
Windows Analysis Report
bP5g4FsSJk.exe

Overview

General Information

Sample Name: bP5g4FsSJk.exe
Analysis ID: 679166
MD5: 28fb096cbce32cf1f87719254452014f
SHA1: 50ceaddc379e1376a579e4c9d4465fd3c734c277
SHA256: 1918cc07f0b41a9e9dc18e715e5862a68ca49d61fdad7d76126953629c05be98
Tags: exe, Stop

Detection

Djvu
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Djvu Ransomware
Antivirus detection for URL or domain
Machine Learning detection for sample
Injects a PE file into a foreign processes
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
PE file contains strange resources
Contains functionality to read the PEB
Contains functionality to launch a program with higher privileges
Found evaded block containing many API calls
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to query network adapter information
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • bP5g4FsSJk.exe (PID: 5468 cmdline: "C:\Users\user\Desktop\bP5g4FsSJk.exe" MD5: 28FB096CBCE32CF1F87719254452014F)
    • bP5g4FsSJk.exe (PID: 5604 cmdline: "C:\Users\user\Desktop\bP5g4FsSJk.exe" MD5: 28FB096CBCE32CF1F87719254452014F)
  • cleanup
{"Download URLs": ["http://rgyui.top/dl/build2.exe", "http://acacaca.org/files/1/build3.exe"], "C2 url": "http://acacaca.org/test2/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nYou can get and look video overview decrypt tool:\r\nhttps://we.tl/t-QsoSRIeAK6\r\nPrice of private key and decrypt software is $980.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $490.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@bestyourmail.ch\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelp@airmail.cc\r\n\r\nYour personal ID:\r\n0531Jhyjd", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", 
"C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local\\", "F:\\Windows\\", "F:\\PerfLogs\\", "F:\\ProgramData\\Desktop\\", "F:\\ProgramData\\Microsoft\\", "F:\\Users\\Public\\", "F:\\$Recycle.Bin\\", "F:\\$WINDOWS.~BT\\", "F:\\dell\\", "F:\\Intel\\"], "Public Key": "-----BEGIN PUBLIC KEY-----\\\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwX6oUNb4mk19lyNBxK80\\\\nWDzdQgJ9XMg2LdYk3Hm0F0zP2rWDuKVpyAbosbOzGKbJOkVa\\/1XbytFAm8RYfkB\\/\\\\nnfEgGh5OGcw\\/CcqqOL3R4Vpd7slLVXc56FLkTWEMSShzg1sNxgIiQm8VcaXOgUk8\\\\ntvWKcUIV9ujXmn5UBSy\\/ICDPveI3QCaxZod7kIBwZzszO\\/3CvNwAy3eejgJ6j8ie\\\\nmwJ9pjskzLjmq92yhDGUQygWfGw0tL1KtSiqUy2M7KNdmD4FX1aVeutZC9bggvn8\\\\nV4ksJChvMxI521ms58donyKjwBAbKXBfVRaXUV2k34bI0NQqhLz5OeGIRhn67oe+\\\\njwIDAQAB\\\\n-----END PUBLIC KEY-----"}
Source | Rule | Description | Author | Strings
00000001.00000000.271002067.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Ransomware_Stop_1e8d48ff | unknown | unknown
  • 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000000.00000002.278389009.0000000004235000.00000040.00000800.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
  • 0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000001.00000000.272056178.0000000000400000.00000040.00000400.00020000.00000000.sdmp | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0xe23ea:$s1: http://
  • 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF
  • 0xe23ea:$f1: http://
00000001.00000000.272056178.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security
00000001.00000000.272056178.0000000000400000.00000040.00000400.00020000.00000000.sdmp | MALWARE_Win_STOP | Detects STOP ransomware | ditekSHen
  • 0xffe88:$x1: C:\SystemID\PersonalID.txt
  • 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC)
  • 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\
  • 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\
  • 0x1002ec:$s1: " --AutoStart
  • 0x100300:$s1: " --AutoStart
  • 0x103f48:$s2: --ForNetRes
  • 0x103f10:$s3: --Admin
  • 0x104390:$s4: %username%
  • 0x1044b4:$s5: ?pid=
  • 0x1044c0:$s6: &first=true
  • 0x1044d8:$s6: &first=false
  • 0x1003f4:$s7: delself.bat
  • 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
  • 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
  • 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

Source | Rule | Description | Author | Strings
1.0.bP5g4FsSJk.exe.400000.2.unpack | Windows_Ransomware_Stop_1e8d48ff | unknown | unknown
  • 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
1.0.bP5g4FsSJk.exe.400000.0.unpack | Windows_Ransomware_Stop_1e8d48ff | unknown | unknown
  • 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
1.0.bP5g4FsSJk.exe.400000.3.unpack | Windows_Ransomware_Stop_1e8d48ff | unknown | unknown
  • 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
1.0.bP5g4FsSJk.exe.400000.1.unpack | Windows_Ransomware_Stop_1e8d48ff | unknown | unknown
  • 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
1.0.bP5g4FsSJk.exe.400000.5.raw.unpack | Windows_Ransomware_Stop_1e8d48ff | unknown | unknown
  • 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF

No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: bP5g4FsSJk.exe | ReversingLabs: Detection: 52%
Source: http://acacaca.org/test2/get.php | Avira URL Cloud: Label: malware
Source: bP5g4FsSJk.exe | Joe Sandbox ML: detected
Source: 1.0.bP5g4FsSJk.exe.400000.8.unpack | Malware Configuration Extractor: Djvu (the extracted configuration is listed in full above)
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: 1_2_0040E870 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: 1_2_0040EAA0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: 1_2_00410FC0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,lstrlenA,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,CryptGetHashParam,_malloc,CryptGetHashParam,_memset,_sprintf,lstrcatA,CryptDestroyHash,CryptReleaseContext,
Source: bP5g4FsSJk.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49737 version: TLS 1.2
Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb | source: bP5g4FsSJk.exe, bP5g4FsSJk.exe, 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bP5g4FsSJk.exe, 00000001.00000000.273505881.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bP5g4FsSJk.exe, 00000001.00000000.272056178.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: 9IC:\nedunesa\gihex\gakubeki53_gaboru\lulod mamere\hexumax.pdb` | source: bP5g4FsSJk.exe
Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI | source: bP5g4FsSJk.exe, 00000000.00000002.278746171.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, bP5g4FsSJk.exe, 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bP5g4FsSJk.exe, 00000001.00000000.273505881.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bP5g4FsSJk.exe, 00000001.00000000.272056178.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: C:\nedunesa\gihex\gakubeki53_gaboru\lulod mamere\hexumax.pdb | source: bP5g4FsSJk.exe
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: 1_2_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: 1_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,

Networking

Source: Malware configuration extractor | URLs: http://acacaca.org/test2/get.php
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Joe Sandbox View | IP Address: 162.0.217.254
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
Source: bP5g4FsSJk.exe, 00000001.00000003.278926665.000000000093D000.00000004.00000020.00020000.00000000.sdmp, bP5g4FsSJk.exe, 00000001.00000003.278864310.000000000093D000.00000004.00000020.00020000.00000000.sdmp, bP5g4FsSJk.exe, 00000001.00000002.287027145.000000000093D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: bP5g4FsSJk.exe, 00000000.00000002.278746171.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, bP5g4FsSJk.exe, 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bP5g4FsSJk.exe, 00000001.00000000.273505881.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bP5g4FsSJk.exe, 00000001.00000000.272056178.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error
Source: bP5g4FsSJk.exe, 00000001.00000000.272056178.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://www.openssl.org/support/faq.html
Source: bP5g4FsSJk.exe, 00000001.00000002.286817281.000000000090D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.2ip.ua/
Source: bP5g4FsSJk.exe, 00000001.00000002.286817281.000000000090D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.2ip.ua/Y%
Source: bP5g4FsSJk.exe, 00000001.00000002.286593471.00000000008EF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.2ip.ua/geo.json
Source: bP5g4FsSJk.exe, 00000001.00000002.286414138.00000000008C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.2ip.ua/geo.json6
Source: bP5g4FsSJk.exe, 00000001.00000002.286593471.00000000008EF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.2ip.ua/geo.jsonY
Source: bP5g4FsSJk.exe, 00000001.00000002.286593471.00000000008EF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.2ip.ua/geo.jsong
Source: bP5g4FsSJk.exe, 00000001.00000002.286414138.00000000008C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.2ip.ua/geo.jsons
Source: bP5g4FsSJk.exe, 00000001.00000002.286414138.00000000008C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.2ip.ua/geo.jsont
Source: unknown | DNS traffic detected: queries for: api.2ip.ua
Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: 1_2_0040CF10 _memset,InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,
Source: global traffic | HTTP traffic detected: GET /geo.json HTTP/1.1; User-Agent: Microsoft Internet Explorer; Host: api.2ip.ua
Source: unknown | HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49737 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match | File source: 1.0.bP5g4FsSJk.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.bP5g4FsSJk.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.bP5g4FsSJk.exe.42d15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.bP5g4FsSJk.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.bP5g4FsSJk.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.bP5g4FsSJk.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.bP5g4FsSJk.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.bP5g4FsSJk.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.bP5g4FsSJk.exe.42d15a0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.bP5g4FsSJk.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.bP5g4FsSJk.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.bP5g4FsSJk.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.bP5g4FsSJk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.bP5g4FsSJk.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.bP5g4FsSJk.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.bP5g4FsSJk.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000000.272056178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.275253694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.273505881.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.272842398.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.278746171.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.274561888.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: bP5g4FsSJk.exe PID: 5468, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: bP5g4FsSJk.exe PID: 5604, type: MEMORYSTR

System Summary

Source: 1.0.bP5g4FsSJk.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.bP5g4FsSJk.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.bP5g4FsSJk.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.bP5g4FsSJk.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.bP5g4FsSJk.exe.400000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.bP5g4FsSJk.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.bP5g4FsSJk.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.2.bP5g4FsSJk.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.2.bP5g4FsSJk.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0.2.bP5g4FsSJk.exe.42d15a0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0.2.bP5g4FsSJk.exe.42d15a0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.bP5g4FsSJk.exe.400000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.bP5g4FsSJk.exe.400000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.bP5g4FsSJk.exe.400000.9.unpack, type: UNPACKEDPE | Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.bP5g4FsSJk.exe.400000.9.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.bP5g4FsSJk.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.bP5g4FsSJk.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.bP5g4FsSJk.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.bP5g4FsSJk.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.bP5g4FsSJk.exe.400000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.bP5g4FsSJk.exe.400000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0.2.bP5g4FsSJk.exe.42d15a0.1.unpack, type: UNPACKEDPE | Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0.2.bP5g4FsSJk.exe.42d15a0.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.bP5g4FsSJk.exe.400000.7.unpack, type: UNPACKEDPE | Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.bP5g4FsSJk.exe.400000.7.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.bP5g4FsSJk.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.bP5g4FsSJk.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.bP5g4FsSJk.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.bP5g4FsSJk.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.2.bP5g4FsSJk.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.2.bP5g4FsSJk.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.bP5g4FsSJk.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.bP5g4FsSJk.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.bP5g4FsSJk.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.bP5g4FsSJk.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.bP5g4FsSJk.exe.400000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.bP5g4FsSJk.exe.400000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000001.00000000.271002067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000000.00000002.278389009.0000000004235000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000001.00000000.272056178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000001.00000000.272056178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000001.00000000.275253694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000001.00000000.275253694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000001.00000000.273505881.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000001.00000000.273505881.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000001.00000000.272842398.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000001.00000000.272842398.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000000.00000002.278746171.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000001.00000000.274561888.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000001.00000000.274561888.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: bP5g4FsSJk.exe PID: 5468, type: MEMORYSTR | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: bP5g4FsSJk.exe PID: 5604, type: MEMORYSTR | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: bP5g4FsSJk.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 1.0.bP5g4FsSJk.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.bP5g4FsSJk.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.bP5g4FsSJk.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.bP5g4FsSJk.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.bP5g4FsSJk.exe.400000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.bP5g4FsSJk.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 1.0.bP5g4FsSJk.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.bP5g4FsSJk.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.2.bP5g4FsSJk.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 1.2.bP5g4FsSJk.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.2.bP5g4FsSJk.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0.2.bP5g4FsSJk.exe.42d15a0.1.raw.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 0.2.bP5g4FsSJk.exe.42d15a0.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
    Source: 0.2.bP5g4FsSJk.exe.42d15a0.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
    Source: 1.0.bP5g4FsSJk.exe.400000.10.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
    Source: 1.0.bP5g4FsSJk.exe.400000.10.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
    Source: 1.0.bP5g4FsSJk.exe.400000.10.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
    Source: 1.0.bP5g4FsSJk.exe.400000.9.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
    Source: 1.0.bP5g4FsSJk.exe.400000.9.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
    Source: 1.0.bP5g4FsSJk.exe.400000.9.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
    Source: 1.0.bP5g4FsSJk.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
    Source: 1.0.bP5g4FsSJk.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
    Source: 1.0.bP5g4FsSJk.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
    Source: 1.0.bP5g4FsSJk.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
    Source: 1.0.bP5g4FsSJk.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
    Source: 1.0.bP5g4FsSJk.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
    Source: 1.0.bP5g4FsSJk.exe.400000.7.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
    Source: 1.0.bP5g4FsSJk.exe.400000.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
    Source: 1.0.bP5g4FsSJk.exe.400000.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
    Source: 0.2.bP5g4FsSJk.exe.42d15a0.1.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
    Source: 0.2.bP5g4FsSJk.exe.42d15a0.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
    Source: 0.2.bP5g4FsSJk.exe.42d15a0.1.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
    Source: 1.0.bP5g4FsSJk.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
    Source: 1.0.bP5g4FsSJk.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
    Source: 1.0.bP5g4FsSJk.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
    Source: 1.0.bP5g4FsSJk.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
    Source: 1.0.bP5g4FsSJk.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
    Source: 1.0.bP5g4FsSJk.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
    Source: 1.0.bP5g4FsSJk.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
    Source: 1.0.bP5g4FsSJk.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
    Source: 1.0.bP5g4FsSJk.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
    Source: 1.2.bP5g4FsSJk.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
    Source: 1.2.bP5g4FsSJk.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
    Source: 1.2.bP5g4FsSJk.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
    Source: 1.0.bP5g4FsSJk.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
    Source: 1.0.bP5g4FsSJk.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
    Source: 1.0.bP5g4FsSJk.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
    Source: 1.0.bP5g4FsSJk.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
    Source: 1.0.bP5g4FsSJk.exe.400000.9.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
    Source: 1.0.bP5g4FsSJk.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
    Source: 1.0.bP5g4FsSJk.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
    Source: 1.0.bP5g4FsSJk.exe.400000.9.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
    Source: 1.0.bP5g4FsSJk.exe.400000.9.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
    Source: 00000001.00000000.271002067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
    Source: 00000000.00000002.278389009.0000000004235000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
    Source: 00000001.00000000.272056178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
    Source: 00000001.00000000.272056178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
    Source: 00000001.00000000.272056178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
    Source: 00000001.00000000.275253694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
    Source: 00000001.00000000.275253694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
    Source: 00000001.00000000.275253694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
    Source: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
    Source: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
    Source: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
    Source: 00000001.00000000.273505881.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
    Source: 00000001.00000000.273505881.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
    Source: 00000001.00000000.273505881.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
    Source: 00000001.00000000.272842398.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
    Source: 00000001.00000000.272842398.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
    Source: 00000001.00000000.272842398.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
    Source: 00000000.00000002.278746171.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
    Source: 00000001.00000000.274561888.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
    Source: 00000001.00000000.274561888.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
    Source: 00000001.00000000.274561888.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
    Source: Process Memory Space: bP5g4FsSJk.exe PID: 5468, type: MEMORYSTRMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
    Source: Process Memory Space: bP5g4FsSJk.exe PID: 5604, type: MEMORYSTRMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: 1_2_00419F90
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: 1_2_0040C070
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: 1_2_0042E003
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: 1_2_0042F010
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: 1_2_00410160
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: 1_2_0040D240
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: 1_2_0044237E
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: 1_2_004344FF
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: 1_2_00449506
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: 1_2_0043E5A3
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: 1_2_0044B5B1
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: 1_2_0040A660
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: 1_2_0041E690
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: 1_2_0040274E
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: 1_2_0040A710
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: 1_2_0040F730
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: 1_2_0044D7A1
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: 1_2_0042C804
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: 1_2_0044D9DC
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: 1_2_00449A71
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: 1_2_00443B40
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: 1_2_0044ACFF
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: 1_2_0040DD40
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: 1_2_0040BDC0
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: 1_2_0042CE51
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: 1_2_00420F30
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: 1_2_00449FE3
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: String function: 0042F7C0 appears 37 times
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: String function: 0044F23E appears 44 times
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: String function: 00428520 appears 51 times
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: String function: 004547A0 appears 31 times
    Source: bP5g4FsSJk.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: bP5g4FsSJk.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: bP5g4FsSJk.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: bP5g4FsSJk.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: bP5g4FsSJk.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: bP5g4FsSJk.exe | ReversingLabs: Detection: 52%
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: unknown | Process created: C:\Users\user\Desktop\bP5g4FsSJk.exe "C:\Users\user\Desktop\bP5g4FsSJk.exe"
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Process created: C:\Users\user\Desktop\bP5g4FsSJk.exe "C:\Users\user\Desktop\bP5g4FsSJk.exe"
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Process created: C:\Users\user\Desktop\bP5g4FsSJk.exe "C:\Users\user\Desktop\bP5g4FsSJk.exe"
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
    Source: classification engine | Classification label: mal84.rans.troj.evad.winEXE@3/0@1/1
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: 1_2_0040D240 CoInitialize,CoInitializeSecurity,CoCreateInstance,VariantInit,VariantInit,VariantInit,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,CoUninitialize,CoUninitialize,CoUninitialize,__time64,_wcsftime,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,swprintf,CoUninitialize,CoUninitialize,
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: 1_2_00411900 GetLastError,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,_memset,lstrcpynW,MessageBoxW,LocalFree,LocalFree,LocalFree,
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: 0_2_042357C6 CreateToolhelp32Snapshot,Module32First,
    Source: bP5g4FsSJk.exe | String found in binary or memory: set-addPolicy
    Source: bP5g4FsSJk.exe | String found in binary or memory: id-cmc-addExtensions
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | File read: C:\Windows\System32\drivers\etc\hosts
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | File read: C:\Windows\System32\drivers\etc\hosts
    Source: bP5g4FsSJk.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: bP5g4FsSJk.exe, bP5g4FsSJk.exe, 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bP5g4FsSJk.exe, 00000001.00000000.273505881.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bP5g4FsSJk.exe, 00000001.00000000.272056178.0000000000400000.00000040.00000400.00020000.00000000.sdmp
    Source: Binary string: 9IC:\nedunesa\gihex\gakubeki53_gaboru\lulod mamere\hexumax.pdb` source: bP5g4FsSJk.exe
    Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: bP5g4FsSJk.exe, 00000000.00000002.278746171.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, bP5g4FsSJk.exe, 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bP5g4FsSJk.exe, 00000001.00000000.273505881.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bP5g4FsSJk.exe, 00000001.00000000.272056178.0000000000400000.00000040.00000400.00020000.00000000.sdmp
    Source: Binary string: C:\nedunesa\gihex\gakubeki53_gaboru\lulod mamere\hexumax.pdb source: bP5g4FsSJk.exe
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exeCode function: 0_2_042380AF push ecx; retf
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exeCode function: 1_2_00428565 push ecx; ret
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exeCode function: 1_2_00412220 GetCommandLineW,CommandLineToArgvW,PathFindFileNameW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,K32EnumProcesses,OpenProcess,K32EnumProcessModules,K32GetModuleBaseNameW,CloseHandle,
    Source: initial sampleStatic PE information: section name: .text entropy: 7.945996199237986
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exeCode function: 0_2_0423671C rdtsc
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exeEvaded block: after key decision
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exeAPI coverage: 6.8 %
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exeCode function: _malloc,_malloc,_wprintf,_free,GetAdaptersInfo,_free,_malloc,GetAdaptersInfo,_sprintf,_wprintf,_wprintf,_free,
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exeProcess information queried: ProcessInformation
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exeCode function: 1_2_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exeCode function: 1_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exeAPI call chain: ExitProcess graph end node
    Source: bP5g4FsSJk.exe, 00000001.00000002.286856498.000000000091A000.00000004.00000020.00020000.00000000.sdmp, bP5g4FsSJk.exe, 00000001.00000002.286593471.00000000008EF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exeCode function: 1_2_00424168 _memset,IsDebuggerPresent,
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exeCode function: 1_2_0042A57A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exeCode function: 1_2_00412220 GetCommandLineW,CommandLineToArgvW,PathFindFileNameW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,K32EnumProcesses,OpenProcess,K32EnumProcessModules,K32GetModuleBaseNameW,CloseHandle,
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exeCode function: 1_2_00447CAC __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exeCode function: 0_2_0423671C rdtsc
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exeCode function: 0_2_042350A3 push dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exeCode function: 1_2_004329EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exeCode function: 1_2_004329BB SetUnhandledExceptionFilter,

    HIPS / PFW / Operating System Protection Evasion

    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Memory written: C:\Users\user\Desktop\bP5g4FsSJk.exe base: 400000 value starts with: 4D5A
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: 1_2_00419F90 GetCurrentProcess,GetLastError,GetLastError,SetPriorityClass,GetLastError,GetModuleFileNameW,PathRemoveFileSpecW,GetCommandLineW,CommandLineToArgvW,lstrcpyW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcpyW,lstrcmpW,lstrcmpW,GlobalFree,lstrcpyW,lstrcpyW,OpenProcess,WaitForSingleObject,CloseHandle,Sleep,GlobalFree,GetCurrentProcess,GetExitCodeProcess,TerminateProcess,CloseHandle,lstrcatW,GetVersion,lstrcpyW,lstrcatW,lstrcatW,_memset,ShellExecuteExW,CreateThread,lstrlenA,lstrcatW,_malloc,lstrcatW,_memset,lstrcatW,MultiByteToWideChar,lstrcatW,lstrlenW,CreateThread,WaitForSingleObject,CreateMutexA,CreateMutexA,lstrlenA,lstrcpyA,_memmove,_memmove,_memmove,GetUserNameW,GetMessageW,GetMessageW,DispatchMessageW,TranslateMessage,TranslateMessage,DispatchMessageW,GetMessageW,PostThreadMessageW,PeekMessageW,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,CloseHandle,
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Process created: C:\Users\user\Desktop\bP5g4FsSJk.exe "C:\Users\user\Desktop\bP5g4FsSJk.exe"
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_free,_free,_free,_free,_free,_free,_free,_free,_free,
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: GetLocaleInfoW,_GetPrimaryLen,
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: EnumSystemLocalesW,
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: GetLocaleInfoW,
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free,
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: EnumSystemLocalesW,
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: _GetPrimaryLen,EnumSystemLocalesW,
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: _GetPrimaryLen,EnumSystemLocalesW,
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: 1_2_00427756 cpuid
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: 0_2_0049EDAB GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: 1_2_0042FE47 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: 1_2_00419F90 GetCurrentProcess,GetLastError,GetLastError,SetPriorityClass,GetLastError,GetModuleFileNameW,PathRemoveFileSpecW,GetCommandLineW,CommandLineToArgvW,lstrcpyW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcpyW,lstrcmpW,lstrcmpW,GlobalFree,lstrcpyW,lstrcpyW,OpenProcess,WaitForSingleObject,CloseHandle,Sleep,GlobalFree,GetCurrentProcess,GetExitCodeProcess,TerminateProcess,CloseHandle,lstrcatW,GetVersion,lstrcpyW,lstrcatW,lstrcatW,_memset,ShellExecuteExW,CreateThread,lstrlenA,lstrcatW,_malloc,lstrcatW,_memset,lstrcatW,MultiByteToWideChar,lstrcatW,lstrlenW,CreateThread,WaitForSingleObject,CreateMutexA,CreateMutexA,lstrlenA,lstrcpyA,_memmove,_memmove,_memmove,GetUserNameW,GetMessageW,GetMessageW,DispatchMessageW,TranslateMessage,TranslateMessage,DispatchMessageW,GetMessageW,PostThreadMessageW,PeekMessageW,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,CloseHandle,
    Source: C:\Users\user\Desktop\bP5g4FsSJk.exe | Code function: 1_2_00419F90 GetCurrentProcess,GetLastError,GetLastError,SetPriorityClass,GetLastError,GetModuleFileNameW,PathRemoveFileSpecW,GetCommandLineW,CommandLineToArgvW,lstrcpyW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcpyW,lstrcmpW,lstrcmpW,GlobalFree,lstrcpyW,lstrcpyW,OpenProcess,WaitForSingleObject,CloseHandle,Sleep,GlobalFree,GetCurrentProcess,GetExitCodeProcess,TerminateProcess,CloseHandle,lstrcatW,GetVersion,lstrcpyW,lstrcatW,lstrcatW,_memset,ShellExecuteExW,CreateThread,lstrlenA,lstrcatW,_malloc,lstrcatW,_memset,lstrcatW,MultiByteToWideChar,lstrcatW,lstrlenW,CreateThread,WaitForSingleObject,CreateMutexA,CreateMutexA,lstrlenA,lstrcpyA,_memmove,_memmove,_memmove,GetUserNameW,GetMessageW,GetMessageW,DispatchMessageW,TranslateMessage,TranslateMessage,DispatchMessageW,GetMessageW,PostThreadMessageW,PeekMessageW,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,CloseHandle,
    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid Accounts2
    Command and Scripting Interpreter
    Path Interception1
    Exploitation for Privilege Escalation
    111
    Process Injection
    OS Credential Dumping2
    System Time Discovery
    Remote Services1
    Archive Collected Data
    Exfiltration Over Other Network Medium21
    Encrypted Channel
    Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default Accounts3
    Native API
    Boot or Logon Initialization Scripts111
    Process Injection
    1
    Deobfuscate/Decode Files or Information
    LSASS Memory41
    Security Software Discovery
    Remote Desktop ProtocolData from Removable MediaExfiltration Over Bluetooth2
    Ingress Tool Transfer
    Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)3
    Obfuscated Files or Information
    Security Account Manager2
    Process Discovery
    SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration2
    Non-Application Layer Protocol
    Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)2
    Software Packing
    NTDS1
    Account Discovery
    Distributed Component Object ModelInput CaptureScheduled Transfer13
    Application Layer Protocol
    SIM Card SwapCarrier Billing Fraud
    Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA Secrets1
    System Owner/User Discovery
    SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
    Replication Through Removable MediaLaunchdRc.commonRc.commonSteganographyCached Domain Credentials1
    Remote System Discovery
    VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
    External Remote ServicesScheduled TaskStartup ItemsStartup ItemsCompile After DeliveryDCSync1
    System Network Configuration Discovery
    Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
    Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem1
    File and Directory Discovery
    Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
    Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Masquerading/etc/passwd and /etc/shadow23
    System Information Discovery
    Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
    Source | Detection | Scanner | Label | Link
    bP5g4FsSJk.exe | 53% | ReversingLabs | Win32.Trojan.Azorult
    bP5g4FsSJk.exe | 100% | Joe Sandbox ML
    No Antivirus matches
    Source | Detection | Scanner | Label | Link
    1.0.bP5g4FsSJk.exe.400000.8.unpack | 100% | Avira | HEUR/AGEN.1223627
    0.2.bP5g4FsSJk.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1229097
    1.0.bP5g4FsSJk.exe.400000.5.unpack | 100% | Avira | HEUR/AGEN.1223627
    1.0.bP5g4FsSJk.exe.400000.6.unpack | 100% | Avira | HEUR/AGEN.1223627
    1.0.bP5g4FsSJk.exe.400000.7.unpack | 100% | Avira | HEUR/AGEN.1223627
    1.0.bP5g4FsSJk.exe.400000.10.unpack | 100% | Avira | HEUR/AGEN.1223627
    1.0.bP5g4FsSJk.exe.400000.9.unpack | 100% | Avira | HEUR/AGEN.1223627
    1.2.bP5g4FsSJk.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1223627
    1.0.bP5g4FsSJk.exe.400000.4.unpack | 100% | Avira | HEUR/AGEN.1223627
    No Antivirus matches
    Source | Detection | Scanner | Label | Link
    http://acacaca.org/test2/get.php | 100% | Avira URL Cloud | malware
    http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error | 0% | Avira URL Cloud | safe
    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    api.2ip.ua | 162.0.217.254 | true | false | | high
    Name | Malicious | Antivirus Detection | Reputation
    http://acacaca.org/test2/get.php | true | Avira URL Cloud: malware | unknown
    https://api.2ip.ua/geo.json | false | | high
    Name | Source | Malicious | Antivirus Detection | Reputation
    http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error | bP5g4FsSJk.exe, 00000000.00000002.278746171.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, bP5g4FsSJk.exe, 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bP5g4FsSJk.exe, 00000001.00000000.273505881.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bP5g4FsSJk.exe, 00000001.00000000.272056178.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
    https://api.2ip.ua/geo.jsonY | bP5g4FsSJk.exe, 00000001.00000002.286593471.00000000008EF000.00000004.00000020.00020000.00000000.sdmp | false | | high
    https://api.2ip.ua/ | bP5g4FsSJk.exe, 00000001.00000002.286817281.000000000090D000.00000004.00000020.00020000.00000000.sdmp | false | | high
    https://api.2ip.ua/geo.jsont | bP5g4FsSJk.exe, 00000001.00000002.286414138.00000000008C7000.00000004.00000020.00020000.00000000.sdmp | false | | high
    https://api.2ip.ua/geo.jsong | bP5g4FsSJk.exe, 00000001.00000002.286593471.00000000008EF000.00000004.00000020.00020000.00000000.sdmp | false | | high
    https://api.2ip.ua/geo.json6 | bP5g4FsSJk.exe, 00000001.00000002.286414138.00000000008C7000.00000004.00000020.00020000.00000000.sdmp | false | | high
    http://www.openssl.org/support/faq.html | bP5g4FsSJk.exe, 00000001.00000000.272056178.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | | high
    https://api.2ip.ua/geo.jsons | bP5g4FsSJk.exe, 00000001.00000002.286414138.00000000008C7000.00000004.00000020.00020000.00000000.sdmp | false | | high
    https://api.2ip.ua/Y% | bP5g4FsSJk.exe, 00000001.00000002.286817281.000000000090D000.00000004.00000020.00020000.00000000.sdmp | false | | high
    IP | Domain | Country | ASN | ASN Name | Malicious
    162.0.217.254 | api.2ip.ua | Canada | 35893 | ACPCA | false
                        Joe Sandbox Version:35.0.0 Citrine
                        Analysis ID:679166
    Start date and time: 05/08/2022 11:11:07 (2022-08-05 11:11:07 +02:00)
                        Joe Sandbox Product:CloudBasic
                        Overall analysis duration:0h 7m 53s
                        Hypervisor based Inspection enabled:false
                        Report type:light
                        Sample file name:bP5g4FsSJk.exe
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Number of new started processes analysed:28
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • HDC enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Detection:MAL
                        Classification:mal84.rans.troj.evad.winEXE@3/0@1/1
                        EGA Information:
                        • Successful, ratio: 100%
                        HDC Information:
                        • Successful, ratio: 91.7% (good quality ratio 84.8%)
                        • Quality average: 79.9%
                        • Quality standard deviation: 30.9%
                        HCA Information:
                        • Successful, ratio: 60%
                        • Number of executed functions: 0
                        • Number of non-executed functions: 0
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Adjust boot time
                        • Enable AMSI
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                        • Excluded IPs from analysis (whitelisted): 23.211.6.115
                        • Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, fs.microsoft.com, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
    • Not all processes were analyzed, report is missing behavior information
                        • Report creation exceeded maximum time and may have missing disassembly code information.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                        • VT rate limit hit for: bP5g4FsSJk.exe
                        No simulations
                        No context
                        No context
                        No context
                        No context
                        No context
                        No created / dropped files found
                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Entropy (8bit):7.841901633749817
                        TrID:
                        • Win32 Executable (generic) a (10002005/4) 99.96%
                        • Generic Win/DOS Executable (2004/3) 0.02%
                        • DOS Executable Generic (2002/1) 0.02%
                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                        File name:bP5g4FsSJk.exe
                        File size:748032
                        MD5:28fb096cbce32cf1f87719254452014f
                        SHA1:50ceaddc379e1376a579e4c9d4465fd3c734c277
                        SHA256:1918cc07f0b41a9e9dc18e715e5862a68ca49d61fdad7d76126953629c05be98
                        SHA512:eb5468f817ca4dee892eb200e920796e175298667fc86f934912c6bd304aa54d39ad4535fa12bdd0c803ac7ee164281372dc364ad97542585209fa39447b5a9f
                        SSDEEP:12288:+5v3qTuu7zbgLsSFKUilhkehB/MLfSTOIPAU+dmb:+5vo1SogidMLZHmb
                        TLSH:18F4123032E1C036E1B61238447D8FA51ABEFC222BB4898767D42A1D6E677C05E7975F
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ADK. *.. *.. *..V... *..V... *..X... *.. +.f *..V... *..V... *..V... *.Rich. *.........................PE..L...!.K`...........
                        Icon Hash:8a9099a9ca8cd2f2
                        Entrypoint:0x498550
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                        DLL Characteristics:TERMINAL_SERVER_AWARE
                        Time Stamp:0x604BC821 [Fri Mar 12 19:59:29 2021 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:5
                        OS Version Minor:1
                        File Version Major:5
                        File Version Minor:1
                        Subsystem Version Major:5
                        Subsystem Version Minor:1
                        Import Hash:52981a63110ae9001dc5c79717e57d47
                        Instruction
                        call 00007FB788BC00DBh
                        jmp 00007FB788BB970Eh
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        call 00007FB788BB98BCh
                        xchg cl, ch
                        jmp 00007FB788BB98A4h
                        call 00007FB788BB98B3h
                        fxch st(0), st(1)
                        jmp 00007FB788BB989Bh
                        fabs
                        fld1
                        mov ch, cl
                        xor cl, cl
                        jmp 00007FB788BB9891h
                        mov byte ptr [ebp-00000090h], FFFFFFFEh
                        fabs
                        fxch st(0), st(1)
                        fabs
                        fxch st(0), st(1)
                        fpatan
                        or cl, cl
                        je 00007FB788BB9886h
                        fldpi
                        fsubrp st(1), st(0)
                        or ch, ch
                        je 00007FB788BB9884h
                        fchs
                        ret
                        fabs
                        fld st(0), st(0)
                        fld st(0), st(0)
                        fld1
                        fsubrp st(1), st(0)
                        fxch st(0), st(1)
                        fld1
                        faddp st(1), st(0)
                        fmulp st(1), st(0)
                        ftst
                        wait
                        fstsw word ptr [ebp-000000A0h]
                        wait
                        test byte ptr [ebp-0000009Fh], 00000001h
                        jne 00007FB788BB9887h
                        xor ch, ch
                        fsqrt
                        ret
                        pop eax
                        jmp 00007FB788BC02AFh
                        fstp st(0)
                        fld tbyte ptr [004024DAh]
                        ret
                        fstp st(0)
                        or cl, cl
                        je 00007FB788BB988Dh
                        fstp st(0)
                        fldpi
                        or ch, ch
                        je 00007FB788BB9884h
                        fchs
                        ret
                        fstp st(0)
                        fldz
                        or ch, ch
                        je 00007FB788BB9879h
                        fchs
                        ret
                        fstp st(0)
                        jmp 00007FB788BC0285h
                        fstp st(0)
                        mov cl, ch
                        jmp 00007FB788BB9882h
                        call 00007FB788BB984Eh
                        jmp 00007FB788BC0290h
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        push ebp
                        mov ebp, esp
                        add esp, 00FFFD30h
                        Programming Language:
                        • [ASM] VS2010 build 30319
                        • [ C ] VS2010 build 30319
                        • [IMP] VS2008 SP1 build 30729
                        • [C++] VS2010 build 30319
                        • [RES] VS2010 build 30319
                        • [LNK] VS2010 build 30319
    Name | Virtual Address | Virtual Size | Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa638c | 0x3c | .text
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x212e000 | 0xd568 | .rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1230 | 0x1c | .text
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x3690 | 0x40 | .text
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x1e0 | .text
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
    .text | 0x1000 | 0xa5eb4 | 0xa6000 | False | 0.9462317041603916 | data | 7.945996199237986 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .data | 0xa7000 | 0x20861cc | 0x3000 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .rsrc | 0x212e000 | 0xd568 | 0xd600 | False | 0.6642997955607477 | data | 6.526730178678878 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    Name | RVA | Size | Type | Language | Country
    RT_ICON | 0x212e4e0 | 0xea8 | data | Kannada | Kanada
    RT_ICON | 0x212f388 | 0x8a8 | data | Kannada | Kanada
    RT_ICON | 0x212fc30 | 0x568 | GLS_BINARY_LSB_FIRST | Kannada | Kanada
    RT_ICON | 0x2130198 | 0x25a8 | data | Kannada | Kanada
    RT_ICON | 0x2132740 | 0x10a8 | data | Kannada | Kanada
    RT_ICON | 0x21337e8 | 0x988 | data | Kannada | Kanada
    RT_ICON | 0x2134170 | 0x468 | GLS_BINARY_LSB_FIRST | Kannada | Kanada
    RT_ICON | 0x2134640 | 0xea8 | data | Kannada | Kanada
    RT_ICON | 0x21354e8 | 0x8a8 | data | Kannada | Kanada
    RT_ICON | 0x2135d90 | 0x6c8 | data | Kannada | Kanada
    RT_ICON | 0x2136458 | 0x568 | GLS_BINARY_LSB_FIRST | Kannada | Kanada
    RT_ICON | 0x21369c0 | 0x25a8 | data | Kannada | Kanada
    RT_ICON | 0x2138f68 | 0x10a8 | data | Kannada | Kanada
    RT_ICON | 0x213a010 | 0x468 | GLS_BINARY_LSB_FIRST | Kannada | Kanada
    RT_DIALOG | 0x213a688 | 0x78 | data | |
    RT_STRING | 0x213a700 | 0x67a | data | French | Switzerland
    RT_STRING | 0x213ad80 | 0x464 | data | French | Switzerland
    RT_STRING | 0x213b1e8 | 0x380 | data | French | Switzerland
    RT_GROUP_ICON | 0x21345d8 | 0x68 | data | Kannada | Kanada
    RT_GROUP_ICON | 0x213a478 | 0x68 | data | Kannada | Kanada
    RT_VERSION | 0x213a4f0 | 0x194 | data | |
    None | 0x213a4e0 | 0xa | data | |
                        DLL | Import
                        KERNEL32.dll | GetModuleFileNameA, FoldStringA, GetLocalTime, InterlockedDecrement, GetLocaleInfoA, InterlockedCompareExchange, _hwrite, CancelWaitableTimer, GetSystemDirectoryW, CreateEventW, ReadConsoleA, BuildCommDCBA, GetConsoleAliasExesLengthW, SetSystemTimeAdjustment, PeekConsoleInputW, EnumDateFormatsA, CreateFileW, RegisterWaitForSingleObjectEx, LoadLibraryW, VerifyVersionInfoW, WaitNamedPipeA, GetEnvironmentStrings, FindResourceExA, VirtualProtect, GetFirmwareEnvironmentVariableW, BeginUpdateResourceW, GetConsoleAliasExesLengthA, WriteConsoleA, EnumCalendarInfoExA, WriteConsoleW, DeleteFileW, FillConsoleOutputCharacterA, GetProcAddress, GetModuleHandleW, GetUserDefaultLCID, FindFirstChangeNotificationW, GetFileAttributesExA, GetCalendarInfoA, SetConsoleTitleA, GetBinaryTypeW, GlobalAlloc, GetComputerNameExA, FindNextFileA, OpenJobObjectA, HeapSize, _lclose, GetComputerNameW, TlsGetValue, SetCalendarInfoW, SetComputerNameW, CreateDirectoryExA, InitializeCriticalSectionAndSpinCount, FindFirstChangeNotificationA, GetVolumePathNameA, LoadLibraryA, GetProcessHandleCount, GetThreadLocale, GetSystemDefaultLangID, GetCurrentProcess, ReadFile, HeapFree, GetDiskFreeSpaceW, GetProcessHeap, RaiseException, RtlUnwind, MultiByteToWideChar, GetCommandLineW, HeapSetInformation, GetStartupInfoW, EncodePointer, HeapAlloc, GetLastError, IsProcessorFeaturePresent, DecodePointer, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, SetHandleCount, GetStdHandle, GetFileType, DeleteCriticalSection, SetFilePointer, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, TerminateProcess, EnterCriticalSection, LeaveCriticalSection, ExitProcess, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, CloseHandle, WriteFile, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, HeapCreate, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, Sleep, SetStdHandle, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, FlushFileBuffers, CreateFileA, LCMapStringW, GetStringTypeW, HeapReAlloc, SetEndOfFile
                        USER32.dll | ClientToScreen
                        Language of compilation system | Country where language is spoken | Map
                        Kannada | Kanada
                        French | Switzerland
                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Aug 5, 2022 11:12:25.482526064 CEST | 49737 | 443 | 192.168.2.3 | 162.0.217.254
                        Aug 5, 2022 11:12:25.482600927 CEST | 443 | 49737 | 162.0.217.254 | 192.168.2.3
                        Aug 5, 2022 11:12:25.482718945 CEST | 49737 | 443 | 192.168.2.3 | 162.0.217.254
                        Aug 5, 2022 11:12:25.501522064 CEST | 49737 | 443 | 192.168.2.3 | 162.0.217.254
                        Aug 5, 2022 11:12:25.501563072 CEST | 443 | 49737 | 162.0.217.254 | 192.168.2.3
                        Aug 5, 2022 11:12:25.570105076 CEST | 443 | 49737 | 162.0.217.254 | 192.168.2.3
                        Aug 5, 2022 11:12:25.570306063 CEST | 49737 | 443 | 192.168.2.3 | 162.0.217.254
                        Aug 5, 2022 11:12:26.063847065 CEST | 49737 | 443 | 192.168.2.3 | 162.0.217.254
                        Aug 5, 2022 11:12:26.063880920 CEST | 443 | 49737 | 162.0.217.254 | 192.168.2.3
                        Aug 5, 2022 11:12:26.064246893 CEST | 443 | 49737 | 162.0.217.254 | 192.168.2.3
                        Aug 5, 2022 11:12:26.064321041 CEST | 49737 | 443 | 192.168.2.3 | 162.0.217.254
                        Aug 5, 2022 11:12:26.068742037 CEST | 49737 | 443 | 192.168.2.3 | 162.0.217.254
                        Aug 5, 2022 11:12:26.103678942 CEST | 443 | 49737 | 162.0.217.254 | 192.168.2.3
                        Aug 5, 2022 11:12:26.103773117 CEST | 443 | 49737 | 162.0.217.254 | 192.168.2.3
                        Aug 5, 2022 11:12:26.103781939 CEST | 49737 | 443 | 192.168.2.3 | 162.0.217.254
                        Aug 5, 2022 11:12:26.103825092 CEST | 49737 | 443 | 192.168.2.3 | 162.0.217.254
                        Aug 5, 2022 11:12:26.187181950 CEST | 49737 | 443 | 192.168.2.3 | 162.0.217.254
                        Aug 5, 2022 11:12:26.187218904 CEST | 443 | 49737 | 162.0.217.254 | 192.168.2.3
                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Aug 5, 2022 11:12:25.400958061 CEST | 64851 | 53 | 192.168.2.3 | 8.8.8.8
                        Aug 5, 2022 11:12:25.428997040 CEST | 53 | 64851 | 8.8.8.8 | 192.168.2.3
                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                        Aug 5, 2022 11:12:25.400958061 CEST | 192.168.2.3 | 8.8.8.8 | 0x62d8 | Standard query (0) | api.2ip.ua | A (IP address) | IN (0x0001)
                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                        Aug 5, 2022 11:12:25.428997040 CEST | 8.8.8.8 | 192.168.2.3 | 0x62d8 | No error (0) | api.2ip.ua | | 162.0.217.254 | A (IP address) | IN (0x0001)
                        • api.2ip.ua
                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                        0 | 192.168.2.3 | 49737 | 162.0.217.254 | 443 | C:\Users\user\Desktop\bP5g4FsSJk.exe
                        Timestamp | kBytes transferred | Direction | Data
                        2022-08-05 09:12:26 UTC | 0 | OUT | GET /geo.json HTTP/1.1
                        User-Agent: Microsoft Internet Explorer
                        Host: api.2ip.ua
                        2022-08-05 09:12:26 UTC | 0 | IN | HTTP/1.1 429 Too Many Requests
                        Date: Fri, 05 Aug 2022 09:12:26 GMT
                        Server: Apache
                        Strict-Transport-Security: max-age=63072000; preload
                        X-Frame-Options: SAMEORIGIN
                        X-Content-Type-Options: nosniff
                        X-XSS-Protection: 1; mode=block; report=...
                        Access-Control-Allow-Origin: *
                        Access-Control-Allow-Methods: POST, GET, PUT, OPTIONS, PATCH, DELETE
                        Access-Control-Allow-Headers: X-Accept-Charset,X-Accept,Content-Type
                        Upgrade: h2,h2c
                        Connection: Upgrade, close
                        Transfer-Encoding: chunked
                        Content-Type: text/html; charset=UTF-8
                        2022-08-05 09:12:26 UTC | 0 | IN | Data Ascii: 22a<link rel="stylesheet" href="classes/style.css" type="text/css" /><div class="error">Limit of returned objects has been reached. For more information please contact by email <a href="mailto:help@2ip.me?subject=2ip.me">help@2ip.me</a>. <br><br>


                        Target ID: 0
                        Start time: 11:12:11
                        Start date: 05/08/2022
                        Path: C:\Users\user\Desktop\bP5g4FsSJk.exe
                        Wow64 process (32bit): true
                        Commandline: "C:\Users\user\Desktop\bP5g4FsSJk.exe"
                        Imagebase: 0x400000
                        File size: 748032 bytes
                        MD5 hash: 28FB096CBCE32CF1F87719254452014F
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language
                        Yara matches:
                        • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.278389009.0000000004235000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
                        • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000000.00000002.278746171.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000000.00000002.278746171.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                        Reputation: low

                        Target ID: 1
                        Start time: 11:12:18
                        Start date: 05/08/2022
                        Path: C:\Users\user\Desktop\bP5g4FsSJk.exe
                        Wow64 process (32bit): true
                        Commandline: "C:\Users\user\Desktop\bP5g4FsSJk.exe"
                        Imagebase: 0x400000
                        File size: 748032 bytes
                        MD5 hash: 28FB096CBCE32CF1F87719254452014F
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language
                        Yara matches:
                        • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000001.00000000.271002067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                        • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000001.00000000.272056178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                        • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000001.00000000.272056178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000001.00000000.272056178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                        • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000001.00000000.272056178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                        • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000001.00000000.275253694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                        • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000001.00000000.275253694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000001.00000000.275253694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                        • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000001.00000000.275253694.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                        • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                        • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                        • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000001.00000002.281265111.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                        • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000001.00000000.273505881.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                        • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000001.00000000.273505881.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000001.00000000.273505881.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                        • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000001.00000000.273505881.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                        • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000001.00000000.272842398.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                        • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000001.00000000.272842398.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000001.00000000.272842398.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                        • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000001.00000000.272842398.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                        • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000001.00000000.274561888.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                        • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000001.00000000.274561888.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000001.00000000.274561888.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                        • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000001.00000000.274561888.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                        Reputation: low

                        No disassembly