user\AppData\Local\a728bb78-6259-4af3-b6ac-e10b42e567f7\0qlnWcmhSC.exe C:\Users\user\AppData\Local\a728bb78-6259-4af3-b6ac-e10b42e567f7\0qlnWcmhSC.exe --Task
Source: C:\Users\user\AppData\Local\a728bb78-6259-4af3-b6ac-e10b42e567f7\0qlnWcmhSC.exe Process created: C:\Users\user\AppData\Local\a728bb78-6259-4af3-b6ac-e10b42e567f7\0qlnWcmhSC.exe "C:\Users\user\AppData\Local\a728bb78-6259-4af3-b6ac-e10b42e567f7\0qlnWcmhSC.exe" --AutoStart
Source: unknown Process created: C:\Users\user\AppData\Local\a728bb78-6259-4af3-b6ac-e10b42e567f7\0qlnWcmhSC.exe "C:\Users\user\AppData\Local\a728bb78-6259-4af3-b6ac-e10b42e567f7\0qlnWcmhSC.exe" --AutoStart
Source: C:\Users\user\AppData\Local\a728bb78-6259-4af3-b6ac-e10b42e567f7\0qlnWcmhSC.exe Process created: C:\Users\user\AppData\Local\a728bb78-6259-4af3-b6ac-e10b42e567f7\0qlnWcmhSC.exe "C:\Users\user\AppData\Local\a728bb78-6259-4af3-b6ac-e10b42e567f7\0qlnWcmhSC.exe" --AutoStart
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Process created: C:\Users\user\Desktop\0qlnWcmhSC.exe "C:\Users\user\Desktop\0qlnWcmhSC.exe" Jump to behavior
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\a728bb78-6259-4af3-b6ac-e10b42e567f7" /deny *S-1-1-0:(OI)(CI)(DE,DC) Jump to behavior
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Process created: C:\Users\user\Desktop\0qlnWcmhSC.exe "C:\Users\user\Desktop\0qlnWcmhSC.exe" --Admin IsNotAutoStart IsNotTask Jump to behavior
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Process created: C:\Users\user\Desktop\0qlnWcmhSC.exe "C:\Users\user\Desktop\0qlnWcmhSC.exe" --Admin IsNotAutoStart IsNotTask Jump to behavior
Source: C:\Users\user\AppData\Local\a728bb78-6259-4af3-b6ac-e10b42e567f7\0qlnWcmhSC.exe Process created: C:\Users\user\AppData\Local\a728bb78-6259-4af3-b6ac-e10b42e567f7\0qlnWcmhSC.exe C:\Users\user\AppData\Local\a728bb78-6259-4af3-b6ac-e10b42e567f7\0qlnWcmhSC.exe --Task Jump to behavior
Source: C:\Users\user\AppData\Local\a728bb78-6259-4af3-b6ac-e10b42e567f7\0qlnWcmhSC.exe Process created: C:\Users\user\AppData\Local\a728bb78-6259-4af3-b6ac-e10b42e567f7\0qlnWcmhSC.exe "C:\Users\user\AppData\Local\a728bb78-6259-4af3-b6ac-e10b42e567f7\0qlnWcmhSC.exe" --AutoStart Jump to behavior
Source: C:\Users\user\AppData\Local\a728bb78-6259-4af3-b6ac-e10b42e567f7\0qlnWcmhSC.exe Process created: C:\Users\user\AppData\Local\a728bb78-6259-4af3-b6ac-e10b42e567f7\0qlnWcmhSC.exe "C:\Users\user\AppData\Local\a728bb78-6259-4af3-b6ac-e10b42e567f7\0qlnWcmhSC.exe" --AutoStart Jump to behavior
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\geo[1].json Jump to behavior
Source: classification engine Classification label: mal100.rans.troj.evad.winEXE@18/3@5/2
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: 1_2_0040D240 CoInitialize,CoInitializeSecurity,CoCreateInstance,VariantInit,VariantInit,VariantInit,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,CoUninitialize,CoUninitialize,CoUninitialize,__time64,_wcsftime,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,swprintf,CoUninitialize,CoUninitialize, 1_2_0040D240
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: 1_2_00411900 GetLastError,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,_memset,lstrcpynW,MessageBoxW,LocalFree,LocalFree,LocalFree, 1_2_00411900
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: 0_2_041907C6 CreateToolhelp32Snapshot,Module32First, 0_2_041907C6
Source: 0qlnWcmhSC.exe String found in binary or memory: set-addPolicy
Source: 0qlnWcmhSC.exe String found in binary or memory: id-cmc-addExtensions
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\a728bb78-6259-4af3-b6ac-e10b42e567f7\0qlnWcmhSC.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\a728bb78-6259-4af3-b6ac-e10b42e567f7\0qlnWcmhSC.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\a728bb78-6259-4af3-b6ac-e10b42e567f7\0qlnWcmhSC.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\a728bb78-6259-4af3-b6ac-e10b42e567f7\0qlnWcmhSC.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\a728bb78-6259-4af3-b6ac-e10b42e567f7\0qlnWcmhSC.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\a728bb78-6259-4af3-b6ac-e10b42e567f7\0qlnWcmhSC.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: 0qlnWcmhSC.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: 0qlnWcmhSC.exe, 0qlnWcmhSC.exe, 00000001.00000000.253006362.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000001.00000002.260647827.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000001.00000000.250322502.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000005.00000002.283839825.0000000004320000.00000040.00001000.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000006.00000002.327195774.00000000042C0000.00000040.00001000.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000008.00000000.280029578.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000008.00000002.286929685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000008.00000000.278990352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000009.00000002.305843208.00000000042F0000.00000040.00001000.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 0000000A.00000000.319421336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 0000000A.00000000.316973990.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 0000000A.00000002.329549593.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 0000000D.00000000.301047779.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 0000000D.00000000.297986626.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 0000000D.00000002.315111035.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000014.00000002.327894580.0000000004290000.00000040.00001000.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000015.00000000.323385297.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000015.00000000.322747797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000015.00000002.332044267.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: C:\moxutohoxani.pdb source: 0qlnWcmhSC.exe, 0qlnWcmhSC.exe.1.dr
Source: Binary string: _C:\moxutohoxani.pdb` source: 0qlnWcmhSC.exe, 0qlnWcmhSC.exe.1.dr
Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: 0qlnWcmhSC.exe, 00000000.00000002.255350583.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000001.00000000.253006362.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000001.00000002.260647827.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000001.00000000.250322502.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000005.00000002.283839825.0000000004320000.00000040.00001000.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000006.00000002.327195774.00000000042C0000.00000040.00001000.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000008.00000000.280029578.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000008.00000002.286929685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000008.00000000.278990352.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000009.00000002.305843208.00000000042F0000.00000040.00001000.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 0000000A.00000000.319421336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 0000000A.00000000.316973990.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 0000000A.00000002.329549593.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 0000000D.00000000.301047779.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 0000000D.00000000.297986626.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 0000000D.00000002.315111035.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000014.00000002.327894580.0000000004290000.00000040.00001000.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000015.00000000.323385297.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000015.00000000.322747797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0qlnWcmhSC.exe, 00000015.00000002.332044267.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: 0_2_041930AF push ecx; retf 0_2_041930B2
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: 1_2_00428565 push ecx; ret 1_2_00428578
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: 1_2_00412220 GetCommandLineW,CommandLineToArgvW,PathFindFileNameW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,K32EnumProcesses,OpenProcess,K32EnumProcessModules,K32GetModuleBaseNameW,CloseHandle, 1_2_00412220
Source: initial sample Static PE information: section name: .text entropy: 7.945325516115354
Source: initial sample Static PE information: section name: .text entropy: 7.945325516115354
Drops PE files
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe File created: C:\Users\user\AppData\Local\a728bb78-6259-4af3-b6ac-e10b42e567f7\0qlnWcmhSC.exe Jump to dropped file
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run SysHelper Jump to behavior
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run SysHelper Jump to behavior
Uses cacls to modify the permissions of files
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\a728bb78-6259-4af3-b6ac-e10b42e567f7" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: 0_2_0419171C rdtsc 0_2_0419171C
Contains functionality to query network adapater information
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: _malloc,_malloc,_wprintf,_free,GetAdaptersInfo,_free,_malloc,GetAdaptersInfo,_sprintf,_wprintf,_wprintf,_free, 1_2_0040E670
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: 1_2_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose, 1_2_00410160
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: 1_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose, 1_2_0040F730
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe API call chain: ExitProcess graph end node
Source: 0qlnWcmhSC.exe, 00000001.00000002.260892722.000000000071D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: 1_2_00424168 _memset,IsDebuggerPresent, 1_2_00424168
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: 1_2_0042A57A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 1_2_0042A57A
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: 1_2_00412220 GetCommandLineW,CommandLineToArgvW,PathFindFileNameW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,K32EnumProcesses,OpenProcess,K32EnumProcessModules,K32GetModuleBaseNameW,CloseHandle, 1_2_00412220
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: 1_2_00447CAC __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 1_2_00447CAC
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: 0_2_0419171C rdtsc 0_2_0419171C
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: 0_2_041900A3 push dword ptr fs:[00000030h] 0_2_041900A3
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: 1_2_004329EC SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_004329EC
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: 1_2_004329BB SetUnhandledExceptionFilter, 1_2_004329BB

HIPS / PFW / Operating System Protection Evasion
barindex
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Memory written: C:\Users\user\Desktop\0qlnWcmhSC.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Memory written: C:\Users\user\Desktop\0qlnWcmhSC.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Local\a728bb78-6259-4af3-b6ac-e10b42e567f7\0qlnWcmhSC.exe Memory written: C:\Users\user\AppData\Local\a728bb78-6259-4af3-b6ac-e10b42e567f7\0qlnWcmhSC.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Local\a728bb78-6259-4af3-b6ac-e10b42e567f7\0qlnWcmhSC.exe Memory written: C:\Users\user\AppData\Local\a728bb78-6259-4af3-b6ac-e10b42e567f7\0qlnWcmhSC.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Local\a728bb78-6259-4af3-b6ac-e10b42e567f7\0qlnWcmhSC.exe Memory written: C:\Users\user\AppData\Local\a728bb78-6259-4af3-b6ac-e10b42e567f7\0qlnWcmhSC.exe base: 400000 value starts with: 4D5A Jump to behavior
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: 1_2_00419F90 GetCurrentProcess,GetLastError,GetLastError,SetPriorityClass,GetLastError,GetModuleFileNameW,PathRemoveFileSpecW,GetCommandLineW,CommandLineToArgvW,lstrcpyW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcpyW,lstrcmpW,lstrcmpW,GlobalFree,lstrcpyW,lstrcpyW,OpenProcess,WaitForSingleObject,CloseHandle,Sleep,GlobalFree,GetCurrentProcess,GetExitCodeProcess,TerminateProcess,CloseHandle,lstrcatW,GetVersion,lstrcpyW,lstrcatW,lstrcatW,_memset,ShellExecuteExW,CreateThread,lstrlenA,lstrcatW,_malloc,lstrcatW,_memset,lstrcatW,MultiByteToWideChar,lstrcatW,lstrlenW,CreateThread,WaitForSingleObject,CreateMutexA,CreateMutexA,lstrlenA,lstrcpyA,_memmove,_memmove,_memmove,GetUserNameW,GetMessageW,GetMessageW,DispatchMessageW,TranslateMessage,TranslateMessage,DispatchMessageW,GetMessageW,PostThreadMessageW,PeekMessageW,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,CloseHandle, 1_2_00419F90
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Process created: C:\Users\user\Desktop\0qlnWcmhSC.exe "C:\Users\user\Desktop\0qlnWcmhSC.exe" Jump to behavior
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Process created: C:\Users\user\Desktop\0qlnWcmhSC.exe "C:\Users\user\Desktop\0qlnWcmhSC.exe" --Admin IsNotAutoStart IsNotTask Jump to behavior
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Process created: C:\Users\user\Desktop\0qlnWcmhSC.exe "C:\Users\user\Desktop\0qlnWcmhSC.exe" --Admin IsNotAutoStart IsNotTask Jump to behavior
Source: C:\Users\user\AppData\Local\a728bb78-6259-4af3-b6ac-e10b42e567f7\0qlnWcmhSC.exe Process created: C:\Users\user\AppData\Local\a728bb78-6259-4af3-b6ac-e10b42e567f7\0qlnWcmhSC.exe C:\Users\user\AppData\Local\a728bb78-6259-4af3-b6ac-e10b42e567f7\0qlnWcmhSC.exe --Task Jump to behavior
Source: C:\Users\user\AppData\Local\a728bb78-6259-4af3-b6ac-e10b42e567f7\0qlnWcmhSC.exe Process created: C:\Users\user\AppData\Local\a728bb78-6259-4af3-b6ac-e10b42e567f7\0qlnWcmhSC.exe "C:\Users\user\AppData\Local\a728bb78-6259-4af3-b6ac-e10b42e567f7\0qlnWcmhSC.exe" --AutoStart Jump to behavior
Source: C:\Users\user\AppData\Local\a728bb78-6259-4af3-b6ac-e10b42e567f7\0qlnWcmhSC.exe Process created: C:\Users\user\AppData\Local\a728bb78-6259-4af3-b6ac-e10b42e567f7\0qlnWcmhSC.exe "C:\Users\user\AppData\Local\a728bb78-6259-4af3-b6ac-e10b42e567f7\0qlnWcmhSC.exe" --AutoStart Jump to behavior
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_free,_free,_free,_free,_free,_free,_free,_free,_free, 1_2_0043404A
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage, 1_2_00438178
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 1_2_00440116
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP, 1_2_004382A2
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: GetLocaleInfoW,_GetPrimaryLen, 1_2_0043834F
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s, 1_2_00438423
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 1_2_004335E7
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: EnumSystemLocalesW, 1_2_004387C8
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: GetLocaleInfoW, 1_2_0043884E
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free, 1_2_00432B6D
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW, 1_2_00437BB3
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: EnumSystemLocalesW, 1_2_00437E27
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 1_2_00437E83
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 1_2_00437F00
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson, 1_2_0042BF17
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage, 1_2_00437F83
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free, 1_2_00432FAD
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: 1_2_00427756 cpuid 1_2_00427756
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: 0_2_0049EBFB GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_0049EBFB
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: 1_2_0042FE47 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 1_2_0042FE47
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: 1_2_00419F90 GetCurrentProcess,GetLastError,GetLastError,SetPriorityClass,GetLastError,GetModuleFileNameW,PathRemoveFileSpecW,GetCommandLineW,CommandLineToArgvW,lstrcpyW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcpyW,lstrcmpW,lstrcmpW,GlobalFree,lstrcpyW,lstrcpyW,OpenProcess,WaitForSingleObject,CloseHandle,Sleep,GlobalFree,GetCurrentProcess,GetExitCodeProcess,TerminateProcess,CloseHandle,lstrcatW,GetVersion,lstrcpyW,lstrcatW,lstrcatW,_memset,ShellExecuteExW,CreateThread,lstrlenA,lstrcatW,_malloc,lstrcatW,_memset,lstrcatW,MultiByteToWideChar,lstrcatW,lstrlenW,CreateThread,WaitForSingleObject,CreateMutexA,CreateMutexA,lstrlenA,lstrcpyA,_memmove,_memmove,_memmove,GetUserNameW,GetMessageW,GetMessageW,DispatchMessageW,TranslateMessage,TranslateMessage,DispatchMessageW,GetMessageW,PostThreadMessageW,PeekMessageW,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,CloseHandle, 1_2_00419F90
Source: C:\Users\user\Desktop\0qlnWcmhSC.exe Code function: 1_2_00419F90 GetCurrentProcess,GetLastError,GetLastError,SetPriorityClass,GetLastError,GetModuleFileNameW,PathRemoveFileSpecW,GetCommandLineW,CommandLineToArgvW,lstrcpyW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcpyW,lstrcmpW,lstrcmpW,GlobalFree,lstrcpyW,lstrcpyW,OpenProcess,WaitForSingleObject,CloseHandle,Sleep,GlobalFree,GetCurrentProcess,GetExitCodeProcess,TerminateProcess,CloseHandle,lstrcatW,GetVersion,lstrcpyW,lstrcatW,lstrcatW,_memset,ShellExecuteExW,CreateThread,lstrlenA,lstrcatW,_malloc,lstrcatW,_memset,lstrcatW,MultiByteToWideChar,lstrcatW,lstrlenW,CreateThread,WaitForSingleObject,CreateMutexA,CreateMutexA,lstrlenA,lstrcpyA,_memmove,_memmove,_memmove,GetUserNameW,GetMessageW,GetMessageW,DispatchMessageW,TranslateMessage,TranslateMessage,DispatchMessageW,GetMessageW,PostThreadMessageW,PeekMessageW,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,CloseHandle, 1_2_00419F90
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 679111 Sample: 0qlnWcmhSC.exe Startdate: 05/08/2022 Architecture: WINDOWS Score: 100 45 Multi AV Scanner detection for domain / URL 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 Antivirus detection for URL or domain 2->49 51 4 other signatures 2->51 8 0qlnWcmhSC.exe 2->8         started        11 0qlnWcmhSC.exe 2->11         started        13 0qlnWcmhSC.exe 2->13         started        15 0qlnWcmhSC.exe 2->15         started        process3 signatures4 53 Injects a PE file into a foreign processes 8->53 17 0qlnWcmhSC.exe 1 17 8->17         started        55 Multi AV Scanner detection for dropped file 11->55 57 Machine Learning detection for dropped file 11->57 21 0qlnWcmhSC.exe 13 11->21         started        23 0qlnWcmhSC.exe 13 13->23         started        25 0qlnWcmhSC.exe 13 15->25         started        process5 dnsIp6 43 api.2ip.ua 162.0.217.254, 443, 49756, 49757 ACPCA Canada 17->43 35 C:\Users\user\AppData\...\0qlnWcmhSC.exe, PE32 17->35 dropped 37 C:\Users\...\0qlnWcmhSC.exe:Zone.Identifier, ASCII 17->37 dropped 27 0qlnWcmhSC.exe 17->27         started        30 icacls.exe 17->30         started        file7 process8 signatures9 59 Injects a PE file into a foreign processes 27->59 32 0qlnWcmhSC.exe 13 27->32         started        process10 dnsIp11 39 192.168.2.1 unknown unknown 32->39 41 api.2ip.ua 32->41
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
162.0.217.254
 api.2ip.ua Canada
35893 ACPCA false

Private

IP
192.168.2.1

Contacted Domains

Name IP Active
api.2ip.ua 162.0.217.254 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://acacaca.org/test2/get.php true
  • 18%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown
https://api.2ip.ua/geo.json false
    		high