Edit tour

Windows Analysis Report
02107799.exe

Overview

General Information

Sample Name:	02107799.exe
Analysis ID:	877000
MD5:	6017e7c6f19de9e3b0aae0965fe25603
SHA1:	605250b6dabafb86252272b757a1713078c6ae79
SHA256:	c421418b410ea4bf78ef47c8edb75c8fc96220043573ba6d8268bca900a4c041
Infos:

Detection

Amadey, Babuk, Clipboard Hijacker, Djvu, SmokeLoader, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Amadeys stealer DLL

Detected unpacking (overwrites its own PE header)

Found ransom note / readme

Yara detected Babuk Ransomware

Yara detected SmokeLoader

Yara detected Amadey bot

System process connects to network (likely due to code injection or exploit)

Detected unpacking (changes PE section rights)

Antivirus detection for URL or domain

Antivirus detection for dropped file

Yara detected Clipboard Hijacker

Found malware configuration

Multi AV Scanner detection for submitted file

Benign windows process drops PE files

Malicious sample detected (through community Yara rule)

Yara detected Djvu Ransomware

Yara detected Vidar stealer

Multi AV Scanner detection for dropped file

Maps a DLL or memory area into another process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Modifies existing user documents (likely ransomware behavior)

Injects a PE file into a foreign processes

Deletes itself after installation

Writes a notice file (html or txt) to demand a ransom

Creates a thread in another existing process (thread injection)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Sample uses string decryption to hide its real strings

Uses schtasks.exe or at.exe to add and modify task schedules

Checks if the current machine is a virtual machine (disk enumeration)

Tries to harvest and steal browser information (history, passwords, etc)

Sample uses process hollowing technique

Tries to harvest and steal ftp login credentials

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Creates an undocumented autostart registry key

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Tries to steal Instant Messenger accounts or passwords

One or more processes crash

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to dynamically determine API calls

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Drops files with a non-matching file extension (content does not match file extension)

Drops PE files

Contains functionality to read the PEB

Checks if the current process is being debugged

PE file contains more sections than normal

Dropped file seen in connection with other malware

Creates a process in suspended mode (likely to inject code)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

PE file contains sections with non-standard names

Found potential string decryption / allocating functions

Yara detected Credential Stealer

Contains functionality to call native functions

Found dropped PE file which has not been started or loaded

PE file contains executable resources (Code or Archives)

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Creates a DirectInput object (often for capturing keystrokes)

PE file contains an invalid checksum

Uses cacls to modify the permissions of files

Connects to several IPs in different countries

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Classification

Process Tree

System is w10x64

02107799.exe (PID: 7160 cmdline: C:\Users\user\Desktop\02107799.exe MD5: 6017E7C6F19DE9E3B0AAE0965FE25603)

explorer.exe (PID: 3324 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

BDC0.exe (PID: 6912 cmdline: C:\Users\user\AppData\Local\Temp\BDC0.exe MD5: 6944FCA258A9009F9D3B7212CDB4874D)

BDC0.exe (PID: 7044 cmdline: C:\Users\user\AppData\Local\Temp\BDC0.exe MD5: 6944FCA258A9009F9D3B7212CDB4874D)

icacls.exe (PID: 4744 cmdline: icacls "C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8" /deny *S-1-1-0:(OI)(CI)(DE,DC) MD5: FF0D1D4317A44C951240FAE75075D501)

BDC0.exe (PID: 1516 cmdline: "C:\Users\user\AppData\Local\Temp\BDC0.exe" --Admin IsNotAutoStart IsNotTask MD5: 6944FCA258A9009F9D3B7212CDB4874D)

BDC0.exe (PID: 2900 cmdline: "C:\Users\user\AppData\Local\Temp\BDC0.exe" --Admin IsNotAutoStart IsNotTask MD5: 6944FCA258A9009F9D3B7212CDB4874D)

build2.exe (PID: 4724 cmdline: "C:\Users\user\AppData\Local\205aa591-8aa8-4e2c-a5b1-c9b7aaf860cf\build2.exe" MD5: B888EFE68F257AA2335ED9CBD63C1343)

AD22.exe (PID: 4724 cmdline: C:\Users\user\AppData\Local\Temp\AD22.exe MD5: 7A8E3D000FBA0F5765B98E2D78EB9D12)

WerFault.exe (PID: 3356 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 520 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

dllhost.exe (PID: 5456 cmdline: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} MD5: 2528137C6745C4EADD87817A1909677E)

223E.exe (PID: 2952 cmdline: C:\Users\user\AppData\Local\Temp\223E.exe MD5: 2AF03D52F9CF9E53DFFC1183B403E1B7)

aafg31.exe (PID: 2280 cmdline: "C:\Users\user\AppData\Local\Temp\aafg31.exe" MD5: B4F79B3194235084A3EC85711EDFBD38)

NewPlayer.exe (PID: 2284 cmdline: "C:\Users\user\AppData\Local\Temp\NewPlayer.exe" MD5: 08240E71429B32855B418A4ACF0E38EC)

mnolyk.exe (PID: 6916 cmdline: "C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe" MD5: 08240E71429B32855B418A4ACF0E38EC)

schtasks.exe (PID: 4696 cmdline: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe" /F MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 1280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 5052 cmdline: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "user:N"&&CACLS "mnolyk.exe" /P "user:R" /E&&echo Y|CACLS "..\6d73a97b0c" /P "user:N"&&CACLS "..\6d73a97b0c" /P "user:R" /E&&Exit MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 4360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 1092 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y" MD5: F3BDBE3BB6F734E357235F4D5898582D)

cacls.exe (PID: 3356 cmdline: CACLS "mnolyk.exe" /P "user:N" MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)

cacls.exe (PID: 4580 cmdline: CACLS "mnolyk.exe" /P "user:R" /E MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)

cmd.exe (PID: 5536 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y" MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 5672 cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5812 cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main MD5: 73C519F050C20580F8A62C849D49215A)

XandETC.exe (PID: 4980 cmdline: "C:\Users\user\AppData\Local\Temp\XandETC.exe" MD5: 3006B49F3A30A80BB85074C279ACC7DF)

BDC0.exe (PID: 256 cmdline: "C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8\BDC0.exe" --AutoStart MD5: 6944FCA258A9009F9D3B7212CDB4874D)

946D.exe (PID: 2064 cmdline: C:\Users\user\AppData\Local\Temp\946D.exe MD5: 6944FCA258A9009F9D3B7212CDB4874D)

946D.exe (PID: 4576 cmdline: C:\Users\user\AppData\Local\Temp\946D.exe MD5: 6944FCA258A9009F9D3B7212CDB4874D)

8DD2.exe (PID: 6048 cmdline: C:\Users\user\AppData\Local\Temp\8DD2.exe MD5: 15BC205C2CAF7196EE2267087C3B2BB8)

8DD2.exe (PID: 5312 cmdline: C:\Users\user\AppData\Local\Temp\8DD2.exe MD5: 15BC205C2CAF7196EE2267087C3B2BB8)

794C.exe (PID: 5236 cmdline: C:\Users\user\AppData\Local\Temp\794C.exe MD5: 15BC205C2CAF7196EE2267087C3B2BB8)

794C.exe (PID: 5660 cmdline: C:\Users\user\AppData\Local\Temp\794C.exe MD5: 15BC205C2CAF7196EE2267087C3B2BB8)

DC0A.exe (PID: 4596 cmdline: C:\Users\user\AppData\Local\Temp\DC0A.exe MD5: 7A8E3D000FBA0F5765B98E2D78EB9D12)

cuwsgii (PID: 5704 cmdline: C:\Users\user\AppData\Roaming\cuwsgii MD5: 6017E7C6F19DE9E3B0AAE0965FE25603)

svchost.exe (PID: 3276 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)

WerFault.exe (PID: 256 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4724 -ip 4724 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

BDC0.exe (PID: 5184 cmdline: "C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8\BDC0.exe" --AutoStart MD5: 6944FCA258A9009F9D3B7212CDB4874D)

BDC0.exe (PID: 4248 cmdline: C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8\BDC0.exe --Task MD5: 6944FCA258A9009F9D3B7212CDB4874D)

BDC0.exe (PID: 5484 cmdline: C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8\BDC0.exe --Task MD5: 6944FCA258A9009F9D3B7212CDB4874D)

mnolyk.exe (PID: 5892 cmdline: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe MD5: 08240E71429B32855B418A4ACF0E38EC)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/ https://blog.cyble.com/2023/01/25/the-rise-of-amadey-bot-a-growing-concern-for-internet-security/ https://blog.minerva-labs.com/underminer-exploit-kit-the-more-you-check-the-more-evasive-you-become	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
Babuk	Babuk Ransomware is a sophisticated ransomware compiled for several platforms. Windows and ARM for Linux are the most used compiled versions, but ESX and a 32bit old PE executable were observed over time. as well It uses an Elliptic Curve Algorithm (Montgomery Algorithm) to build the encryption keys.	No Attribution	http://chuongdong.com/reverse%20engineering/2021/01/03/BabukRansomware/ https://blog.cyble.com/2022/05/06/rebranded-babuk-ransomware-in-action-darkangels-ransomware-performs-targeted-attack/ https://blog.morphisec.com/babuk-ransomware-variant-major-attack https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html https://chuongdong.com/reverse%20engineering/2021/01/16/BabukRansomware-v3/	https://malpedia.caad.fkie.fraunhofer.de/details/win.babuk

Name	Description	Attribution	Blogpost URLs	Link
STOP, Djvu	STOP Djvu Ransomware it is a ransomware which encrypts user data through AES-256 and adds one of the dozen available extensions as marker to the encrypted file's name. It is not used to encrypt the entire file but only the first 5 MB. In its original version it was able to run offline and, in that case, it used a hard-coded key which could be extracted to decrypt files.	No Attribution	https://angle.ankura.com/post/102het9/the-stop-ransomware-variant https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://cybergeeks.tech/a-detailed-analysis-of-the-stop-djvu-ransomware/ https://cybleinc.com/2021/06/21/djvu-malware-of-stop-ransomware-family-back-with-new-variant/ https://github.com/vithakur/detections/blob/main/STOP-ransomware-djvu/IOC-list	https://malpedia.caad.fkie.fraunhofer.de/details/win.stop

Name	Description	Attribution	Blogpost URLs	Link
SmokeLoader	The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.	SMOKY SPIDER	http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries	https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: Amadey

{"C2 url": "45.9.74.80/0bjdn2Z/index.php", "Version": "3.67"}

Threatname: Djvu

{"Download URLs": ["http://colisumy.com/dl/build2.exe", "http://zexeq.com/files/1/build3.exe"], "C2 url": "http://zexeq.com/raud/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nYou can get and look video overview decrypt tool:\r\nhttps://we.tl/t-tnzomMj6HU\r\nPrice of private key and decrypt software is $980.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $490.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@freshmail.top\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelp@airmail.cc\r\n\r\nYour personal ID:\r\n0717JOsie", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local\\", "F:\\Windows\\", "F:\\PerfLogs\\", "F:\\ProgramData\\Desktop\\", "F:\\ProgramData\\Microsoft\\", "F:\\Users\\Public\\", "F:\\$Recycle.Bin\\", "F:\\$WINDOWS.~BT\\", "F:\\dell\\", "F:\\Intel\\"], "Public Key": "-----BEGIN PUBLIC KEY-----\\\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA50iTgpK4WqHRCxsCP+Ko\\\\ni6Rfb9WWM4K\\/vgKVvZi\\/+pA7wR6QvFBURdJ1Z9mdw8kYkafMfVuTEgbW+j4RDepy\\\\nRMc6ZcYdxsu2f4+XgrCWmwJw8wVmodWyLZqqeb1k4FONQs+uAP0AxLLTUbcAfP75\\\\ngGAW9KhqPhoYKVhzDqtFOqCvYqMylrgCNwHpTp75Bv5up3OfAE5h6+t\\/TfjQjDFJ\\\\nJY0Tgum721KiGGppZfsBDqY1Zv\\/F45h+MVk9mhfvBd3UZNJUZI5ewP1zbnOU1llz\\\\ndETA6WbQWWm4u4pamw3U0ZLnFDJQkUgOAbxOfVM4xpi0lrPyV+oTCXnpOgcF4YvU\\\\n2wIDAQAB\\\\n-----END PUBLIC KEY-----"}

Threatname: SmokeLoader

{"Version": 2022, "C2 list": ["http://toobussy.com/tmp/", "http://wuc11.com/tmp/", "http://ladogatur.ru/tmp/", "http://kingpirate.ru/tmp/"]}

Threatname: Vidar

{"C2 url": ["https://steamcommunity.com/profiles/76561199508624021", "https://t.me/looking_glassbot"], "Botnet": "e44c96dfdf315ccf17cdd4b93cfe6e48"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build3[1].exe	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build3[1].exe	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1203:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build3[1].exe	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xefa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0xf87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xf87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x12ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1335:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
C:\Users\user\AppData\Local\205aa591-8aa8-4e2c-a5b1-c9b7aaf860cf\build3.exe	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
C:\Users\user\AppData\Local\205aa591-8aa8-4e2c-a5b1-c9b7aaf860cf\build3.exe	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1203:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
C:\Users\user\AppData\Local\205aa591-8aa8-4e2c-a5b1-c9b7aaf860cf\build3.exe	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xefa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0xf87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xf87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x12ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1335:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
C:\Users\user\AppData\Local\Temp\NewPlayer.exe	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll	OlympicDestroyer_1	OlympicDestroyer Payload	kevoreilly	0xe88c0:$string1: SELECT origin_url, username_value, password_value FROM logins 0xde8b0:$string2: API call with %s database connection pointer 0xdf5b8:$string3: os_win.c:%d: (%lu) %s(%s) - %s
C:\Users\user\AppData\Roaming\07c6bc37dc5087\cred64.dll	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Roaming\07c6bc37dc5087\cred64.dll	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
C:\Users\user\AppData\Roaming\07c6bc37dc5087\cred64.dll	OlympicDestroyer_1	OlympicDestroyer Payload	kevoreilly	0xe88c0:$string1: SELECT origin_url, username_value, password_value FROM logins 0xde8b0:$string2: API call with %s database connection pointer 0xdf5b8:$string3: os_win.c:%d: (%lu) %s(%s) - %s
C:\Users\user\AppData\Local\Temp\EB26.exe	MALWARE_Win_DLInjector04	Detects downloader / injector	ditekSHen	0x4e2e9c:$s1: Runner 0x4e3001:$s3: RunOnStartup 0x4e2eb0:$a1: Antis 0x4e2edd:$a2: antiVM 0x4e2ee4:$a3: antiSandbox 0x4e2ef0:$a4: antiDebug 0x4e2efa:$a5: antiEmulator 0x4e2f07:$a6: enablePersistence 0x4e2f19:$a7: enableFakeError 0x4e302a:$a8: DetectVirtualMachine 0x4e304f:$a9: DetectSandboxie 0x4e307a:$a10: DetectDebugger 0x4e3089:$a11: CheckEmulator
C:\Users\user\AppData\Local\Temp\223E.exe	MALWARE_Win_DLInjector04	Detects downloader / injector	ditekSHen	0x4e2e9c:$s1: Runner 0x4e3001:$s3: RunOnStartup 0x4e2eb0:$a1: Antis 0x4e2edd:$a2: antiVM 0x4e2ee4:$a3: antiSandbox 0x4e2ef0:$a4: antiDebug 0x4e2efa:$a5: antiEmulator 0x4e2f07:$a6: enablePersistence 0x4e2f19:$a7: enableFakeError 0x4e302a:$a8: DetectVirtualMachine 0x4e304f:$a9: DetectSandboxie 0x4e307a:$a10: DetectDebugger 0x4e3089:$a11: CheckEmulator
C:\Users\user\AppData\Local\Temp\4445.exe	MALWARE_Win_DLInjector04	Detects downloader / injector	ditekSHen	0x4e2e9c:$s1: Runner 0x4e3001:$s3: RunOnStartup 0x4e2eb0:$a1: Antis 0x4e2edd:$a2: antiVM 0x4e2ee4:$a3: antiSandbox 0x4e2ef0:$a4: antiDebug 0x4e2efa:$a5: antiEmulator 0x4e2f07:$a6: enablePersistence 0x4e2f19:$a7: enableFakeError 0x4e302a:$a8: DetectVirtualMachine 0x4e304f:$a9: DetectSandboxie 0x4e307a:$a10: DetectDebugger 0x4e3089:$a11: CheckEmulator
C:\Users\user\AppData\Local\Temp\78BB.exe	MALWARE_Win_DLInjector04	Detects downloader / injector	ditekSHen	0x4e2e9c:$s1: Runner 0x4e3001:$s3: RunOnStartup 0x4e2eb0:$a1: Antis 0x4e2edd:$a2: antiVM 0x4e2ee4:$a3: antiSandbox 0x4e2ef0:$a4: antiDebug 0x4e2efa:$a5: antiEmulator 0x4e2f07:$a6: enablePersistence 0x4e2f19:$a7: enableFakeError 0x4e302a:$a8: DetectVirtualMachine 0x4e304f:$a9: DetectSandboxie 0x4e307a:$a10: DetectDebugger 0x4e3089:$a11: CheckEmulator
Click to see the 13 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000017.00000003.507221089.0000000000877000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Amadey	Yara detected Amadey bot	Joe Security
00000029.00000002.507218040.0000000000830000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000029.00000002.507218040.0000000000830000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x644:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000007.00000002.466741568.00000000006E0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000007.00000002.466859544.0000000000818000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x74f1:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000012.00000002.463532414.0000000002410000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000012.00000002.463532414.0000000002410000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000004.00000002.460136042.00000000007E0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000004.00000002.460449041.00000000022E1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000004.00000002.460449041.00000000022E1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x3d4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000021.00000002.506259651.000000000234D000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.397201524.0000000000840000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000024.00000002.497942098.00000000023CD000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.397221431.0000000000871000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.397221431.0000000000871000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x3d4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000004.00000002.460185114.00000000007F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000004.00000002.460185114.00000000007F0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x7d4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000005.00000002.453783695.0000000002510000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000005.00000002.453783695.0000000002510000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000012.00000002.463290987.0000000002349000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000025.00000002.507378893.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000025.00000002.507378893.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000025.00000002.507378893.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000025.00000002.507378893.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0000001A.00000002.500648966.00000000022CF000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000021.00000002.508427363.0000000002520000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000021.00000002.508427363.0000000002520000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000027.00000002.512282252.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000027.00000002.512282252.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000027.00000002.512282252.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000027.00000002.512282252.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000029.00000002.507318867.0000000002321000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000029.00000002.507318867.0000000002321000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x244:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000004.00000002.460041377.00000000006E8000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x7451:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000029.00000002.507033636.00000000006B8000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x7371:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000006.00000002.461344715.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000006.00000002.461344715.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000006.00000002.461344715.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000006.00000002.461344715.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0000002C.00000002.513002003.0000000000061000.00000020.00000001.01000000.00000012.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000011.00000002.895547083.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000011.00000002.895547083.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000011.00000002.895547083.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000011.00000002.895547083.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0000001E.00000002.490394408.00000000024B0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0000001E.00000002.490394408.00000000024B0000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0000002A.00000002.503393275.0000000000728000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1170:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000014.00000002.513841779.00000000040C5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000002.397292566.0000000000939000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x74d9:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000013.00000002.895386251.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000013.00000002.895386251.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000013.00000002.895386251.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000013.00000002.895386251.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000024.00000002.498086364.0000000002460000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000024.00000002.498086364.0000000002460000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0000000B.00000002.463353305.000000000232B000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000017.00000000.475587099.0000000000061000.00000020.00000001.01000000.00000012.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000016.00000000.473283405.0000000000FF1000.00000020.00000001.01000000.00000011.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000002C.00000000.492656572.0000000000061000.00000020.00000001.01000000.00000012.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000000B.00000002.463587041.0000000002480000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0000000B.00000002.463587041.0000000002480000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0000001E.00000002.489953243.000000000240F000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000020.00000002.509612718.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000020.00000002.509612718.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000020.00000002.509612718.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000020.00000002.509612718.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000029.00000002.507203480.0000000000820000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
0000002A.00000002.506376694.00000000022F0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000005.00000002.453528210.00000000023BD000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.397209073.0000000000850000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.397209073.0000000000850000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x7d4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000001F.00000002.497982449.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
0000001F.00000002.497982449.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0000001F.00000002.497982449.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
0000001F.00000002.497982449.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000016.00000002.476001535.0000000000FF1000.00000020.00000001.01000000.00000011.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000001A.00000002.502966627.0000000002470000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0000001A.00000002.502966627.0000000002470000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
Process Memory Space: BDC0.exe PID: 6912	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: BDC0.exe PID: 6912	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x33025:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: BDC0.exe PID: 7044	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: BDC0.exe PID: 7044	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x3f9c6:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: BDC0.exe PID: 4248	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: BDC0.exe PID: 4248	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x4932c:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: BDC0.exe PID: 5484	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: BDC0.exe PID: 5484	JoeSecurity_babuk	Yara detected Babuk Ransomware	Joe Security
Process Memory Space: BDC0.exe PID: 5484	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x46074:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: BDC0.exe PID: 1516	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: BDC0.exe PID: 1516	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x3110c:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: BDC0.exe PID: 2900	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: BDC0.exe PID: 2900	JoeSecurity_babuk	Yara detected Babuk Ransomware	Joe Security
Process Memory Space: BDC0.exe PID: 2900	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x4e778:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Click to see the 87 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
23.0.mnolyk.exe.60000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
22.0.NewPlayer.exe.ff0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
39.2.794C.exe.400000.0.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
39.2.794C.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
39.2.794C.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
39.2.794C.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
31.2.BDC0.exe.400000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
31.2.BDC0.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
31.2.BDC0.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
31.2.BDC0.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
26.2.BDC0.exe.24715a0.1.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
26.2.BDC0.exe.24715a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
26.2.BDC0.exe.24715a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
26.2.BDC0.exe.24715a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
17.2.BDC0.exe.400000.0.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
17.2.BDC0.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
17.2.BDC0.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
17.2.BDC0.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
37.2.8DD2.exe.400000.0.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
37.2.8DD2.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
37.2.8DD2.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
37.2.8DD2.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
20.2.223E.exe.42def90.1.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
31.2.BDC0.exe.400000.0.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
31.2.BDC0.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
31.2.BDC0.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
31.2.BDC0.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
36.2.794C.exe.24615a0.1.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
36.2.794C.exe.24615a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
36.2.794C.exe.24615a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
36.2.794C.exe.24615a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
17.2.BDC0.exe.400000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
17.2.BDC0.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
17.2.BDC0.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
17.2.BDC0.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
26.2.BDC0.exe.24715a0.1.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xdf7ea:$s1: http:// 0xfd898:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf4e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101b2e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xffa26:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xdf7ea:$f1: http://
26.2.BDC0.exe.24715a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
26.2.BDC0.exe.24715a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
26.2.BDC0.exe.24715a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
44.0.mnolyk.exe.60000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
18.2.BDC0.exe.24115a0.1.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xdf7ea:$s1: http:// 0xfd898:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf4e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101b2e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xffa26:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xdf7ea:$f1: http://
18.2.BDC0.exe.24115a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
18.2.BDC0.exe.24115a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
18.2.BDC0.exe.24115a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
11.2.BDC0.exe.24815a0.1.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xdf7ea:$s1: http:// 0xfd898:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf4e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101b2e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xffa26:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xdf7ea:$f1: http://
11.2.BDC0.exe.24815a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
11.2.BDC0.exe.24815a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
11.2.BDC0.exe.24815a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
42.2.build2.exe.22f15a0.1.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
19.2.BDC0.exe.400000.0.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
19.2.BDC0.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
19.2.BDC0.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
19.2.BDC0.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
42.2.build2.exe.22f15a0.1.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
6.2.BDC0.exe.400000.0.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
6.2.BDC0.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
6.2.BDC0.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
6.2.BDC0.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
30.2.946D.exe.24b15a0.1.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xdf7ea:$s1: http:// 0xfd898:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf4e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101b2e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xffa26:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xdf7ea:$f1: http://
30.2.946D.exe.24b15a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
30.2.946D.exe.24b15a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
30.2.946D.exe.24b15a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
32.2.946D.exe.400000.0.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
32.2.946D.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
32.2.946D.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
32.2.946D.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
19.2.BDC0.exe.400000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
19.2.BDC0.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
19.2.BDC0.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
19.2.BDC0.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
11.2.BDC0.exe.24815a0.1.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
11.2.BDC0.exe.24815a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
11.2.BDC0.exe.24815a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
11.2.BDC0.exe.24815a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
44.2.mnolyk.exe.60000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
18.2.BDC0.exe.24115a0.1.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
18.2.BDC0.exe.24115a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
18.2.BDC0.exe.24115a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
18.2.BDC0.exe.24115a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
6.2.BDC0.exe.400000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
6.2.BDC0.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
6.2.BDC0.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
6.2.BDC0.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
22.2.NewPlayer.exe.ff0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
5.2.BDC0.exe.25115a0.1.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
5.2.BDC0.exe.25115a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
5.2.BDC0.exe.25115a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
5.2.BDC0.exe.25115a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
39.2.794C.exe.400000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
39.2.794C.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
39.2.794C.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
39.2.794C.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
33.2.8DD2.exe.25215a0.1.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
33.2.8DD2.exe.25215a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
33.2.8DD2.exe.25215a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
33.2.8DD2.exe.25215a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
20.2.223E.exe.42def90.1.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
33.2.8DD2.exe.25215a0.1.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xdf7ea:$s1: http:// 0xfd898:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf4e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101b2e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xffa26:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xdf7ea:$f1: http://
33.2.8DD2.exe.25215a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
33.2.8DD2.exe.25215a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
33.2.8DD2.exe.25215a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
37.2.8DD2.exe.400000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
37.2.8DD2.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
37.2.8DD2.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
37.2.8DD2.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
32.2.946D.exe.400000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
32.2.946D.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
32.2.946D.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
32.2.946D.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
36.2.794C.exe.24615a0.1.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xdf7ea:$s1: http:// 0xfd898:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf4e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101b2e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xffa26:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xdf7ea:$f1: http://
36.2.794C.exe.24615a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
36.2.794C.exe.24615a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
36.2.794C.exe.24615a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
30.2.946D.exe.24b15a0.1.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
30.2.946D.exe.24b15a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
30.2.946D.exe.24b15a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
30.2.946D.exe.24b15a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
5.2.BDC0.exe.25115a0.1.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xdf7ea:$s1: http:// 0xfd898:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf4e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101b2e:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xffa26:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xdf7ea:$f1: http://
5.2.BDC0.exe.25115a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
5.2.BDC0.exe.25115a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
5.2.BDC0.exe.25115a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
20.2.223E.exe.41b2f50.0.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
20.0.223E.exe.700000.0.unpack	MALWARE_Win_DLInjector04	Detects downloader / injector	ditekSHen	0x4e2e9c:$s1: Runner 0x4e3001:$s3: RunOnStartup 0x4e2eb0:$a1: Antis 0x4e2edd:$a2: antiVM 0x4e2ee4:$a3: antiSandbox 0x4e2ef0:$a4: antiDebug 0x4e2efa:$a5: antiEmulator 0x4e2f07:$a6: enablePersistence 0x4e2f19:$a7: enableFakeError 0x4e302a:$a8: DetectVirtualMachine 0x4e304f:$a9: DetectSandboxie 0x4e307a:$a10: DetectDebugger 0x4e3089:$a11: CheckEmulator
Click to see the 118 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://colisumy.com/dl/build2.exe$run	URL Reputation: Label: malware
Source: http://zexeq.com/files/1/build3.exe$run	URL Reputation: Label: malware
Source: http://zexeq.com/raud/get.php	URL Reputation: Label: malware
Source: http://zexeq.com/raud/get.php?pid=903E7F261711F85395E5CEFBF4173C544.	Avira URL Cloud: Label: malware
Source: http://colisumy.com/dl/build2.exe	URL Reputation: Label: malware
Source: http://zexeq.com/raud/get.phpL	Avira URL Cloud: Label: malware
Source: http://45.9.74.80/0bjds.apjeoighw.com/	Avira URL Cloud: Label: malware
Source: http://zexeq.com/raud/get.php?pid=903E7F261711F85395E5CEFBF4173C54&first=truey	Avira URL Cloud: Label: malware
Source: http://colisumy.com/dl/build2.exerun417	Avira URL Cloud: Label: malware
Source: http://colisumy.com/dl/build2.exe/p	Avira URL Cloud: Label: malware
Source: 45.9.74.80/0bjdn2Z/index.php	Avira URL Cloud: Label: malware
Source: http://zexeq.com/files/1/build3.exerun	Avira URL Cloud: Label: malware
Source: http://colisumy.com/dlget.php?pid=903E7F261711F85395E5CEFBF4173C54	Avira URL Cloud: Label: malware
Source: http://zexeq.com/files/1/build3.exe$runyinstall020921_delay721_sec.exe0	Avira URL Cloud: Label: malware
Source: http://zexeq.com/files/1/build3.exe$rung	Avira URL Cloud: Label: malware
Source: http://45.9.74.80/0bjds.apjeoighw.com/check/?sid=436838&key=0f2526fc923d8a6ab4c43d0a56a5696e	Avira URL Cloud: Label: malware
Source: http://zexeq.com/files/1/build3.exe$runP	Avira URL Cloud: Label: malware
Source: http://zexeq.com/raud/get.phpep	Avira URL Cloud: Label: malware
Source: http://toobussy.com/tmp/	Avira URL Cloud: Label: malware
Source: http://zexeq.com/raud/get.php?pid=903E7F261711F85395E5CEFBF4173C54&first=trueb	Avira URL Cloud: Label: malware
Source: http://zexeq.com/raud/get.php?pid=903E7F261711F85395E5CEFBF4173C54	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll	Avira: detection malicious, Label: HEUR/AGEN.1301090
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build3[1].exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen8
Source: C:\Users\user\AppData\Local\Temp\223E.exe	Avira: detection malicious, Label: HEUR/AGEN.1357339
Source: C:\Users\user\AppData\Local\Temp\4445.exe	Avira: detection malicious, Label: HEUR/AGEN.1357339
Source: C:\Users\user\AppData\Local\205aa591-8aa8-4e2c-a5b1-c9b7aaf860cf\build3.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen8
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Avira: detection malicious, Label: HEUR/AGEN.1319380

Found malware configuration

Source: 00000012.00000002.463532414.0000000002410000.00000040.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Djvu {"Download URLs": ["http://colisumy.com/dl/build2.exe", "http://zexeq.com/files/1/build3.exe"], "C2 url": "http://zexeq.com/raud/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nYou can get and look video overview decrypt tool:\r\nhttps://we.tl/t-tnzomMj6HU\r\nPrice of private key and decrypt software is $980.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $490.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@freshmail.top\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelp@airmail.cc\r\n\r\nYour personal ID:\r\n0717JOsie", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local\\", "F:\\Windo
Source: 00000029.00000002.507218040.0000000000830000.00000004.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://toobussy.com/tmp/", "http://wuc11.com/tmp/", "http://ladogatur.ru/tmp/", "http://kingpirate.ru/tmp/"]}
Source: 0000002A.00000002.506376694.00000000022F0000.00000040.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199508624021", "https://t.me/looking_glassbot"], "Botnet": "e44c96dfdf315ccf17cdd4b93cfe6e48"}
Source: 20.2.223E.exe.42def90.1.raw.unpack	Malware Configuration Extractor: Amadey {"C2 url": "45.9.74.80/0bjdn2Z/index.php", "Version": "3.67"}

Multi AV Scanner detection for submitted file

Source: 02107799.exe	ReversingLabs: Detection: 37%
Source: 02107799.exe	Virustotal: Detection: 42%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\205aa591-8aa8-4e2c-a5b1-c9b7aaf860cf\build2.exe	ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\205aa591-8aa8-4e2c-a5b1-c9b7aaf860cf\build3.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build2[1].exe	ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build3[1].exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll	ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\223E.exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Temp\4445.exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\7439.exe	ReversingLabs: Detection: 43%
Source: C:\Users\user\AppData\Local\Temp\78BB.exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Temp\794C.exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Temp\8DD2.exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Temp\AFA6.exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Temp\C45B.exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Temp\EB26.exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Temp\F0C7.exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Temp\NewPlayer.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\XandETC.exe	ReversingLabs: Detection: 72%
Source: C:\Users\user\AppData\Local\Temp\aafg31.exe	ReversingLabs: Detection: 33%
Source: C:\Users\user\AppData\Roaming\07c6bc37dc5087\cred64.dll	ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Roaming\cuwsgii	ReversingLabs: Detection: 37%

Machine Learning detection for sample

Source: 02107799.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: 45.9.74.80
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: /0bjdn2Z/index.php
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: 3.67
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: 6d73a97b0c
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: mnolyk.exe
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: SCHTASKS
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: /Create /SC MINUTE /MO 1 /TN
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: /TR "
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: " /F
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: Startup
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: cmd /C RMDIR /s/q
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: rundll32
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: /Delete /TN "
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: Programs
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: %USERPROFILE%
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: \App
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: POST
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: &vs=
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: &sd=
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: &os=
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: &bi=
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: &ar=
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: &pc=
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: &un=
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: &dm=
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: &av=
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: &lv=
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: &og=
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: cred.dll\|clip.dll\|
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: Main
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: http://
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: https://
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: Plugins/
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: &unit=
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: shell32.dll
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: kernel32.dll
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: GetNativeSystemInfo
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: ProgramData\
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: AVAST Software
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: Avira
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: Kaspersky Lab
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: ESET
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: Panda Security
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: Doctor Web
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: 360TotalSecurity
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: Bitdefender
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: Norton
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: Sophos
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: Comodo
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: WinDefender
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: 0123456789
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: ------
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: ?scr=1
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: .jpg
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: ComputerName
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: -unicode-
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: VideoID
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: \0000
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: DefaultSettings.XResolution
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: DefaultSettings.YResolution
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: ProductName
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: 2019
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: 2022
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: 2016
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: CurrentBuild
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: echo Y\|CACLS "
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: " /P "
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: CACLS "
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: :R" /E
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: :F" /E
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: &&Exit
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: rundll32.exe
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: "taskkill /f /im "
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: " && timeout 1 && del
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: && Exit"
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: " && ren
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: &&
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: Powershell.exe
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: -executionpolicy remotesigned -File "
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor:
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: N}
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: ;
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: 1xD
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: 1Xc
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: DS
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: M
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: m+
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: F
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: +.k
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: t9$
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: *t}
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: jb-
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: !{
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: UjX
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: !R
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: dL\
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: ~V
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: y^
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: lY^
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: ~{4
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: cd%!LB
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: {,S
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: J[.PpX
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: r`d
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: .]-
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: \
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: >P6
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: g
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: +f8
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: V!H
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: m
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: wEK
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor:
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: jn
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: 3'!
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: ]CX
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: 6$R
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: }B*
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor:
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: %
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: {]?
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: cr8
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: YB]
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: 1]n
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: 8BB
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: h9\
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: h0?
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: rv
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: q=u
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: C2u
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: `
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: z]e
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: ^EZ
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: Kvf
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: 7/?
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: `B1
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: v
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: #
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: qJ\
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor:
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: p
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: J`
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: [{!
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor:
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: jB;
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor:
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: m2z
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: N
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: @
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: 9}4
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: h
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: &B!
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: rGu
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: ]
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: Y
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: +
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: {)1
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: VTs
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: 1b`
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: `
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: k\|N
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: Mo'
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: g
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: G
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: ?
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: D9t
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: FNZ
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: =Wc
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: t
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: Z(a
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: h A
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: 775
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: ^?,
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: *nL
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: 63l
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: OE^
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: 2Ak
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor:
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: Ca4
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: ^&k
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: _
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: ~OP
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: f
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: z]`
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: DX
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: &Y
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: O#&
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: yL0
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: -
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: R
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: y
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: ")6
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor:
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: Z
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: D
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: G,/9^
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: I,
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: D
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: BvX
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: YpG
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: c^
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: 4`2)
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: Gg4
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: BZw
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: Lj
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: ='<
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: & &
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor:
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: l\|R
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: z
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: s:c
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: u
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: u
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: u
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: u
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: w)I
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: J
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: pa
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: yz
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: l
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: I5
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: ?
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: >=K
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: =]i
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: =5)
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: <e*
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: ^+a
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: U
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: d\|t
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: o
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: h
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor:
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: UL
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: q
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor:
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: U#
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: K8=
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: NA}
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: LRM
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: a
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: spe
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: jTb
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: @m
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: mxk
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: r\|w
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: "=h
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: HJ
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor:
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: .hf
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: 8S+
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: ;CW
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: FTa
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: Q8J
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: jDI
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: >HS
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: X
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: 0\z
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: Fw5
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: bT
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: nD#
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: O;_
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: .
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: d_I
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: >kY
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: l
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: CJ
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: _!
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: y
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: 4T
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: ;
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: c
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: IlW
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: `
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: }
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: Vq4
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: fCT
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: zY:
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: :
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: {^S
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: U'1
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: 8RN
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: {,
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: G<b
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: }>e
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: {x
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: @
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: =*[
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: :Qi
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: {ev
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: ^@m
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: 8
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: 5\|
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: M#
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: 'wv
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: px)
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor:
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: (,~
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: LLj
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: T\|
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: g
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: E}}
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: Q
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: {
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: (
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: ov
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: 1n`
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: 5
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: 2x`
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: H9s
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: ]
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: j[4
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: #Sq
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: ~
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: +?
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: ?'A
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: $%a
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: in!
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: 0]E
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: 4\|-
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: ^c{
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: PMa
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: ixo
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: _2+
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: Y
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor:
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: l:;
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: N
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: dXU
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: ,7O
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: 7`1
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: D8e
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: =HN
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: 3y
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: KA+
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: DVx
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: #
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: #
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: (\|z
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: ?
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: R2X
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: $i
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: &Jm
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: z
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: cV
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: "GwfrS
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: j
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: CV'
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: x\
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: Kx3
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: *ku
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: <
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: eL6
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: _
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor:
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: 6K?
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: n{I
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor:
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: %`p
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: 2D
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: =
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: 3p!
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: *yl
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: :K
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: +0}
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: fIy
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: i1F
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: EFMk
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: =%;
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: >=\|
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: =E;
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: <=o
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: =E;
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: >U?
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: >Z5
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: ?E=
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: @*B
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: tv!
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: {(s
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: 3M
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: !m
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: U
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: $V\|
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: &&D
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: $6u
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: 'Fg
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: %V`
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: !
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: Wi{
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: G
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: U
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: ?P
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: k\|
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: x#n
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: O
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: -
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: f@.
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor:
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: \|Jn
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: FZD
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: 0i{
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: 4
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: e;F
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: %2*
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: 1
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor:
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: +zJ
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: A5p
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor:
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: lKJ
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: V2
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: 5K=
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: );
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: ~
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: h*
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: 6ix
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: \|:
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: b
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: :u>
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: fod
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: *
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: \|
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: .
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: '&{
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: (Aj
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor:
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: *'g
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: )&5
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: Bx#
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: _X&
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: {_
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: h
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: &
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: n'/
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: DR
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: ]
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: }Qp
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: Z
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: \|}/
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: JQ@
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: twO
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: x
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: j[#
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: rg
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: ca,
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: Ra~
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: o:@
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: /t-
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: 'C?
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: {U
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: }\Z
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor:
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: &]p
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: nF
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: MJN
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: Per
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: B
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: \|\#
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: A
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: z
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: qtL
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: m
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: }e9
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: /
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: l>c
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: ggK
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: :+s
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: <w
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: F
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor:
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: Dci
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: 1pG
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: ,iB
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: L
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: \|
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: \|s
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: kqL
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: ^
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: 6^w%mG
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: -Or
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: x
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: ??c
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: +ND
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: U
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: h
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: }RD
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: edn
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: ea
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: ?
Source: 20.2.223E.exe.42def90.1.raw.unpack	String decryptor: I#:

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\5B59.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\6A3D.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8\BDC0.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\205aa591-8aa8-4e2c-a5b1-c9b7aaf860cf\build2.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\110C.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build2[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\223E.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\4445.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Joe Sandbox ML: detected

Source: BDC0.exe, 00000013.00000002.937078432.00000000031EB000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	Unpacked PE file: 6.2.BDC0.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8\BDC0.exe	Unpacked PE file: 17.2.BDC0.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	Unpacked PE file: 19.2.BDC0.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8\BDC0.exe	Unpacked PE file: 31.2.BDC0.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\946D.exe	Unpacked PE file: 32.2.946D.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\8DD2.exe	Unpacked PE file: 37.2.8DD2.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\794C.exe	Unpacked PE file: 39.2.794C.exe.400000.0.unpack

Source: 02107799.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	File created: C:\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	File created: C:\Users\user\_readme.txt

Source: C:\Users\user\Desktop\02107799.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source:	Binary string: C:\widejasediboh-roxujixawe\yoj\vumeso-lix.pdb source: 02107799.exe, 00000000.00000000.371224251.0000000000401000.00000020.00000001.01000000.00000003.sdmp, cuwsgii, 00000004.00000000.442476877.0000000000401000.00000020.00000001.01000000.00000006.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: BDC0.exe, 00000005.00000002.453783695.0000000002510000.00000040.00001000.00020000.00000000.sdmp, BDC0.exe, 00000006.00000002.461344715.0000000000400000.00000040.00000400.00020000.00000000.sdmp, BDC0.exe, 0000000B.00000002.463587041.0000000002480000.00000040.00001000.00020000.00000000.sdmp, BDC0.exe, 00000011.00000002.895547083.0000000000400000.00000040.00000400.00020000.00000000.sdmp, BDC0.exe, 00000012.00000002.463532414.0000000002410000.00000040.00001000.00020000.00000000.sdmp, BDC0.exe, 00000013.00000002.895386251.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: P:\Target\x64\ship\groove\x-none\grooveex.pdbeex.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: explorer.exe, 00000001.00000000.395956328.00007FFA13021000.00000020.00000001.01000000.00000005.sdmp
Source:	Binary string: P:\Target\x64\ship\groove\x-none\grooveex.pdb source: explorer.exe, 00000001.00000000.395956328.00007FFA13021000.00000020.00000001.01000000.00000005.sdmp
Source:	Binary string: helppane.pdb source: 223E.exe, 00000014.00000002.513841779.00000000040C5000.00000004.00000800.00020000.00000000.sdmp, aafg31.exe, 00000015.00000000.472372573.00007FF6607D1000.00000020.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb source: 223E.exe, 00000014.00000002.513841779.00000000040C5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\huvuvig\juhohan\bamakexuvoni\vaxilil\javefi\5\liguvihahoca\suci.pdb source: explorer.exe, 00000001.00000003.451894424.0000000012E53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.451378243.000000001344F000.00000004.00000010.00020000.00000000.sdmp, BDC0.exe
Source:	Binary string: CGC:\huvuvig\juhohan\bamakexuvoni\vaxilil\javefi\5\liguvihahoca\suci.pdb source: explorer.exe, 00000001.00000003.451894424.0000000012E53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.451378243.000000001344F000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: BDC0.exe, 00000005.00000002.453783695.0000000002510000.00000040.00001000.00020000.00000000.sdmp, BDC0.exe, 00000006.00000002.461344715.0000000000400000.00000040.00000400.00020000.00000000.sdmp, BDC0.exe, 0000000B.00000002.463587041.0000000002480000.00000040.00001000.00020000.00000000.sdmp, BDC0.exe, 00000011.00000002.895547083.0000000000400000.00000040.00000400.00020000.00000000.sdmp, BDC0.exe, 00000012.00000002.463532414.0000000002410000.00000040.00001000.00020000.00000000.sdmp, BDC0.exe, 00000013.00000002.895386251.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: vCC:\widejasediboh-roxujixawe\yoj\vumeso-lix.pdb source: 02107799.exe, 00000000.00000000.371224251.0000000000401000.00000020.00000001.01000000.00000003.sdmp, cuwsgii, 00000004.00000000.442476877.0000000000401000.00000020.00000001.01000000.00000006.sdmp
Source:	Binary string: eex.pdb source: explorer.exe, 00000001.00000000.395956328.00007FFA13021000.00000020.00000001.01000000.00000005.sdmp
Source:	Binary string: )5C:\rusuxenalo\dutaz jale\puyenotak\tipibu.pdb source: explorer.exe, 00000001.00000003.455193216.0000000012CB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.455319120.0000000012E55000.00000004.00000001.00020000.00000000.sdmp, AD22.exe, 00000007.00000000.455578864.0000000000401000.00000020.00000001.01000000.00000009.sdmp
Source:	Binary string: C:\rusuxenalo\dutaz jale\puyenotak\tipibu.pdb source: explorer.exe, 00000001.00000003.455193216.0000000012CB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.455319120.0000000012E55000.00000004.00000001.00020000.00000000.sdmp, AD22.exe, 00000007.00000000.455578864.0000000000401000.00000020.00000001.01000000.00000009.sdmp

Source: C:\Users\user\AppData\Local\Temp\BDC0.exe

Code function: 5_2_00403870 GetStringTypeExA,FindFirstVolumeMountPointW,GetPrivateProfileIntA,WaitForSingleObject,FreeConsole,GetConsoleCursorInfo,GetModuleFileNameW,EnumFontsW,GetConsoleCursorInfo,GetModuleFileNameW,EnumFontsW,GetVersionExW,GetConsoleAliasesLengthA,SleepEx,CreateFileMappingW,CreateMutexA,GetCommState,FreeConsole,MapGenericMask,DebugBreak,AttachConsole,MapGenericMask,DebugBreak,FreeConsole,AttachConsole,FreeConsole,InterlockedExchangeAdd,WaitForMultipleObjectsEx,GetCharWidthW,GetCharABCWidthsFloatW,GetCharWidthW,GetCharABCWidthsFloatW,GetLastError,GetLastError,ReplaceFileA,WritePrivateProfileStringW,lstrcmpiW,CreateEventW,ReplaceFileA,WritePrivateProfileStringW,lstrcmpiW,CreateEventW,MulDiv,CreateActCtxA,GetFileAttributesExW,GetLogicalDriveStringsA,MulDiv,CreateActCtxA,GetFileAttributesExW,GetLogicalDriveStringsA,GetLongPathNameA,WritePrivateProfileStructW,IsBadReadPtr,CancelWaitableTimer,GetFileType,GetModuleHandleA,

Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\Videos\desktop.ini
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\Music\desktop.ini
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\Searches\desktop.ini
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 123.140.161.243 80
Source: C:\Windows\explorer.exe	Network Connect: 80.66.203.53 443
Source: C:\Windows\System32\rundll32.exe	Network Connect: 45.9.74.80 80
Source: C:\Windows\explorer.exe	Network Connect: 217.174.148.28 443
Source: C:\Windows\explorer.exe	Network Connect: 175.119.10.231 80
Source: C:\Windows\explorer.exe	Network Connect: 188.114.97.7 80
Source: C:\Windows\explorer.exe	Network Connect: 211.40.39.251 80
Source: C:\Windows\explorer.exe	Network Connect: 211.171.233.129 80
Source: C:\Windows\explorer.exe	Network Connect: 188.114.96.7 80
Source: C:\Windows\explorer.exe	Network Connect: 211.119.84.112 80
Source: C:\Windows\explorer.exe	Network Connect: 183.100.39.157 80
Source: C:\Windows\explorer.exe	Network Connect: 80.210.25.252 80
Source: C:\Windows\explorer.exe	Network Connect: 222.236.49.123 80
Source: C:\Windows\explorer.exe	Network Connect: 194.180.48.90 80
Source: C:\Windows\explorer.exe	Network Connect: 222.236.49.124 80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: 45.9.74.80/0bjdn2Z/index.php
Source: Malware configuration extractor	URLs: http://zexeq.com/raud/get.php
Source: Malware configuration extractor	URLs: http://toobussy.com/tmp/
Source: Malware configuration extractor	URLs: http://wuc11.com/tmp/
Source: Malware configuration extractor	URLs: http://ladogatur.ru/tmp/
Source: Malware configuration extractor	URLs: http://kingpirate.ru/tmp/
Source: Malware configuration extractor	URLs: https://steamcommunity.com/profiles/76561199508624021
Source: Malware configuration extractor	URLs: https://t.me/looking_glassbot

Source: Joe Sandbox View	IP Address: 103.100.211.218 103.100.211.218
Source: Joe Sandbox View	IP Address: 103.100.211.218 103.100.211.218

Source: unknown

Network traffic detected: IP country count 12

Source: aafg31.exe, 00000015.00000003.747091320.0000020955D07000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.785925314.0000020955D0E000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.872189879.0000020955D0E000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.802910134.0000020955D0E000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.847680947.0000020955D0E000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.747762577.0000020955D10000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.679386130.0000020953C59000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.839605379.0000020955D12000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.764921022.0000020955D12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.9.74.80/0bjds.apjeoighw.com/
Source: aafg31.exe, 00000015.00000003.589214326.0000020953C59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.9.74.80/0bjds.apjeoighw.com/check/?sid=436838&key=0f2526fc923d8a6ab4c43d0a56a5696e
Source: BDC0.exe, 00000013.00000002.912417927.0000000000868000.00000004.00000020.00020000.00000000.sdmp, BDC0.exe, 00000013.00000002.912417927.00000000008ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://colisumy.com/dl/build2.exe
Source: BDC0.exe, 00000013.00000002.912417927.00000000008ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://colisumy.com/dl/build2.exe$run
Source: BDC0.exe, 00000013.00000002.912417927.0000000000868000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://colisumy.com/dl/build2.exe/p
Source: BDC0.exe, 00000013.00000002.912417927.00000000008ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://colisumy.com/dl/build2.exerun417
Source: BDC0.exe, 00000011.00000002.897516846.0000000000568000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://colisumy.com/dlget.php?pid=903E7F261711F85395E5CEFBF4173C54
Source: explorer.exe, 00000001.00000000.396414870.00007FFA13109000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://components.groove.net/Groove/Components/Root.osd?Package=net.groove.Groove.Tools.System.Groov
Source: explorer.exe, 00000001.00000000.396414870.00007FFA13109000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://components.groove.net/Groove/Components/SystemComponents/SystemComponents.osd?Package=net.gro
Source: BDC0.exe, 00000006.00000003.454948024.0000000000683000.00000004.00000020.00020000.00000000.sdmp, BDC0.exe, 00000006.00000002.461754674.0000000000683000.00000004.00000020.00020000.00000000.sdmp, BDC0.exe, 00000006.00000003.454804668.0000000000683000.00000004.00000020.00020000.00000000.sdmp, BDC0.exe, 00000011.00000002.897516846.00000000005B4000.00000004.00000020.00020000.00000000.sdmp, BDC0.exe, 00000011.00000003.466616880.00000000005B3000.00000004.00000020.00020000.00000000.sdmp, BDC0.exe, 00000013.00000003.464201683.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, BDC0.exe, 00000013.00000002.912417927.0000000000868000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.644636498.0000020953C1A000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.747458130.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.586782794.0000020953C18000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.718720439.0000020953C1A000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.765330499.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.586487375.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.633428878.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.708902609.0000020953C18000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.775551486.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.626742491.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.853929000.0000020953C14000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.640779902.0000020953C1A000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.872402384.0000020953C16000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.703897096.0000020953C18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: BDC0.exe, 00000005.00000002.453783695.0000000002510000.00000040.00001000.00020000.00000000.sdmp, BDC0.exe, 00000006.00000002.461344715.0000000000400000.00000040.00000400.00020000.00000000.sdmp, BDC0.exe, 0000000B.00000002.463587041.0000000002480000.00000040.00001000.00020000.00000000.sdmp, BDC0.exe, 00000011.00000002.895547083.0000000000400000.00000040.00000400.00020000.00000000.sdmp, BDC0.exe, 00000012.00000002.463532414.0000000002410000.00000040.00001000.00020000.00000000.sdmp, BDC0.exe, 00000013.00000002.895386251.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error
Source: aafg31.exe, 00000015.00000003.518091220.0000020953BEF000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.527562190.0000020953BEF000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.493686172.0000020953BEF000.00000004.00001000.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.511244929.0000020953BEF000.00000004.00000001.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.895672737.0000020953BC3000.00000004.00000001.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.502518645.0000020953BEF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://jp.imgjeoighw.com/sts/image.jpg
Source: aafg31.exe, 00000015.00000003.702328602.0000020955D15000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.963156667.0000020955A80000.00000040.00001000.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.928321825.0000020955550000.00000004.00001000.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.898715266.0000020953C70000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ss.apjeoighw.com/
Source: aafg31.exe, 00000015.00000003.613408935.0000020953C59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ss.apjeoighw.com/check/?sid=436898&key=31b04f4e86a5030e55172a3ce21438a6f
Source: aafg31.exe, 00000015.00000003.679386130.0000020953C59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ss.apjeoighw.com/check/?sid=437058&key=7c45c7b8ba54fad24dbc26b647ebd1bcf
Source: aafg31.exe, 00000015.00000003.685325297.0000020953C59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ss.apjeoighw.com/check/?sid=437114&key=556b8e8f2c0037a585c40888436f6c33f
Source: aafg31.exe, 00000015.00000003.747091320.0000020955D07000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.785925314.0000020955D0E000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.802910134.0000020955D0E000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.847680947.0000020955D0E000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.747762577.0000020955D10000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.839605379.0000020955D12000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.764921022.0000020955D12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ss.apjeoighw.com/check/?sid=437232&key=35a897019d4d6b7304232007313f15f2
Source: aafg31.exe, 00000015.00000003.785925314.0000020955D0E000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.802910134.0000020955D0E000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.847680947.0000020955D0E000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.839605379.0000020955D12000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.764921022.0000020955D12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ss.apjeoighw.com/check/?sid=437284&key=c4d583a983211d53f326aa000dca4127
Source: aafg31.exe, 00000015.00000002.972077905.0000020955BFD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ss.apjeoighw.com/check/?sid=437712&key=e0936dbb5215a1cc85afbf7dbb62727d
Source: aafg31.exe, 00000015.00000003.589214326.0000020953C04000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.928321825.0000020955550000.00000004.00001000.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.895672737.0000020953B7B000.00000004.00000001.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.898715266.0000020953C70000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ss.apjeoighw.com/check/safe
Source: aafg31.exe, 00000015.00000003.748891799.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ss.apjeoighw.com/check/safe13f15f2
Source: aafg31.exe, 00000015.00000002.972077905.0000020955BFD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ss.apjeoighw.com/check/safe1B
Source: aafg31.exe, 00000015.00000003.753128296.0000020953C01000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.748891799.0000020953C04000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ss.apjeoighw.com/check/safeS
Source: aafg31.exe, 00000015.00000003.644636498.0000020953C1A000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.633428878.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.626742491.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.640779902.0000020953C1A000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.653577716.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.635219550.0000020953C1A000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.615362679.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.613408935.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.648060767.0000020953C1A000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.639945801.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ss.apjeoighw.com:80/check/?sid=436898&key=31b04f4e86a5030e55172a3ce21438a6
Source: aafg31.exe, 00000015.00000003.678658664.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.679386130.0000020953C18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ss.apjeoighw.com:80/check/?sid=437058&key=7c45c7b8ba54fad24dbc26b647ebd1bc
Source: aafg31.exe, 00000015.00000003.718720439.0000020953C1A000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.708902609.0000020953C18000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.703897096.0000020953C18000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.686001799.0000020953C18000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.725776709.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.697812636.0000020953C18000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.703042210.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.685325297.0000020953C18000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.691479412.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.708488932.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.718518496.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.684916045.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.727495452.0000020953C18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ss.apjeoighw.com:80/check/?sid=437114&key=556b8e8f2c0037a585c40888436f6c335
Source: aafg31.exe, 00000015.00000003.765330499.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.775551486.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.853929000.0000020953C14000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.789517605.0000020953C1A000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.767549181.0000020953C1A000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.803618288.0000020953C1A000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.853735463.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ss.apjeoighw.com:80/check/?sid=437284&key=c4d583a983211d53f326aa000dca4127MjIzMSIsICJ1bl9wd2Q
Source: aafg31.exe, 00000015.00000003.644636498.0000020953C1A000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.718720439.0000020953C1A000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.633428878.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.708902609.0000020953C18000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.626742491.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.640779902.0000020953C1A000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.703897096.0000020953C18000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.653577716.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.686001799.0000020953C18000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.697812636.0000020953C18000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.678658664.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.703042210.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.685325297.0000020953C18000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.691479412.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.708488932.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.718518496.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.635219550.0000020953C1A000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.679386130.0000020953C18000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.684916045.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.615362679.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.613408935.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ss.apjeoighw.com:80/check/safe
Source: aafg31.exe, 00000015.00000003.718720439.0000020953C1A000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.708902609.0000020953C18000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.703897096.0000020953C18000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.686001799.0000020953C18000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.725776709.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.697812636.0000020953C18000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.703042210.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.685325297.0000020953C18000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.691479412.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.708488932.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.718518496.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.684916045.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.727495452.0000020953C18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ss.apjeoighw.com:80/check/safeD
Source: BDC0.exe, 00000013.00000003.476305321.0000000009890000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.amazon.com/
Source: explorer.exe, 00000001.00000000.382909770.000000000091F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: BDC0.exe, 00000013.00000003.476398741.0000000009890000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/
Source: BDC0.exe, 00000013.00000003.476481044.0000000009890000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.live.com/
Source: BDC0.exe, 00000013.00000003.476513071.0000000009890000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.nytimes.com/
Source: BDC0.exe, 00000013.00000002.895386251.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: BDC0.exe, 00000013.00000003.476541733.0000000009890000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.reddit.com/
Source: BDC0.exe, 00000013.00000003.476625971.0000000009890000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.twitter.com/
Source: BDC0.exe, 00000013.00000003.476659640.0000000009890000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.wikipedia.com/
Source: BDC0.exe, 00000013.00000003.476682552.0000000009890000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.com/
Source: BDC0.exe, 00000013.00000002.937078432.00000000031EB000.00000004.00000020.00020000.00000000.sdmp, BDC0.exe, 00000013.00000002.912417927.0000000000907000.00000004.00000020.00020000.00000000.sdmp, BDC0.exe, 00000013.00000002.912417927.00000000008ED000.00000004.00000020.00020000.00000000.sdmp, BDC0.exe, 00000013.00000002.937078432.00000000031F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/files/1/build3.exe
Source: BDC0.exe, 00000013.00000002.912417927.00000000008ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/files/1/build3.exe$run
Source: BDC0.exe, 00000013.00000002.912417927.00000000008ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/files/1/build3.exe$runP
Source: BDC0.exe, 00000013.00000002.912417927.00000000008ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/files/1/build3.exe$rung
Source: BDC0.exe, 00000013.00000002.912417927.0000000000868000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/files/1/build3.exe$runyinstall020921_delay721_sec.exe0
Source: BDC0.exe, 00000013.00000002.912417927.00000000008ED000.00000004.00000020.00020000.00000000.sdmp, BDC0.exe, 00000013.00000002.937078432.00000000031F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/files/1/build3.exerun
Source: BDC0.exe, 00000011.00000002.897516846.0000000000613000.00000004.00000020.00020000.00000000.sdmp, BDC0.exe, 00000013.00000002.912417927.0000000000907000.00000004.00000020.00020000.00000000.sdmp, BDC0.exe, 00000013.00000002.912417927.00000000008F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/raud/get.php
Source: BDC0.exe, 00000011.00000002.897516846.00000000005B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/raud/get.php?pid=903E7F261711F85395E5CEFBF4173C54
Source: BDC0.exe, 00000013.00000002.912417927.00000000008F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/raud/get.php?pid=903E7F261711F85395E5CEFBF4173C54&first=trueb
Source: BDC0.exe, 00000013.00000002.912417927.00000000008F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/raud/get.php?pid=903E7F261711F85395E5CEFBF4173C54&first=truey
Source: BDC0.exe, 00000011.00000002.897516846.00000000005B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/raud/get.php?pid=903E7F261711F85395E5CEFBF4173C544.
Source: BDC0.exe, 00000011.00000002.897516846.0000000000613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/raud/get.phpL
Source: BDC0.exe, 00000011.00000002.897516846.0000000000613000.00000004.00000020.00020000.00000000.sdmp, BDC0.exe, 00000013.00000002.912417927.0000000000907000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/raud/get.phpep
Source: BDC0.exe, 00000013.00000003.464201683.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, BDC0.exe, 00000013.00000002.912417927.0000000000868000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/
Source: BDC0.exe, 00000006.00000002.461754674.0000000000653000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/:m
Source: BDC0.exe, 00000013.00000003.464201683.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, BDC0.exe, 00000013.00000002.912417927.0000000000868000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/H
Source: BDC0.exe, 00000005.00000002.453783695.0000000002510000.00000040.00001000.00020000.00000000.sdmp, BDC0.exe, 00000006.00000002.461344715.0000000000400000.00000040.00000400.00020000.00000000.sdmp, BDC0.exe, 00000006.00000002.461754674.0000000000622000.00000004.00000020.00020000.00000000.sdmp, BDC0.exe, 0000000B.00000002.463587041.0000000002480000.00000040.00001000.00020000.00000000.sdmp, BDC0.exe, 00000011.00000002.897516846.00000000005B4000.00000004.00000020.00020000.00000000.sdmp, BDC0.exe, 00000011.00000002.895547083.0000000000400000.00000040.00000400.00020000.00000000.sdmp, BDC0.exe, 00000011.00000002.897516846.0000000000568000.00000004.00000020.00020000.00000000.sdmp, BDC0.exe, 00000011.00000003.466616880.00000000005B3000.00000004.00000020.00020000.00000000.sdmp, BDC0.exe, 00000012.00000002.463532414.0000000002410000.00000040.00001000.00020000.00000000.sdmp, BDC0.exe, 00000013.00000003.464201683.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, BDC0.exe, 00000013.00000002.895386251.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.json
Source: BDC0.exe, 00000011.00000002.897516846.00000000005B4000.00000004.00000020.00020000.00000000.sdmp, BDC0.exe, 00000011.00000003.466616880.00000000005B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.json#?
Source: BDC0.exe, 00000011.00000002.897516846.00000000005B4000.00000004.00000020.00020000.00000000.sdmp, BDC0.exe, 00000011.00000003.466616880.00000000005B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.json;?
Source: BDC0.exe, 00000013.00000003.464201683.00000000008AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonFA
Source: BDC0.exe, 00000006.00000002.461754674.0000000000622000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonX
Source: BDC0.exe, 00000013.00000003.464201683.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, BDC0.exe, 00000013.00000002.912417927.0000000000868000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonr
Source: BDC0.exe, 00000013.00000003.464201683.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, BDC0.exe, 00000013.00000002.912417927.0000000000868000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonz
Source: aafg31.exe, 00000015.00000003.871483645.0000020955D5B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661860603.0000020955D4B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.682406444.0000020955D44000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.682234652.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.891564020.0000020955D76000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.725526339.0000020955D63000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.610458087.0000020955D0D000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661265412.0000020955D14000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.725252342.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.727653565.0000020955D47000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.726734363.0000020955D43000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.748027526.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.608542388.0000020955D2B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.869877378.0000020955C11000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.609917388.0000020955D07000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661265412.0000020955D4B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.587487365.0000020955D3F000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.746443120.0000020955D95000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.891215691.0000020955C11000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.610990462.0000020955D0F000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.892118052.0000020955D54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://messenger.com/
Source: aafg31.exe, 00000015.00000003.589214326.0000020953C64000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.586782794.0000020953C64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net
Source: aafg31.exe, 00000015.00000003.727362332.0000020955D46000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661661754.0000020955D07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/y-/l/0
Source: aafg31.exe, 00000015.00000003.871483645.0000020955D5B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661860603.0000020955D4B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.682406444.0000020955D44000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.682234652.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.610458087.0000020955D0D000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661265412.0000020955D14000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.725252342.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.727653565.0000020955D47000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.726734363.0000020955D43000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.748027526.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.608542388.0000020955D2B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.869877378.0000020955C11000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.609917388.0000020955D07000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661265412.0000020955D4B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.587487365.0000020955D3F000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.746443120.0000020955D95000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.891215691.0000020955C11000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.610990462.0000020955D0F000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.892118052.0000020955D54000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.746443120.0000020955D4A000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.727362332.0000020955D46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/y2/l/0
Source: aafg31.exe, 00000015.00000003.871483645.0000020955D5B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661860603.0000020955D4B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.682406444.0000020955D44000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.682234652.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.610458087.0000020955D0D000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661265412.0000020955D14000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.725252342.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.727653565.0000020955D47000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.726734363.0000020955D43000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.748027526.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.608542388.0000020955D2B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.869877378.0000020955C11000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.609917388.0000020955D07000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661265412.0000020955D4B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.587487365.0000020955D3F000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.746443120.0000020955D95000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.891215691.0000020955C11000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.610990462.0000020955D0F000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.892118052.0000020955D54000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.746443120.0000020955D4A000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.727362332.0000020955D46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/y4/r/ZZnKfYusN8Z.js?_nc_x=Ij3Wp8lg5Kz
Source: aafg31.exe, 00000015.00000003.871483645.0000020955D5B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661860603.0000020955D4B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.682406444.0000020955D44000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.682234652.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.610458087.0000020955D0D000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661265412.0000020955D14000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.725252342.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.727653565.0000020955D47000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.726734363.0000020955D43000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.748027526.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.608542388.0000020955D2B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.869877378.0000020955C11000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.609917388.0000020955D07000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661265412.0000020955D4B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.587487365.0000020955D3F000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.746443120.0000020955D95000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.891215691.0000020955C11000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.610990462.0000020955D0F000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.892118052.0000020955D54000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.746443120.0000020955D4A000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.727362332.0000020955D46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yB/l/0
Source: aafg31.exe, 00000015.00000003.727362332.0000020955D46000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661661754.0000020955D07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yE/l/0
Source: aafg31.exe, 00000015.00000003.871483645.0000020955D5B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661860603.0000020955D4B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.682406444.0000020955D44000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.682234652.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.610458087.0000020955D0D000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661265412.0000020955D14000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.725252342.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.727653565.0000020955D47000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.726734363.0000020955D43000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.748027526.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.608542388.0000020955D2B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.869877378.0000020955C11000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.609917388.0000020955D07000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661265412.0000020955D4B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.587487365.0000020955D3F000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.746443120.0000020955D95000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.891215691.0000020955C11000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.610990462.0000020955D0F000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.892118052.0000020955D54000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.746443120.0000020955D4A000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.727362332.0000020955D46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yE/r/yWg6mkUCjYR.js?_nc_x=Ij3Wp8lg5Kz
Source: aafg31.exe, 00000015.00000003.661727127.0000020953C60000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.896936074.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.610052648.0000020953C62000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.747458130.0000020953C62000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.678658664.0000020953C63000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.748891799.0000020953C62000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.727495452.0000020953C63000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.586782794.0000020953C64000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.610737115.0000020953C62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yI/r/Ib90vcVxYzI.js?_nc_x=Ij3Wp8lg5Kz
Source: aafg31.exe, 00000015.00000003.727362332.0000020955D46000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661661754.0000020955D07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yK/l/0
Source: aafg31.exe, 00000015.00000003.871483645.0000020955D5B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661860603.0000020955D4B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.682406444.0000020955D44000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.872402384.0000020953C62000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.682234652.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.610458087.0000020955D0D000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.585095031.0000020953C04000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.872402384.0000020953C16000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.682568528.0000020955D10000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.872189879.0000020955D0E000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.892118052.0000020955D48000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661265412.0000020955D14000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.725252342.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.727653565.0000020955D47000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.747896229.0000020955CFE000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.871983191.0000020955D48000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.726734363.0000020955D43000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.748027526.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.608542388.0000020955D2B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.869877378.0000020955C11000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.609917388.0000020955D07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yL/r/camCPYrr6r7.js?_nc_x=Ij3Wp8lg5Kz
Source: aafg31.exe, 00000015.00000002.896936074.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.610052648.0000020953C62000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.747458130.0000020953C62000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.748891799.0000020953C62000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.727495452.0000020953C63000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.610737115.0000020953C62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yO/r/_tJ17sGyxOX.js?_nc_x=Ij3Wp8lg5Kz
Source: aafg31.exe, 00000015.00000003.727362332.0000020955D46000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661661754.0000020955D07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yP/l/0
Source: aafg31.exe, 00000015.00000003.871483645.0000020955D5B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661860603.0000020955D4B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.682406444.0000020955D44000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.682234652.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.610458087.0000020955D0D000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661265412.0000020955D14000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.725252342.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.727653565.0000020955D47000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.726734363.0000020955D43000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.748027526.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.608542388.0000020955D2B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.869877378.0000020955C11000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.609917388.0000020955D07000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661265412.0000020955D4B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.587487365.0000020955D3F000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.746443120.0000020955D95000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.891215691.0000020955C11000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.610990462.0000020955D0F000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.892118052.0000020955D54000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.746443120.0000020955D4A000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.727362332.0000020955D46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yT/r/Kp9IMjEGN_T.js?_nc_x=Ij3Wp8lg5Kz
Source: aafg31.exe, 00000015.00000003.871483645.0000020955D5B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661860603.0000020955D4B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.682406444.0000020955D44000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.682234652.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.610458087.0000020955D0D000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661265412.0000020955D14000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.725252342.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.727653565.0000020955D47000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.726734363.0000020955D43000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.748027526.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.608542388.0000020955D2B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.869877378.0000020955C11000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.609917388.0000020955D07000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661265412.0000020955D4B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.587487365.0000020955D3F000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.746443120.0000020955D95000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.891215691.0000020955C11000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.610990462.0000020955D0F000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.892118052.0000020955D54000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.746443120.0000020955D4A000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.727362332.0000020955D46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/ye/r/sczXDyPA0UL.js?_nc_x=Ij3Wp8lg5Kz
Source: aafg31.exe, 00000015.00000003.871483645.0000020955D5B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661860603.0000020955D4B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.682406444.0000020955D44000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.682234652.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.610458087.0000020955D0D000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661265412.0000020955D14000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.725252342.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.727653565.0000020955D47000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.726734363.0000020955D43000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.748027526.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.608542388.0000020955D2B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.869877378.0000020955C11000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.609917388.0000020955D07000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661265412.0000020955D4B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.587487365.0000020955D3F000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.746443120.0000020955D95000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.891215691.0000020955C11000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.610990462.0000020955D0F000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.892118052.0000020955D54000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.746443120.0000020955D4A000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.727362332.0000020955D46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yn/r/A-4As8UDAZ8.js?_nc_x=Ij3Wp8lg5Kz
Source: aafg31.exe, 00000015.00000003.727362332.0000020955D46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yq/l/0
Source: aafg31.exe, 00000015.00000003.871483645.0000020955D5B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661860603.0000020955D4B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.682406444.0000020955D44000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.682234652.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.610458087.0000020955D0D000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661265412.0000020955D14000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.725252342.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.727653565.0000020955D47000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.726734363.0000020955D43000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.748027526.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.608542388.0000020955D2B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.869877378.0000020955C11000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.609917388.0000020955D07000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661265412.0000020955D4B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.587487365.0000020955D3F000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.746443120.0000020955D95000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.891215691.0000020955C11000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.610990462.0000020955D0F000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.892118052.0000020955D54000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.746443120.0000020955D4A000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.727362332.0000020955D46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3/yt/r/v75M7CPu9-P.js?_nc_x=Ij3Wp8lg5Kz
Source: aafg31.exe, 00000015.00000003.871483645.0000020955D5B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661860603.0000020955D4B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.682406444.0000020955D44000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.682234652.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.610458087.0000020955D0D000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661265412.0000020955D14000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.725252342.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.727653565.0000020955D47000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.726734363.0000020955D43000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.748027526.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.608542388.0000020955D2B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.869877378.0000020955C11000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.609917388.0000020955D07000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661265412.0000020955D4B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.587487365.0000020955D3F000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.746443120.0000020955D95000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.891215691.0000020955C11000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.610990462.0000020955D0F000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.892118052.0000020955D54000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.746443120.0000020955D4A000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.727362332.0000020955D46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.xx.fbcdn.net/rsrc.php/v3i7M54/yx/l/en_US/LsRZeEzcd6B.js?_nc_x=Ij3Wp8lg5Kz
Source: BDC0.exe, 00000011.00000002.897516846.0000000000613000.00000004.00000020.00020000.00000000.sdmp, BDC0.exe, 00000013.00000002.912417927.0000000000907000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://we.tl/t-tnzomMj6
Source: BDC0.exe, 00000011.00000002.897516846.0000000000613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://we.tl/t-tnzomMj6$
Source: BDC0.exe, 00000011.00000002.897516846.0000000000613000.00000004.00000020.00020000.00000000.sdmp, BDC0.exe, 00000011.00000002.897516846.0000000000632000.00000004.00000020.00020000.00000000.sdmp, BDC0.exe, 00000013.00000002.912417927.0000000000907000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://we.tl/t-tnzomMj6HU

Source: aafg31.exe, 00000015.00000003.585095031.0000020953C61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: #gJk3RYKhstar-mini.c10r.facebook.comwww.facebook.comFXj6EPkNg4WXHCg52HIoEQn7GF0F9SBjFHg2D2lZOfmSaHvPyCZZjaJ5cbtVLzodNzkJjPBYkXrjN517PTNCwAF+80uNh76Bcw+HDqwUHRm3Nia9NN2qVmW3MKGv20E0gK7ncJ21FvxG1jv/nFRw03kOspr4Zom7/Tdh2mQA1BgNE3RHwa32WfmbCExrN11Ls19TySQD2PiGBYkIY8z0c2kpiXgBQ0rbGE2VIhO9Hs1BZr5d721PdODZ+CGJKWZ90t8S8YZOxJg/66A3Wx4cC99mjipIu9ioEe3NTp3v5FJAPFZbUGtMbnLh+M0lircY9pNdJVINT86MKRHX6vhuzJGEx9ezIGcNieBMAcDYTZeQTED8o8AuI7a9cRkFE4or44CpHBUw6FqVqj+uhbvvudjcwjG8lOpdtpUj80ZB4hpocdh2lKuxh/WArZs3uAHIE1f4pce6y2XOvsh6Br9f0rtUqnOrOB3092tKvNbr1SrNO3ReNt0XhrrTGMxLpArlqoNlf2VyGowHYz2VdrF+kfRWBdaRRL2mJT1xyeMAjS+8gVSqO2DCEGygNkp2r8QQW70rWOSi5T59FmpjmWZUcj+2H6+dRAhjl3qr2Rjke7TpNxrE5U8reTa0zBKjq4FhnRmiVbrQb2zim0iPq3KDwbWZcZr7MSPXpkHy2e5qe0Br9RaxxRThv/pBXjn3tTxj9zJ4x/Ti8wj4TszZP31Tr3qZ2FboseQ9PoQuTB4bWFa8nWAbj8XqcAe7y/kWyBsth/UyBmEKhwHXOlceSNnXVsAmbetqbRefa+13l+MsDoeK/RbXeMzrH59JKknr11j3k+ucEa3DG1sdSF4ep9PsPobiHX9L4f28O7nmzrQbbhohcRwDTKxiY2MWEcGZdcPvmXp8g+q4PjaqOr1ntZwb0IUPSeG44Pk+EA2efXwMLnOugxBtY86DEOoeugRwCM0XEYCweZzZJxpFrm6bm/zbKhiUkx6VoNe+v3/vvV1zC/3l/3oMfVgCrdhT9frr3YQDlf1RBgrLbMjZND9LopWGNX8hikgZk8BkLtSh6D4o4Gwl14c4jZ0j8yw0sgpX0mwHGGL3X1fO0heLO4uv9w4t5bUtcsNzvN/dph6Zb9rXq3nbrK+Htpf+Je69XS4aT1aqvj7+aKpvdg8SC1jf4K9VP3NxsaGu9Xy9rLzO/6Xw/1CV8r041GiD3NX5T5uftgkhfgZoxtPBLZ3TPaxeyypi/RU/d9CKpczDYPJK61Oo/35lqdV0PXWp1Py6hXS0cSxrn0+dEpsn2BLk2WtXvpbuC5ZWpe6NEmTPCQ4+A7Pa7uDTh0XN0HbOxxdZ92zoPZ3iDmwWyf5q6D2f7toz7t6SFTY8m7J6BCvOeuvvlf39l45uvfef3DIeaTEzKOIeM+LzJaftVByKDyGApGyFAwQnoXCrg0Cekpj+EBMv51iFxvWbGFrr4I82ZRBFS8ddjZ3OAD7Vod8IQwVwe8G7tWB3xbR71bG/M0DndLxuHuJB93He5+0xRhrIanmt1y9VSTrjdhei2yx/HF1TyrBMCUrjYqiIO4mQp/PZkpWX8WlxFWI/ZhQpyVKq0Uy83GYk23UgfzJJOVCFxHGEdnvTAjQXb1z3UMvcYcr4t4NRNtL0DPcHi2i3q06x2vj9i7k62o41vvf/XXEJ7SYjnWB8jVhrpcKz9Qq4Co9aZ+r7pslFzY77RH28i1FlwfhkL0TdE2xgPCZYUO8shduZi equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.586782794.0000020953C59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: #gJk3RYKhstar-mini.c10r.facebook.comwww.facebook.comFXj6EPkNg4WXHCg52HIoEQn7GF0F9SBjFHg2D2lZOfmSaHvPyCZZjaJ5cbtVLzodNzkJjPBYkXrjN517PTNCwAF+80uNh76Bcw+HDqwUHRm3Nia9NN2qVmW3MKGv20E0gK7ncJ21FvxG1jv/nFRw03kOspr4Zom7/Tdh2mQA1BgNE3RHwa32WfmbCExrN11Ls19TySQD2PiGBYkIY8z0c2kpiXgBQ0rbGE2VIhO9Hs1BZr5d721PdODZ+CGJKWZ90t8S8YZOxJg/66A3Wx4cC99mjipIu9ioEe3NTp3v5FJAPFZbUGtMbnLh+M0lircY9pNdJVINT86MKRHX6vhuzJGEx9ezIGcNieBMAcDYTZeQTED8o8AuI7a9cRkFE4or44CpHBUw6FqVqj+uhbvvudjcwjG8lOpdtpUj80ZB4hpocdh2lKuxh/WArZs3uAHIE1f4pce6y2XOvsh6Br9f0rtUqnOrOB3092tKvNbr1SrNO3ReNt0XhrrTGMxLpArlqoNlf2VyGowHYz2VdrF+kfRWBdaRRL2mJT1xyeMAjS+8gVSqO2DCEGygNkp2r8QQW70rWOSi5T59FmpjmWZUcj+2H6+dRAhjl3qr2Rjke7TpNxrE5U8reTa0zBKjq4FhnRmiVbrQb2zim0iPq3KDwbWZcZr7MSPXpkHy2e5qe0Br9RaxxRThv/pBXjn3tTxj9zJ4x/Ti8wj4TszZP31Tr3qZ2FboseQ9PoQuTB4bWFa8nWAbj8XqcAe7y/kWyBsth/UyBmEKhwHXOlceSNnXVsAmbetqbRefa+13l+MsDoeK/RbXeMzrH59JKknr11j3k+ucEa3DG1sdSF4ep9PsPobiHX9L4f28O7nmzrQbbhohcRwDTKxiY2MWEcGZdcPvmXp8g+q4PjaqOr1ntZwb0IUPSeG44Pk+EA2efXwMLnOugxBtY86DEOoeugRwCM0XEYCweZzZJxpFrm6bm/zbKhiUkx6VoNe+v3/vvV1zC/3l/3oMfVgCrdhT9frr3YQDlf1RBgrLbMjZND9LopWGNX8hikgZk8BkLtSh6D4o4Gwl14c4jZ0j8yw0sgpX0mwHGGL3X1fO0heLO4uv9w4t5bUtcsNzvN/dph6Zb9rXq3nbrK+Htpf+Je69XS4aT1aqvj7+aKpvdg8SC1jf4K9VP3NxsaGu9Xy9rLzO/6Xw/1CV8r041GiD3NX5T5uftgkhfgZoxtPBLZ3TPaxeyypi/RU/d9CKpczDYPJK61Oo/35lqdV0PXWp1Py6hXS0cSxrn0+dEpsn2BLk2WtXvpbuC5ZWpe6NEmTPCQ4+A7Pa7uDTh0XN0HbOxxdZ92zoPZ3iDmwWyf5q6D2f7toz7t6SFTY8m7J6BCvOeuvvlf39l45uvfef3DIeaTEzKOIeM+LzJaftVByKDyGApGyFAwQnoXCrg0Cekpj+EBMv51iFxvWbGFrr4I82ZRBFS8ddjZ3OAD7Vod8IQwVwe8G7tWB3xbR71bG/M0DndLxuHuJB93He5+0xRhrIanmt1y9VSTrjdhei2yx/HF1TyrBMCUrjYqiIO4mQp/PZkpWX8WlxFWI/ZhQpyVKq0Uy83GYk23UgfzJJOVCFxHGEdnvTAjQXb1z3UMvcYcr4t4NRNtL0DPcHi2i3q06x2vj9i7k62o41vvf/XXEJ7SYjnWB8jVhrpcKz9Qq4Co9aZ+r7pslFzY77RH28i1FlwfhkL0TdE2xgPCZYUODiqPZxOBa0 equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000002.895672737.0000020953BE1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: #star-mini.c10r.facebook.comwww.facebook.com equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.610737115.0000020953C62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: #star-mini.c10r.facebook.comwww.facebook.com4U6AFg8Nsj3k3vIHu95+5sG/VsS2dtne0TzdIdghGJsYOzpvLwxV/6jY/TA0qf20R2eyFLV/XmsnZyAbM/YRfO4YvnpJnr+CtJeLnWoFXcBLLLsmPWschms65UXthtd2j5Xh/q9PHF3fjiF4tPdOMTLwzfPCLTnhKYCK8yEVK5vyCM9xDSc2UUX+l2xk9yGW8ErijCdT7OfyzW+Th/gIHzcaMxRUdieupV/qnSuRmzTo4ZfZrlqP/+y/+wGZr1hYlmTTRrolkXrFmMpVlWsuHSrbV7rdA661ZonXUrtN66FVpn3QpdlG4VJ7p1KelWz2uFbc361v/78IdpFPxYiGxLq4tG3bNCs9vR9N7y3M3Dy3PXEcYNSyu3uiokDr82KyR6NHNVSPRuF/VoZ3ysEYyPNYLzIxrzhhVy7dCd1fKG/FemIdfzp0+3QRCJnZnmPzJt33D/7mm/G+57l5tr+mJTX6ZFvI43G/SetFnlnEZpC5SzlrAhlS8jo486L0e3LkwX2fW7iT3QkO6dP30pDadgXYL+xI1pTffAX8hN6T3ZobeiM6NvRX/dJnLtwIwNifvCRlviHt/oJ3H15oqm94iSYGPDpM7UdK3ceUCvdbTZHL0ufhadPLQ6m11udVZz6nKtvlrQ2jC/7QJdA4s+eXSNldS2FuvWYudk+977WIlWfDX/W1wqx5abL2z+/+y9CZhk11XnqcisKtlPi8shWVKl9pSMZRGVevticNNvlSutUpUzS7ag++skMjOqMlSREamIyKxlZr6RbUxj8AbN1mbvNg3thumBboYeaOhhWgONpxswOzSLe2EfYKD5gAGbnt95sa8ZtapUet9nl6oi7r3v3rP8z//ce+6L7UKFwaobFzr/lfcrdnusbdUazcIGTUvbtfqFwuY5WWrhtCy1sN7ytcJqqb5X3ii9p1Y/y7822yfKR9cvHG3/Av3RPXeJx4375nS5Uhr7RXeS476slE+XNi5sVEqNsV93Zr/U6LwAZmyzRvp+ybVGs9gcP87Gzu7aTropyAjd6+aFxouVsc13EcZaMX1ByFojPVehrbxJd3dH2p9FbcynUNwQKyy3bugPSvpynGHYn/f3if/tkHL/UK+1U8X11vsKU+/4s553/N6M3mGMc482Gi8xemPpVK1ZbL8UMdpt/S730rO11eJeaTN92XZjTd7gVNpce7bWTOq1i6Vq5i6Zu1xjd+kZ/gyO8x9vVd483P/Z4l75TLH1UiDmvl4qNlMX+uitXRf6sltnDDDjXOgkcU78YkneFFwXce2VTpXJKs4sJeV6o/WW7vQVSeaVuUth4sQ0VZ0+tZPFcrXZnlRPHqdq6QQlgYHqn96tpM0yn858+lr79BifnMG7v/+A8vjx4sZgBrH2ztKFk/L2YBpVyqV6iz3+znzXuX9tflbnHutDsbzVZumZlt0tnVhde/aE2PqxyD917MSzSydPrB4TCSy9M/7iNQSyuhpH18aDxFV6bjTkJR0zLwvYpK41zmPaDtJyqa7DDfpR1z9bbrmvyc1oZJdjNfvregaj+flblUeGza/9wwn90eDDvWjwvtmigT4235gSDXqBwLhWgcDVZzHiVlnOczub/HvpPVulUmWJKZZO1fq/WD1X3El/a+UKo1YWELKAsH9AGPTIGdz6/7xVuWd4EKkTSZ35Az1n/qtDs6H/lNxopdTYqaU/6CI1KEvylAupd9O3cVL2Tcv15oXVEo/ZbFwrz/au1gT1zJ0zd77W7iwm^ equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.615362679.0000020953C63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: #star-mini.c10r.facebook.comwww.facebook.com4U6AFg8Nsj3k3vIHu95+5sG/VsS2dtne0TzdIdghGJsYOzpvLwxV/6jY/TA0qf20R2eyFLV/XmsnZyAbM/YRfO4YvnpJnr+CtJeLnWoFXcBLLLsmPWschms65UXthtd2j5Xh/q9PHF3fjiF4tPdOMTLwzfPCLTnhKYCK8yEVK5vyCM9xDSc2UUX+l2xk9yGW8ErijCdT7OfyzW+Th/gIHzcaMxRUdieupV/qnSuRmzTo4ZfZrlqP/+y/+wGZr1hYlmTTRrolkXrFmMpVlWsuHSrbV7rdA661ZonXUrtN66FVpn3QpdlG4VJ7p1KelWz2uFbc361v/78IdpFPxYiGxLq4tG3bNCs9vR9N7y3M3Dy3PXEcYNSyu3uiokDr82KyR6NHNVSPRuF/VoZ3ysEYyPNYLzIxrzhhVy7dCd1fKG/FemIdfzp0+3QRCJnZnmPzJt33D/7mm/G+57l5tr+mJTX6ZFvI43G/SetFnlnEZpC5SzlrAhlS8jo486L0e3LkwX2fW7iT3QkO6dP30pDadgXYL+xI1pTffAX8hN6T3ZobeiM6NvRX/dJnLtwIwNifvCRlviHt/oJ3H15oqm94iSYGPDpM7UdK3ceUCvdbTZHL0ufhadPLQ6m11udVZz6nKtvlrQ2jC/7QJdA4s+eXSNldS2FuvWYudk+977WIlWfDX/W1wqx5abL2z+/+y9CZhk11XnqcisKtlPi8shWVKl9pSMZRGVevticNNvlSutUpUzS7ag++skMjOqMlSREamIyKxlZr6RbUxj8AbN1mbvNg3thumBboYeaOhhWgONpxswOzSLe2EfYKD5gAGbnt95sa8ZtapUet9nl6oi7r3v3rP8z//ce+6L7UKFwaobFzr/lfcrdnusbdUazcIGTUvbtfqFwuY5WWrhtCy1sN7ytcJqqb5X3ii9p1Y/y7822yfKR9cvHG3/Av3RPXeJx4375nS5Uhr7RXeS476slE+XNi5sVEqNsV93Zr/U6LwAZmyzRvp+ybVGs9gcP87Gzu7aTropyAjd6+aFxouVsc13EcZaMX1ByFojPVehrbxJd3dH2p9FbcynUNwQKyy3bugPSvpynGHYn/f3if/tkHL/UK+1U8X11vsKU+/4s553/N6M3mGMc482Gi8xemPpVK1ZbL8UMdpt/S730rO11eJeaTN92XZjTd7gVNpce7bWTOq1i6Vq5i6Zu1xjd+kZ/gyO8x9vVd483P/Z4l75TLH1UiDmvl4qNlMX+uitXRf6sltnDDDjXOgkcU78YkneFFwXce2VTpXJKs4sJeV6o/WW7vQVSeaVuUth4sQ0VZ0+tZPFcrXZnlRPHqdq6QQlgYHqn96tpM0yn858+lr79BifnMG7v/+A8vjx4sZgBrH2ztKFk/L2YBpVyqV6iz3+znzXuX9tflbnHutDsbzVZumZlt0tnVhde/aE2PqxyD917MSzSydPrB4TCSy9M/7iNQSyuhpH18aDxFV6bjTkJR0zLwvYpK41zmPaDtJyqa7DDfpR1z9bbrmvyc1oZJdjNfvregaj+flblUeGza/9wwn90eDDvWjwvtmigT4235gSDXqBwLhWgcDVZzHiVlnOczub/HvpPVulUmWJKZZO1fq/WD1X3El/a+UKo1YWELKAsH9AGPTIGdz6/7xVuWd4EKkTSZ35Az1n/qtDs6H/lNxopdTYqaU/6CI1KEvylAupd9O3cVL2Tcv15oXVEo/ZbFwrz/au1gT1zJ0zd77W7iwmb equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.727495452.0000020953C59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: #star-mini.c10r.facebook.comwww.facebook.comYzrms1 equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.872402384.0000020953C59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: #star-mini.c10r.facebook.comwww.facebook.comfgMYLp equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.610737115.0000020953C62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: #star-mini.c10r.facebook.comwww.facebook.comjiEtlE equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.686001799.0000020953C62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: #star-mini.c10r.facebook.comwww.facebook.commEMTE4O equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.893794196.0000020953C5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: #star-mini.c10r.facebook.comwww.facebook.commngSopN equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.727495452.0000020953C59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: #star-mini.c10r.facebook.comwww.facebook.commoP7zAH equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000002.897089501.0000020953C5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: #star-mini.c10r.facebook.comwww.facebook.commqPZxOBa0 equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.872402384.0000020953C59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: #star-mini.c10r.facebook.comwww.facebook.comqrBjUsc3 equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.727495452.0000020953C59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: #star-mini.c10r.facebook.comwww.facebook.comvlQwufe2 equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.871483645.0000020955D5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: name="referrer" content="origin-when-crossorigin" id="meta_referrer" /><script nonce="q5tMiLYZ">function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env\|\|{},b(window.Env))}envFlush({"useTrustedTypes":false,"isTrustedTypesReportOnly":false,"ajaxpipe_token":"AXjZ6wGXtfhJEKvvsqM","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ6iSpgOr5fQTsmS7z4","isCQuick":false});</script><script nonce="q5tMiLYZ">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="q5tMiLYZ"></style><script nonce="q5tMiLYZ">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F&_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Log into Facebook</title><meta name="google" content="notranslate" /><meta name="description" content="Log into Facebook to start sharing and connecting with your friends, family, and people you know." /><meta property="og:site_name" content="Facebook" /><meta property="og:url" content="https://www.facebook.com/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F" /><meta property="og:locale" content="en_US" /><link rel="canonical" href="https://www.facebook.com/login/web/" /><link rel="icon" href="https://static.xx.fbcdn.net/rsrc.php/yv/r/B8BxsscfVBr.ico" /><link type="text/css" rel="stylesheet" href="https://static.xx.fbcdn.net/rsrc.php/v3/yP/l/0,cross/6MB_F4yiWj8.css?_nc_x=Ij3Wp8lg5Kz" data-bootloader-hash="HLTHBFO" /> equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.764921022.0000020955D12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: property="og:url" content="https://www.facebook.com/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F" /><meta property="og:locale" content="en_US" /><link rel="canonical" href="https://www.facebook.com/login/web/" /><link rel="icon" href="https://static.xx.fbcdn.net/rsrc.php/yv/r/B8BxsscfVBr.ico" /><link type="text/css" rel="stylesheet" href="https://static.xx.fbcdn.net/rsrc.php/v3/yP/l/0,cross/6MB_F4yiWj8.css?_nc_x=Ij3Wp8lg5Kz" data-bootloader-hash="HLTHBFO" /> equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.775551486.0000020953C62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: #star-mini.c10r.facebook.comwww.facebook.comNe8Aoak equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.767549181.0000020953C59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: #star-mini.c10r.facebook.comwww.facebook.comfgMYLp equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.727362332.0000020955D46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: )</a></li><li><a role="button" class="_42ft _4jy0 _517i _517h _51sy" rel="dialog" ajaxify="/settings/language/language/?uri=https%3A%2F%2Fzh-cn.facebook.com%2Flogin.php%3Fnext%3Dhttps%253A%252F%252Fadsmanager.facebook.com%252Fads%252Fmanager%252Faccount_settings%252Faccount_billing%252F&source=www_list_selector_more" href="#" title="Show more languages"><i class="img sp_EP9wX8qDDvu sx_0de3e6"></i></a></li></ul><div id="contentCurve"></div><div id="pageFooterChildren" role="contentinfo" aria-label="Facebook site links"><ul class="uiList pageFooterLinkList _509- _4ki _703 _6-i"><li><a href="/reg/" title="Sign Up for Facebook">Sign Up</a></li><li><a href="/login/" title="Log into Facebook">Log In</a></li><li><a href="https://messenger.com/" title="Check out Messenger.">Messenger</a></li><li><a href="/lite/" title="Facebook Lite for Android.">Facebook Lite</a></li><li><a href="https://www.facebook.com/watch/" title="Browse our Watch videos.">Watch</a></li><li><a href="/places/" title="Check out popular places on Facebook.">Places</a></li><li><a href="/games/" title="Check out Facebook games.">Games</a></li><li><a href="/marketplace/" title="Buy and sell on Facebook Marketplace.">Marketplace</a></li><li><a href="https://pay.facebook.com/" title="Learn more about Meta Pay" target="_blank">Meta Pay</a></li><li><a href="https://www.meta.com/" title="Check out Meta" target="_blank">Meta Store</a></li><li><a href="https://www.meta.com/quest/" title="Learn more about Meta Quest" target="_blank">Meta Quest</a></li><li><a href="https://l.facebook.com/l.php?u=https%3A%2F%2Fwww.instagram.com%2F&h=AT0L4g4ILO6wM3IonpAWu7GOCri0jS6F1V29WSAdkRjdqlcAur_2lcRMGdBr_Fj6vcAPbRGyrr_-Nap6MhNbIdTzhFcQVO-hgG4YXd99UtB0BcYTeYY9ksWuxifzrCr5QnEodIma8njkLwVFnT-59w" title="Check out Instagram" target="_blank" rel="nofollow" data-lynx-mode="asynclazy">Instagram</a></li><li><a href="/fundraisers/" title="Donate to worthy causes.">Fundraisers</a></li><li><a href="/biz/directory/" title="Browse our Facebook Services directory.">Services</a></li><li><a href="/votinginformationcenter/?entry_point=c2l0ZQ%3D%3D" title="See the Voting Information Center.">Voting Information Center</a></li><li><a href="/privacy/policy/?entry_point=facebook_page_footer" title="Learn how we collect, use and share information to support Facebook.">Privacy Policy</a></li><li><a href="/privacy/center/?entry_point=facebook_page_footer" title="Learn how to manage and control your privacy on Facebook.">Privacy Center</a></li><li><a href="/groups/discover/" title="Explore our Groups.">Groups</a></li><li><a href="https://about.meta.com/" accesskey="8" title="Read our blog, discover the resource center, and find job opportunities.">About</a></li><li><a href="/ad_campaign/landing.php?placement=pflo&campaign_id=402047449186&nav_source=unknown&extra_1=auto" title="Advertise on Facebook.">Create Ad</a></li><li><a href="/pages/create/?ref_type=site_footer" title="Create a page">Create Page</a></li><li><a
Source: aafg31.exe, 00000015.00000003.746443120.0000020955D4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: )</a></li><li><a role="button" class="_42ft _4jy0 _517i _517h _51sy" rel="dialog" ajaxify="/settings/language/language/?uri=https%3A%2F%2Fzh-cn.facebook.com%2Flogin.php%3Fnext%3Dhttps%253A%252F%252Fadsmanager.facebook.com%252Fads%252Fmanager%252Faccount_settings%252Faccount_billing%252F&source=www_list_selector_more" href="#" title="Show more languages"><i class="img sp_EP9wX8qDDvu sx_0de3e6"></i></a></li></ul><div id="contentCurve"></div><div id="pageFooterChildren" role="contentinfo" aria-label="Facebook site links"><ul class="uiList pageFooterLinkList _509- _4ki _703 _6-i"><li><a href="/reg/" title="Sign Up for Facebook">Sign Up</a></li><li><a href="/login/" title="Log into Facebook">Log In</a></li><li><a href="https://messenger.com/" title="Check out Messenger.">Messenger</a></li><li><a href="/lite/" title="Facebook Lite for Android.">Facebook Lite</a></li><li><a href="https://www.facebook.com/watch/" title="Browse our Watch videos.">Watch</a></li><li><a href="/places/" title="Check out popular places on Facebook.">Places</a></li><li><a href="/games/" title="Check out Facebook games.">Games</a></li><li><a href="/marketplace/" title="Buy and sell on Facebook Marketplace.">Marketplace</a></li><li><a href="https://pay.facebook.com/" title="Learn more about Meta Pay" target="_blank">Meta Pay</a></li><li><a href="https://www.meta.com/" title="Check out Meta" target="_blank">Meta Store</a></li><li><a href="https://www.meta.com/quest/" title="Learn more about Meta Quest" target="_blank">Meta Quest</a></li><li><a href="https://l.facebook.com/l.php?u=https%3A%2F%2Fwww.instagram.com%2F&h=AT0PxYBQFvg0mobTHJju8M3bk9dBMb1-DaU5og69w0cITpUYOp5NTFj5biYfJXYgjM8tZU_uGmiahubUFBao7M6xVbDAEI-fMOSGoVfUmxsvkRcKSDJO2ae4FASGdusmCBb2Zt3zK6MbV8AZT_AQwA" title="Check out Instagram" target="_blank" rel="nofollow" data-lynx-mode="asynclazy">Instagram</a></li><li><a href="/fundraisers/" title="Donate to worthy causes.">Fundraisers</a></li><li><a href="/biz/directory/" title="Browse our Facebook Services directory.">Services</a></li><li><a href="/votinginformationcenter/?entry_point=c2l0ZQ%3D%3D" title="See the Voting Information Center.">Voting Information Center</a></li><li><a href="/privacy/policy/?entry_point=facebook_page_footer" title="Learn how we collect, use and share information to support Facebook.">Privacy Policy</a></li><li><a href="/privacy/center/?entry_point=facebook_page_footer" title="Learn how to manage and control your privacy on Facebook.">Privacy Center</a></li><li><a href="/groups/discover/" title="Explore our Groups.">Groups</a></li><li><a href="https://about.meta.com/" accesskey="8" title="Read our blog, discover the resource center, and find job opportunities.">About</a></li><li><a href="/ad_campaign/landing.php?placement=pflo&campaign_id=402047449186&nav_source=unknown&extra_1=auto" title="Advertise on Facebook.">Create Ad</a></li><li><a href="/pages/create/?ref_type=site_footer" title="Create a page">Create Page</a></li><li><a
Source: aafg31.exe, 00000015.00000003.587487365.0000020955D3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: )</a></li><li><a role="button" class="_42ft _4jy0 _517i _517h _51sy" rel="dialog" ajaxify="/settings/language/language/?uri=https%3A%2F%2Fzh-cn.facebook.com%2Flogin.php%3Fnext%3Dhttps%253A%252F%252Fadsmanager.facebook.com%252Fads%252Fmanager%252Faccount_settings%252Faccount_billing%252F&source=www_list_selector_more" href="#" title="Show more languages"><i class="img sp_EP9wX8qDDvu sx_0de3e6"></i></a></li></ul><div id="contentCurve"></div><div id="pageFooterChildren" role="contentinfo" aria-label="Facebook site links"><ul class="uiList pageFooterLinkList _509- _4ki _703 _6-i"><li><a href="/reg/" title="Sign Up for Facebook">Sign Up</a></li><li><a href="/login/" title="Log into Facebook">Log In</a></li><li><a href="https://messenger.com/" title="Check out Messenger.">Messenger</a></li><li><a href="/lite/" title="Facebook Lite for Android.">Facebook Lite</a></li><li><a href="https://www.facebook.com/watch/" title="Browse our Watch videos.">Watch</a></li><li><a href="/places/" title="Check out popular places on Facebook.">Places</a></li><li><a href="/games/" title="Check out Facebook games.">Games</a></li><li><a href="/marketplace/" title="Buy and sell on Facebook Marketplace.">Marketplace</a></li><li><a href="https://pay.facebook.com/" title="Learn more about Meta Pay" target="_blank">Meta Pay</a></li><li><a href="https://www.meta.com/" title="Check out Meta" target="_blank">Meta Store</a></li><li><a href="https://www.meta.com/quest/" title="Learn more about Meta Quest" target="_blank">Meta Quest</a></li><li><a href="https://l.facebook.com/l.php?u=https%3A%2F%2Fwww.instagram.com%2F&h=AT0R-ItG6onOMb0nwDKIQNqWdq_45gXoD7J2wJyypkLJuVpaDLPJ719UjS7C0OXVBGxKG7xRPzjbMwNGOBj8u-rn9MXAlhjEWzZ6T4doOiyFRAHyKcJRTRjtmdO5H6qDx3RSqosXwYEF3lkhICOCAg" title="Check out Instagram" target="_blank" rel="nofollow" data-lynx-mode="asynclazy">Instagram</a></li><li><a href="/fundraisers/" title="Donate to worthy causes.">Fundraisers</a></li><li><a href="/biz/directory/" title="Browse our Facebook Services directory.">Services</a></li><li><a href="/votinginformationcenter/?entry_point=c2l0ZQ%3D%3D" title="See the Voting Information Center.">Voting Information Center</a></li><li><a href="/privacy/policy/?entry_point=facebook_page_footer" title="Learn how we collect, use and share information to support Facebook.">Privacy Policy</a></li><li><a href="/privacy/center/?entry_point=facebook_page_footer" title="Learn how to manage and control your privacy on Facebook.">Privacy Center</a></li><li><a href="/groups/discover/" title="Explore our Groups.">Groups</a></li><li><a href="https://about.meta.com/" accesskey="8" title="Read our blog, discover the resource center, and find job opportunities.">About</a></li><li><a href="/ad_campaign/landing.php?placement=pflo&campaign_id=402047449186&nav_source=unknown&extra_1=auto" title="Advertise on Facebook.">Create Ad</a></li><li><a href="/pages/create/?ref_type=site_footer" title="Create a page">Create Page</a></li><li><a
Source: aafg31.exe, 00000015.00000003.869877378.0000020955C11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: )</a></li><li><a role="button" class="_42ft _4jy0 _517i _517h _51sy" rel="dialog" ajaxify="/settings/language/language/?uri=https%3A%2F%2Fzh-cn.facebook.com%2Flogin.php%3Fnext%3Dhttps%253A%252F%252Fadsmanager.facebook.com%252Fads%252Fmanager%252Faccount_settings%252Faccount_billing%252F&source=www_list_selector_more" href="#" title="Show more languages"><i class="img sp_EP9wX8qDDvu sx_0de3e6"></i></a></li></ul><div id="contentCurve"></div><div id="pageFooterChildren" role="contentinfo" aria-label="Facebook site links"><ul class="uiList pageFooterLinkList _509- _4ki _703 _6-i"><li><a href="/reg/" title="Sign Up for Facebook">Sign Up</a></li><li><a href="/login/" title="Log into Facebook">Log In</a></li><li><a href="https://messenger.com/" title="Check out Messenger.">Messenger</a></li><li><a href="/lite/" title="Facebook Lite for Android.">Facebook Lite</a></li><li><a href="https://www.facebook.com/watch/" title="Browse our Watch videos.">Watch</a></li><li><a href="/places/" title="Check out popular places on Facebook.">Places</a></li><li><a href="/games/" title="Check out Facebook games.">Games</a></li><li><a href="/marketplace/" title="Buy and sell on Facebook Marketplace.">Marketplace</a></li><li><a href="https://pay.facebook.com/" title="Learn more about Meta Pay" target="_blank">Meta Pay</a></li><li><a href="https://www.meta.com/" title="Check out Meta" target="_blank">Meta Store</a></li><li><a href="https://www.meta.com/quest/" title="Learn more about Meta Quest" target="_blank">Meta Quest</a></li><li><a href="https://l.facebook.com/l.php?u=https%3A%2F%2Fwww.instagram.com%2F&h=AT0g5gg65ESCbDVm9XmLmgIaz9_qvRRALpR1QZCbvdV2SUOP6qTnPSyDM4c1YHoNWPTa1usFmfbwVcRQ--CCEpDnj453jsfWkKgLS-YXkqW_P9k8fGcQXT41UK0_TksetppyaX5RuPbGkFzG_ClzEA" title="Check out Instagram" target="_blank" rel="nofollow" data-lynx-mode="asynclazy">Instagram</a></li><li><a href="/fundraisers/" title="Donate to worthy causes.">Fundraisers</a></li><li><a href="/biz/directory/" title="Browse our Facebook Services directory.">Services</a></li><li><a href="/votinginformationcenter/?entry_point=c2l0ZQ%3D%3D" title="See the Voting Information Center.">Voting Information Center</a></li><li><a href="/privacy/policy/?entry_point=facebook_page_footer" title="Learn how we collect, use and share information to support Facebook.">Privacy Policy</a></li><li><a href="/privacy/center/?entry_point=facebook_page_footer" title="Learn how to manage and control your privacy on Facebook.">Privacy Center</a></li><li><a href="/groups/discover/" title="Explore our Groups.">Groups</a></li><li><a href="https://about.meta.com/" accesskey="8" title="Read our blog, discover the resource center, and find job opportunities.">About</a></li><li><a href="/ad_campaign/landing.php?placement=pflo&campaign_id=402047449186&nav_source=unknown&extra_1=auto" title="Advertise on Facebook.">Create Ad</a></li><li><a href="/pages/create/?ref_type=site_footer" title="Create a page">Create Page</a></li><li><a
Source: aafg31.exe, 00000015.00000003.682234652.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: )</a></li><li><a role="button" class="_42ft _4jy0 _517i _517h _51sy" rel="dialog" ajaxify="/settings/language/language/?uri=https%3A%2F%2Fzh-cn.facebook.com%2Flogin.php%3Fnext%3Dhttps%253A%252F%252Fadsmanager.facebook.com%252Fads%252Fmanager%252Faccount_settings%252Faccount_billing%252F&source=www_list_selector_more" href="#" title="Show more languages"><i class="img sp_EP9wX8qDDvu sx_0de3e6"></i></a></li></ul><div id="contentCurve"></div><div id="pageFooterChildren" role="contentinfo" aria-label="Facebook site links"><ul class="uiList pageFooterLinkList _509- _4ki _703 _6-i"><li><a href="/reg/" title="Sign Up for Facebook">Sign Up</a></li><li><a href="/login/" title="Log into Facebook">Log In</a></li><li><a href="https://messenger.com/" title="Check out Messenger.">Messenger</a></li><li><a href="/lite/" title="Facebook Lite for Android.">Facebook Lite</a></li><li><a href="https://www.facebook.com/watch/" title="Browse our Watch videos.">Watch</a></li><li><a href="/places/" title="Check out popular places on Facebook.">Places</a></li><li><a href="/games/" title="Check out Facebook games.">Games</a></li><li><a href="/marketplace/" title="Buy and sell on Facebook Marketplace.">Marketplace</a></li><li><a href="https://pay.facebook.com/" title="Learn more about Meta Pay" target="_blank">Meta Pay</a></li><li><a href="https://www.meta.com/" title="Check out Meta" target="_blank">Meta Store</a></li><li><a href="https://www.meta.com/quest/" title="Learn more about Meta Quest" target="_blank">Meta Quest</a></li><li><a href="https://l.facebook.com/l.php?u=https%3A%2F%2Fwww.instagram.com%2F&h=AT0n_GkMiWeabxnEYC-3a42Z0_-A9TUv6Iwh8KDXaGQSSD9GZWl6pihZkDWmp5_xtmGmS-mtAwlWjEEBssd2h-JirDIWCjKWKK-RyxeJuUCX4_CtUXlYmPN2z1CkvFhIHyblx7hxJLqz6bVokcw_sA" title="Check out Instagram" target="_blank" rel="nofollow" data-lynx-mode="asynclazy">Instagram</a></li><li><a href="/fundraisers/" title="Donate to worthy causes.">Fundraisers</a></li><li><a href="/biz/directory/" title="Browse our Facebook Services directory.">Services</a></li><li><a href="/votinginformationcenter/?entry_point=c2l0ZQ%3D%3D" title="See the Voting Information Center.">Voting Information Center</a></li><li><a href="/privacy/policy/?entry_point=facebook_page_footer" title="Learn how we collect, use and share information to support Facebook.">Privacy Policy</a></li><li><a href="/privacy/center/?entry_point=facebook_page_footer" title="Learn how to manage and control your privacy on Facebook.">Privacy Center</a></li><li><a href="/groups/discover/" title="Explore our Groups.">Groups</a></li><li><a href="https://about.meta.com/" accesskey="8" title="Read our blog, discover the resource center, and find job opportunities.">About</a></li><li><a href="/ad_campaign/landing.php?placement=pflo&campaign_id=402047449186&nav_source=unknown&extra_1=auto" title="Advertise on Facebook.">Create Ad</a></li><li><a href="/pages/create/?ref_type=site_footer" title="Create a page">Create Page</a></li><li><a
Source: aafg31.exe, 00000015.00000003.610990462.0000020955D0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: )</a></li><li><a role="button" class="_42ft _4jy0 _517i _517h _51sy" rel="dialog" ajaxify="/settings/language/language/?uri=https%3A%2F%2Fzh-cn.facebook.com%2Flogin.php%3Fnext%3Dhttps%253A%252F%252Fadsmanager.facebook.com%252Fads%252Fmanager%252Faccount_settings%252Faccount_billing%252F&source=www_list_selector_more" href="#" title="Show more languages"><i class="img sp_EP9wX8qDDvu sx_0de3e6"></i></a></li></ul><div id="contentCurve"></div><div id="pageFooterChildren" role="contentinfo" aria-label="Facebook site links"><ul class="uiList pageFooterLinkList _509- _4ki _703 _6-i"><li><a href="/reg/" title="Sign Up for Facebook">Sign Up</a></li><li><a href="/login/" title="Log into Facebook">Log In</a></li><li><a href="https://messenger.com/" title="Check out Messenger.">Messenger</a></li><li><a href="/lite/" title="Facebook Lite for Android.">Facebook Lite</a></li><li><a href="https://www.facebook.com/watch/" title="Browse our Watch videos.">Watch</a></li><li><a href="/places/" title="Check out popular places on Facebook.">Places</a></li><li><a href="/games/" title="Check out Facebook games.">Games</a></li><li><a href="/marketplace/" title="Buy and sell on Facebook Marketplace.">Marketplace</a></li><li><a href="https://pay.facebook.com/" title="Learn more about Meta Pay" target="_blank">Meta Pay</a></li><li><a href="https://www.meta.com/" title="Check out Meta" target="_blank">Meta Store</a></li><li><a href="https://www.meta.com/quest/" title="Learn more about Meta Quest" target="_blank">Meta Quest</a></li><li><a href="https://l.facebook.com/l.php?u=https%3A%2F%2Fwww.instagram.com%2F&h=AT1zLAxZP-fSShBrc1Qi_ZfWYADyFcH8J9P3gtWRxJMYeSpztj2KGLFNGO8mSIvUJ_LCHPIs7tpMWvFO_hyEXEwRyRmN1iz1Ahok5hLq2FprEiAdIh2RjoQUNvktvPaF1FlHNG_6fsneHstVvUl8Bg" title="Check out Instagram" target="_blank" rel="nofollow" data-lynx-mode="asynclazy">Instagram</a></li><li><a href="/fundraisers/" title="Donate to worthy causes.">Fundraisers</a></li><li><a href="/biz/directory/" title="Browse our Facebook Services directory.">Services</a></li><li><a href="/votinginformationcenter/?entry_point=c2l0ZQ%3D%3D" title="See the Voting Information Center.">Voting Information Center</a></li><li><a href="/privacy/policy/?entry_point=facebook_page_footer" title="Learn how we collect, use and share information to support Facebook.">Privacy Policy</a></li><li><a href="/privacy/center/?entry_point=facebook_page_footer" title="Learn how to manage and control your privacy on Facebook.">Privacy Center</a></li><li><a href="/groups/discover/" title="Explore our Groups.">Groups</a></li><li><a href="https://about.meta.com/" accesskey="8" title="Read our blog, discover the resource center, and find job opportunities.">About</a></li><li><a href="/ad_campaign/landing.php?placement=pflo&campaign_id=402047449186&nav_source=unknown&extra_1=auto" title="Advertise on Facebook.">Create Ad</a></li><li><a href="/pages/create/?ref_type=site_footer" title="Create a page">Create Page</a></li><li><a
Source: aafg31.exe, 00000015.00000003.892118052.0000020955D54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: )</a></li><li><a role="button" class="_42ft _4jy0 _517i _517h _51sy" rel="dialog" ajaxify="/settings/language/language/?uri=https%3A%2F%2Fzh-cn.facebook.com%2Flogin.php%3Fnext%3Dhttps%253A%252F%252Fadsmanager.facebook.com%252Fads%252Fmanager%252Faccount_settings%252Faccount_billing%252F&source=www_list_selector_more" href="#" title="Show more languages"><i class="img sp_EP9wX8qDDvu sx_0de3e6"></i></a></li></ul><div id="contentCurve"></div><div id="pageFooterChildren" role="contentinfo" aria-label="Facebook site links"><ul class="uiList pageFooterLinkList _509- _4ki _703 _6-i"><li><a href="/reg/" title="Sign Up for Facebook">Sign Up</a></li><li><a href="/login/" title="Log into Facebook">Log In</a></li><li><a href="https://messenger.com/" title="Check out Messenger.">Messenger</a></li><li><a href="/lite/" title="Facebook Lite for Android.">Facebook Lite</a></li><li><a href="https://www.facebook.com/watch/" title="Browse our Watch videos.">Watch</a></li><li><a href="/places/" title="Check out popular places on Facebook.">Places</a></li><li><a href="/games/" title="Check out Facebook games.">Games</a></li><li><a href="/marketplace/" title="Buy and sell on Facebook Marketplace.">Marketplace</a></li><li><a href="https://pay.facebook.com/" title="Learn more about Meta Pay" target="_blank">Meta Pay</a></li><li><a href="https://www.meta.com/" title="Check out Meta" target="_blank">Meta Store</a></li><li><a href="https://www.meta.com/quest/" title="Learn more about Meta Quest" target="_blank">Meta Quest</a></li><li><a href="https://l.facebook.com/l.php?u=https%3A%2F%2Fwww.instagram.com%2F&h=AT2XXSYw0sanXNAUpiGIfwuOd8MIqci5fHz00-0O54f3nTpUseh1gjJZpNh0rnOO9ajUcawgV6nWNArAXbR_8eX2Y1bSYtdgau6r0hSxTgdukUzo0As2U2mTVbKa10WS2qLFDLv6QeCPIIiWKQ_mSQ" title="Check out Instagram" target="_blank" rel="nofollow" data-lynx-mode="asynclazy">Instagram</a></li><li><a href="/fundraisers/" title="Donate to worthy causes.">Fundraisers</a></li><li><a href="/biz/directory/" title="Browse our Facebook Services directory.">Services</a></li><li><a href="/votinginformationcenter/?entry_point=c2l0ZQ%3D%3D" title="See the Voting Information Center.">Voting Information Center</a></li><li><a href="/privacy/policy/?entry_point=facebook_page_footer" title="Learn how we collect, use and share information to support Facebook.">Privacy Policy</a></li><li><a href="/privacy/center/?entry_point=facebook_page_footer" title="Learn how to manage and control your privacy on Facebook.">Privacy Center</a></li><li><a href="/groups/discover/" title="Explore our Groups.">Groups</a></li><li><a href="https://about.meta.com/" accesskey="8" title="Read our blog, discover the resource center, and find job opportunities.">About</a></li><li><a href="/ad_campaign/landing.php?placement=pflo&campaign_id=402047449186&nav_source=unknown&extra_1=auto" title="Advertise on Facebook.">Create Ad</a></li><li><a href="/pages/create/?ref_type=site_footer" title="Create a page">Create Page</a></li><li><a
Source: aafg31.exe, 00000015.00000003.661265412.0000020955D4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: )</a></li><li><a role="button" class="_42ft _4jy0 _517i _517h _51sy" rel="dialog" ajaxify="/settings/language/language/?uri=https%3A%2F%2Fzh-cn.facebook.com%2Flogin.php%3Fnext%3Dhttps%253A%252F%252Fadsmanager.facebook.com%252Fads%252Fmanager%252Faccount_settings%252Faccount_billing%252F&source=www_list_selector_more" href="#" title="Show more languages"><i class="img sp_EP9wX8qDDvu sx_0de3e6"></i></a></li></ul><div id="contentCurve"></div><div id="pageFooterChildren" role="contentinfo" aria-label="Facebook site links"><ul class="uiList pageFooterLinkList _509- _4ki _703 _6-i"><li><a href="/reg/" title="Sign Up for Facebook">Sign Up</a></li><li><a href="/login/" title="Log into Facebook">Log In</a></li><li><a href="https://messenger.com/" title="Check out Messenger.">Messenger</a></li><li><a href="/lite/" title="Facebook Lite for Android.">Facebook Lite</a></li><li><a href="https://www.facebook.com/watch/" title="Browse our Watch videos.">Watch</a></li><li><a href="/places/" title="Check out popular places on Facebook.">Places</a></li><li><a href="/games/" title="Check out Facebook games.">Games</a></li><li><a href="/marketplace/" title="Buy and sell on Facebook Marketplace.">Marketplace</a></li><li><a href="https://pay.facebook.com/" title="Learn more about Meta Pay" target="_blank">Meta Pay</a></li><li><a href="https://www.meta.com/" title="Check out Meta" target="_blank">Meta Store</a></li><li><a href="https://www.meta.com/quest/" title="Learn more about Meta Quest" target="_blank">Meta Quest</a></li><li><a href="https://l.facebook.com/l.php?u=https%3A%2F%2Fwww.instagram.com%2F&h=AT3wnJZB-eZDq95G_Oo2JutX5Pd01-8inbrozlAijuS5ElPWd4c3MwA6Uo_E4jodGPDKwDnErv967dkEryhihUdzeTB08iBDiZhhZnK6G8H0bSs2FS67MPGX-8d9wdxHVRVKgH3femIDrn0JFeHCrw" title="Check out Instagram" target="_blank" rel="nofollow" data-lynx-mode="asynclazy">Instagram</a></li><li><a href="/fundraisers/" title="Donate to worthy causes.">Fundraisers</a></li><li><a href="/biz/directory/" title="Browse our Facebook Services directory.">Services</a></li><li><a href="/votinginformationcenter/?entry_point=c2l0ZQ%3D%3D" title="See the Voting Information Center.">Voting Information Center</a></li><li><a href="/privacy/policy/?entry_point=facebook_page_footer" title="Learn how we collect, use and share information to support Facebook.">Privacy Policy</a></li><li><a href="/privacy/center/?entry_point=facebook_page_footer" title="Learn how to manage and control your privacy on Facebook.">Privacy Center</a></li><li><a href="/groups/discover/" title="Explore our Groups.">Groups</a></li><li><a href="https://about.meta.com/" accesskey="8" title="Read our blog, discover the resource center, and find job opportunities.">About</a></li><li><a href="/ad_campaign/landing.php?placement=pflo&campaign_id=402047449186&nav_source=unknown&extra_1=auto" title="Advertise on Facebook.">Create Ad</a></li><li><a href="/pages/create/?ref_type=site_footer" title="Create a page">Create Page</a></li><li><a
Source: aafg31.exe, 00000015.00000003.679323171.0000020955CFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="9xkozTCD"></style><script nonce="9xkozTCD">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F&_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Log into Facebook</title><meta name="google" content="notranslate" /><meta name="description" content="Log into Facebook to start sharing and connecting with your friends, family, and people you know." /><meta property="og:site_name" content="Facebook" /><meta property="og:url" content="https://www.facebook.com/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F" /><meta property="og:locale" content="en_US" /><link rel="canonical" href="https://www.facebook.com/login/web/" /><link rel="icon" href="https://static.xx.fbcdn.net/rsrc.php/yv/r/B8BxsscfVBr.ico" /><link type="text/css" rel="stylesheet" href="https://static.xx.fbcdn.net/rsrc.php/v3/yP/l/0,cross/6MB_F4yiWj8.css?_nc_x=Ij3Wp8lg5Kz" data-bootloader-hash="HLTHBFO" /> equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.872189879.0000020955D0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ,"RECRUITING_CANDIDATE_PORTAL_ACCOUNT_DELETION_CARD","BIZ_INBOX_POP_UP_TIP_NAVIGATION_BUG_FIX","SRT_REVIEW_DISABLE_FELLOWSHIP_REVIEW","EO_STORE_HOME_PAGE_COVID19_BANNER","TPA_SRT_TRANSLATION"]},"ko":{"__set":["3OsLvnSHNTt","1G7wJ6bJt9K","9NpkGYwzrPG","3oh5Mw86USj","8NAceEy9JZo","7FOIzos6XJX","rf8JEPGgOi","4j36SVzvP3w","4NSq3ZC4ScE","53gCxKq281G","3yzzwBY7Npj","1onzIv0jH6H","8PlKuowafe8","1ntjZ2zgf03","4SIH2GRVX5W","2dhqRnqXGLQ","2WgiNOrHVuC","amKHb4Cw4WI","8rDvN9vWdAK","5BdzWGmfvrA","DDZhogI19W","acrJTh9WGdp","1oOE64fL4wO","5XCz1h9Iaw3","7r6mSP7ofr2","6DGPLrRdyts","aWxCyi1sEC7","9kCSDzzr8fu","awYA7fn2Bse","aBMlJ8QRPWE","Fl3bH3ozLe","3sKizTQ6byg"]}},2580],["CurrentBusinessUser",[],{"business_id":null,"business_persona_id":null,"business_role":null,"business_user_id":null,"businessAccountName":null,"email":null,"first_name":null,"ip_permission":null,"isBusinessPerson":false,"isFacebookWorkAccount":false,"isInstagramBusinessPerson":false,"isEnterpriseBusiness":false,"shouldHideComponentsByUnsupportedFirstPartyTools":false,"shouldShowAccountSwitchComponents":false,"isUserOptInAccountSwitchInfraUpgrade":false,"business_profile_pic_url":null,"enterprise_profile_pic_url":null,"isTwoFacNewFlow":false,"last_name":null,"personal_user_id":"0","is_ads_feature_limited":null,"is_business_banhammered":null,"expiry_time":null,"has_verified_email":null,"permitted_business_account_task_ids":[]},2654],["JSErrorLoggingConfig",[],{"appId":256281040558,"extra":[],"reportInterval":50,"sampleWeight":null,"sampleWeightKey":"__jssesw","projectBlocklist":[]},2776],["DataStoreConfig",[],{"expandoKey":"__FB_STORE","useExpando":true},2915],["CookieCoreLoggingConfig",[],{"maximumIgnorableStallMs":16.67,"sampleRate":9.7e-5,"sampleRateClassic":1.0e-10,"sampleRateFastStale":1.0e-8},3401],["ImmediateImplementationExperiments",[],{"prefer_message_channel":true},3419],["DTSGInitData",[],{"token":"","async_get_token":""},3515],["UriNeedRawQuerySVConfig",[],{"uris":["dms.netmng.com","doubleclick.net","r.msn.com","watchit.sky.com","graphite.instagram.com","www.kfc.co.th","learn.pantheon.io","www.landmarkshops.in","www.ncl.com","s0.wp.com","www.tatacliq.com","bs.serving-sys.com","kohls.com","lazada.co.th","xg4ken.com","technopark.ru","officedepot.com.mx","bestbuy.com.mx","booking.com","nibio.no"]},3871],["InitialCookieConsent",[],{"deferCookies":false,"initialConsent":[],"noCookies":false,"shouldShowCookieBanner":false},4328],["WebConnectionClassServerGuess",[],{"connectionClass":"EXCELLENT"},4705],["CometAltpayJsSdkIframeAllowedDomains",[],{"allowed_domains":["https:\/\/live.adyen.com","https:\/\/integration-facebook.payu.in","https:\/\/facebook.payulatam.com","https:\/\/secure.payu.com","https:\/\/facebook.dlocal.com","https:\/\/buy2.boku.com"]},4920],["BootloaderEndpointConfig",[],{"debugNoBatching":false,"maxBatchSize":-1,"endpointURI":"https:\/\/www.facebook.com\/ajax\/bootloader-endpoint\/"},5094],["CookieConsentIFrameConfig",[],{"consent_param":"FQASEhISAA==.ARZjeebX9nkbJV0qmnvEg
Source: aafg31.exe, 00000015.00000003.872189879.0000020955D0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ,"RECRUITING_CANDIDATE_PORTAL_ACCOUNT_DELETION_CARD","BIZ_INBOX_POP_UP_TIP_NAVIGATION_BUG_FIX","SRT_REVIEW_DISABLE_FELLOWSHIP_REVIEW","EO_STORE_HOME_PAGE_COVID19_BANNER","TPA_SRT_TRANSLATION"]},"ko":{"__set":["3OsLvnSHNTt","1G7wJ6bJt9K","9NpkGYwzrPG","3oh5Mw86USj","8NAceEy9JZo","7FOIzos6XJX","rf8JEPGgOi","4j36SVzvP3w","4NSq3ZC4ScE","53gCxKq281G","3yzzwBY7Npj","1onzIv0jH6H","8PlKuowafe8","1ntjZ2zgf03","4SIH2GRVX5W","2dhqRnqXGLQ","2WgiNOrHVuC","amKHb4Cw4WI","8rDvN9vWdAK","5BdzWGmfvrA","DDZhogI19W","acrJTh9WGdp","1oOE64fL4wO","5XCz1h9Iaw3","7r6mSP7ofr2","6DGPLrRdyts","aWxCyi1sEC7","9kCSDzzr8fu","awYA7fn2Bse","aBMlJ8QRPWE","Fl3bH3ozLe","3sKizTQ6byg"]}},2580],["CurrentBusinessUser",[],{"business_id":null,"business_persona_id":null,"business_role":null,"business_user_id":null,"businessAccountName":null,"email":null,"first_name":null,"ip_permission":null,"isBusinessPerson":false,"isFacebookWorkAccount":false,"isInstagramBusinessPerson":false,"isEnterpriseBusiness":false,"shouldHideComponentsByUnsupportedFirstPartyTools":false,"shouldShowAccountSwitchComponents":false,"isUserOptInAccountSwitchInfraUpgrade":false,"business_profile_pic_url":null,"enterprise_profile_pic_url":null,"isTwoFacNewFlow":false,"last_name":null,"personal_user_id":"0","is_ads_feature_limited":null,"is_business_banhammered":null,"expiry_time":null,"has_verified_email":null,"permitted_business_account_task_ids":[]},2654],["JSErrorLoggingConfig",[],{"appId":256281040558,"extra":[],"reportInterval":50,"sampleWeight":null,"sampleWeightKey":"__jssesw","projectBlocklist":[]},2776],["DataStoreConfig",[],{"expandoKey":"__FB_STORE","useExpando":true},2915],["CookieCoreLoggingConfig",[],{"maximumIgnorableStallMs":16.67,"sampleRate":9.7e-5,"sampleRateClassic":1.0e-10,"sampleRateFastStale":1.0e-8},3401],["ImmediateImplementationExperiments",[],{"prefer_message_channel":true},3419],["DTSGInitData",[],{"token":"","async_get_token":""},3515],["UriNeedRawQuerySVConfig",[],{"uris":["dms.netmng.com","doubleclick.net","r.msn.com","watchit.sky.com","graphite.instagram.com","www.kfc.co.th","learn.pantheon.io","www.landmarkshops.in","www.ncl.com","s0.wp.com","www.tatacliq.com","bs.serving-sys.com","kohls.com","lazada.co.th","xg4ken.com","technopark.ru","officedepot.com.mx","bestbuy.com.mx","booking.com","nibio.no"]},3871],["InitialCookieConsent",[],{"deferCookies":false,"initialConsent":[],"noCookies":false,"shouldShowCookieBanner":false},4328],["WebConnectionClassServerGuess",[],{"connectionClass":"EXCELLENT"},4705],["CometAltpayJsSdkIframeAllowedDomains",[],{"allowed_domains":["https:\/\/live.adyen.com","https:\/\/integration-facebook.payu.in","https:\/\/facebook.payulatam.com","https:\/\/secure.payu.com","https:\/\/facebook.dlocal.com","https:\/\/buy2.boku.com"]},4920],["BootloaderEndpointConfig",[],{"debugNoBatching":false,"maxBatchSize":-1,"endpointURI":"https:\/\/www.facebook.com\/ajax\/bootloader-endpoint\/"},5094],["CookieConsentIFrameConfig",[],{"consent_param":"FQASEhISAA==.ARZjeebX9nkbJV0qmnvEg
Source: aafg31.exe, 00000015.00000003.610737115.0000020953C18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: <head><meta charset="utf-8" /><meta name="referrer" content="origin-when-crossorigin" id="meta_referrer" /><script nonce="9xkozTCD">function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env\|\|{},b(window.Env))}envFlush({"useTrustedTypes":false,"isTrustedTypesReportOnly":false,"ajaxpipe_token":"AXjZ6wGXtfhJEKvv3w4","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ6iSpgOr5fQTsmS2BU","isCQuick":false});</script><script nonce="9xkozTCD">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="9xkozTCD"></style><script nonce="9xkozTCD">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F&_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Log into Facebook</title><meta name="google" content="notranslate" /><meta name="description" content="Log into Facebook to start sharing and connecting with your friends, family, and people you know." /><meta property="og:site_name" content="Facebook" /><meta property="og:url" content="https://www.facebook.com/login.php? equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.610737115.0000020953C18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: <head><meta charset="utf-8" /><meta name="referrer" content="origin-when-crossorigin" id="meta_referrer" /><script nonce="9xkozTCD">function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env\|\|{},b(window.Env))}envFlush({"useTrustedTypes":false,"isTrustedTypesReportOnly":false,"ajaxpipe_token":"AXjZ6wGXtfhJEKvv3w4","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ6iSpgOr5fQTsmS2BU","isCQuick":false});</script><script nonce="9xkozTCD">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="9xkozTCD"></style><script nonce="9xkozTCD">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F&_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Log into Facebook</title><meta name="google" content="notranslate" /><meta name="description" content="Log into Facebook to start sharing and connecting with your friends, family, and people you know." /><meta property="og:site_name" content="Facebook" /><meta property="og:url" content="https://www.facebook.com/login.php?@ equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.679323171.0000020955CFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: <head><meta charset="utf-8" /><meta name="referrer" content="origin-when-crossorigin" id="meta_referrer" /><script nonce="9xkozTCD">function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env\|\|{},b(window.Env))}envFlush({"useTrustedTypes":false,"isTrustedTypesReportOnly":false,"ajaxpipe_token":"AXjZ6wGXtfhJEKvv3w4","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ6iSpgOr5fQTsmS2BU","isCQuick":false});</script><script nonce="9xkozTCD">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="9xkozTCD"></style><script nonce="9xkozTCD">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F&_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Log into Facebook</title><meta name="google" content="notranslate" /><meta name="description" content="Log into Facebook to start sharing and connecting with your friends, family, and people you know." /><meta property="og:site_name" content="Facebook" /><meta property="og:url" content="https://www.facebook.com/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F" /><meta property="og:locale" content="en_US" /><link rel="canonical" equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.610990462.0000020955D0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: <head><meta charset="utf-8" /><meta name="referrer" content="origin-when-crossorigin" id="meta_referrer" /><script nonce="9xkozTCD">function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env\|\|{},b(window.Env))}envFlush({"useTrustedTypes":false,"isTrustedTypesReportOnly":false,"ajaxpipe_token":"AXjZ6wGXtfhJEKvv3w4","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ6iSpgOr5fQTsmS2BU","isCQuick":false});</script><script nonce="9xkozTCD">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="9xkozTCD"></style><script nonce="9xkozTCD">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F&_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Log into Facebook</title><meta name="google" content="notranslate" /><meta name="description" content="Log into Facebook to start sharing and connecting with your friends, family, and people you know." /><meta property="og:site_name" content="Facebook" /><meta property="og:url" content="https://www.facebook.com/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F" /><meta property="og:locale" content="en_US" /><link rel="canonical" href="https://www.facebook.com/login/web/" /><link rel="icon" href="https://static.xx.fbcdn.net/rsrc.php/yv/r/B8BxsscfVBr.ico" /><link type="text/css" rel="stylesheet" href="https://static.xx.fbcdn.net/rsrc.php/v3/yP/l/0,cross/6MB_F4yiWj8.css?_nc_x=Ij3Wp8lg5Kz" data-bootloader-hash="HLTHBFO" /> equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.892118052.0000020955D54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: <head><meta charset="utf-8" /><meta name="referrer" content="origin-when-crossorigin" id="meta_referrer" /><script nonce="Iy8oG6YM">function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env\|\|{},b(window.Env))}envFlush({"useTrustedTypes":false,"isTrustedTypesReportOnly":false,"ajaxpipe_token":"AXjZ6wGXtfhJEKvvgos","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ6iSpgOr5fQTsmS7ok","isCQuick":false});</script><script nonce="Iy8oG6YM">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="Iy8oG6YM"></style><script nonce="Iy8oG6YM">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F&_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Log into Facebook</title><meta name="google" content="notranslate" /><meta name="description" content="Log into Facebook to start sharing and connecting with your friends, family, and people you know." /><meta property="og:site_name" content="Facebook" /><meta property="og:url" content="https://www.facebook.com/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F" /><meta property="og:locale" content="en_US" /><link rel="canonical" href="https://www.facebook.com/login/web/" /><link rel="icon" href="https://static.xx.fbcdn.net/rsrc.php/yv/r/B8BxsscfVBr.ico" /><link type="text/css" rel="stylesheet" href="https://static.xx.fbcdn.net/rsrc.php/v3/yP/l/0,cross/6MB_F4yiWj8.css?_nc_x=Ij3Wp8lg5Kz" data-bootloader-hash="HLTHBFO" /> equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.587487365.0000020955D3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: <head><meta charset="utf-8" /><meta name="referrer" content="origin-when-crossorigin" id="meta_referrer" /><script nonce="K7QJaGPk">function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env\|\|{},b(window.Env))}envFlush({"useTrustedTypes":false,"isTrustedTypesReportOnly":false,"ajaxpipe_token":"AXjZ6wGXtfhJEKvvluI","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ6iSpgOr5fQTsmS_eg","isCQuick":false});</script><script nonce="K7QJaGPk">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="K7QJaGPk"></style><script nonce="K7QJaGPk">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F&_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Log into Facebook</title><meta name="google" content="notranslate" /><meta name="description" content="Log into Facebook to start sharing and connecting with your friends, family, and people you know." /><meta property="og:site_name" content="Facebook" /><meta property="og:url" content="https://www.facebook.com/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F" /><meta property="og:locale" content="en_US" /><link rel="canonical" href="https://www.facebook.com/login/web/" /><link rel="icon" href="https://static.xx.fbcdn.net/rsrc.php/yv/r/B8BxsscfVBr.ico" /><link type="text/css" rel="stylesheet" href="https://static.xx.fbcdn.net/rsrc.php/v3/yP/l/0,cross/6MB_F4yiWj8.css?_nc_x=Ij3Wp8lg5Kz" data-bootloader-hash="HLTHBFO" /> equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.725776709.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: <head><meta charset="utf-8" /><meta name="referrer" content="origin-when-crossorigin" id="meta_referrer" /><script nonce="PjEgiD4s">function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env\|\|{},b(window.Env))}envFlush({"useTrustedTypes":false,"isTrustedTypesReportOnly":false,"ajaxpipe_token":"AXjZ6wGXtfhJEKvvcjo","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ6iSpgOr5fQTsmSyVs","isCQuick":false});</script><script nonce="PjEgiD4s">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="PjEgiD4s"></style><script nonce="PjEgiD4s">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F&_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Log into Facebook</title><meta name="google" content="notranslate" /><meta name="description" content="Log into Facebook to start sharing and connecting with your friends, family, and people you know." /><meta property="og:site_name" content="Facebook" /><meta property="og:url" content="https://www.facebook.com/login.php? equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.725776709.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: <head><meta charset="utf-8" /><meta name="referrer" content="origin-when-crossorigin" id="meta_referrer" /><script nonce="PjEgiD4s">function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env\|\|{},b(window.Env))}envFlush({"useTrustedTypes":false,"isTrustedTypesReportOnly":false,"ajaxpipe_token":"AXjZ6wGXtfhJEKvvcjo","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ6iSpgOr5fQTsmSyVs","isCQuick":false});</script><script nonce="PjEgiD4s">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="PjEgiD4s"></style><script nonce="PjEgiD4s">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F&_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Log into Facebook</title><meta name="google" content="notranslate" /><meta name="description" content="Log into Facebook to start sharing and connecting with your friends, family, and people you know." /><meta property="og:site_name" content="Facebook" /><meta property="og:url" content="https://www.facebook.com/login.php?m:* equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.727362332.0000020955D46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: <head><meta charset="utf-8" /><meta name="referrer" content="origin-when-crossorigin" id="meta_referrer" /><script nonce="PjEgiD4s">function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env\|\|{},b(window.Env))}envFlush({"useTrustedTypes":false,"isTrustedTypesReportOnly":false,"ajaxpipe_token":"AXjZ6wGXtfhJEKvvcjo","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ6iSpgOr5fQTsmSyVs","isCQuick":false});</script><script nonce="PjEgiD4s">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="PjEgiD4s"></style><script nonce="PjEgiD4s">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F&_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Log into Facebook</title><meta name="google" content="notranslate" /><meta name="description" content="Log into Facebook to start sharing and connecting with your friends, family, and people you know." /><meta property="og:site_name" content="Facebook" /><meta property="og:url" content="https://www.facebook.com/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F" /><meta property="og:locale" content="en_US" /><link rel="canonical" href="https://www.facebook.com/login/web/" /><link rel="icon" href="https://static.xx.fbcdn.net/rsrc.php/yv/r/B8BxsscfVBr.ico" /><link type="text/css" rel="stylesheet" href="https://static.xx.fbcdn.net/rsrc.php/v3/yP/l/0,cross/6MB_F4yiWj8.css?_nc_x=Ij3Wp8lg5Kz" data-bootloader-hash="HLTHBFO" /> equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.661661754.0000020955D07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: <head><meta charset="utf-8" /><meta name="referrer" content="origin-when-crossorigin" id="meta_referrer" /><script nonce="gItkpFkb">function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env\|\|{},b(window.Env))}envFlush({"useTrustedTypes":false,"isTrustedTypesReportOnly":false,"ajaxpipe_token":"AXjZ6wGXtfhJEKvvm6Q","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ6iSpgOr5fQTsmSj08","isCQuick":false});</script><script nonce="gItkpFkb">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="gItkpFkb"></style><script nonce="gItkpFkb">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F&_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Log into Facebook</title><meta name="google" content="notranslate" /><meta name="description" content="Log into Facebook to start sharing and connecting with your friends, family, and people you know." /><meta property="og:site_name" content="Facebook" /><meta property="og:url" content="https://www.facebook.com/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F" /><meta property="og:locale" content="en_US" /><link rel="canonical" href="https://www.facebook.com/login/web/" /><link rel="icon" href="https://static.xx.fbcdn.net/rsrc.php/yv/r/B8BxsscfVBr.ico" /><link type="text/css" rel="stylesheet" href="https://static.xx.fbcdn.net/rsrc.php/v3/yP/l/0,cross/6MB_F4yiWj8.css?_nc_x=Ij3Wp8lg5Kz" data-bootloader-hash="HLTHBFO" /> equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.682568528.0000020955D43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: <head><meta charset="utf-8" /><meta name="referrer" content="origin-when-crossorigin" id="meta_referrer" /><script nonce="jvZL36Ju">function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env\|\|{},b(window.Env))}envFlush({"useTrustedTypes":false,"isTrustedTypesReportOnly":false,"ajaxpipe_token":"AXjZ6wGXtfhJEKvvCvs","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ6iSpgOr5fQTsmSh_Y","isCQuick":false});</script><script nonce="jvZL36Ju">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="jvZL36Ju"></style><script nonce="jvZL36Ju">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F&_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Log into Facebook</title><meta name="google" content="notranslate" /><meta name="description" content="Log into Facebook to start sharing and connecting with your friends, family, and people you know." /><meta property="og:site_name" content="Facebook" /><meta property="og:url" content="https://www.facebook.com/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F" /><meta property="og:locale" content="en_US" /><link rel="canonical" href="https://www.facebook.com/login/web/" /><link rel="icon" href="https://static.xx.fbcdn.net/rsrc.php/yv/r/B8BxsscfVBr.ico" /><link type="text/css" rel="stylesheet" href="https://static.xx.fbcdn.net/rsrc.php/v3/yP/l/0,cross/6MB_F4yiWj8.css?_nc_x=Ij3Wp8lg5Kz" data-bootloader-hash="HLTHBFO" /> equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.872402384.0000020953C59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: <head><meta charset="utf-8" /><meta name="referrer" content="origin-when-crossorigin" id="meta_referrer" /><script nonce="q5tMiLYZ">function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env\|\|{},b(window.Env))}envFlush({"useTrustedTypes":false,"isTrustedTypesReportOnly":false,"ajaxpipe_token":"AXjZ6wGXtfhJEKvvsqM","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ6iSpgOr5fQTsmS7z4","isCQuick":false});</script><script nonce="q5tMiLYZ">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="q5tMiLYZ"></style><script nonce="q5tMiLYZ">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F&_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Log into Facebook</title><meta name="google" content="notranslate" /><meta name="description" content="Log into Facebook to start sharing and connecting with your friends, family, and people you know." /><meta property="og:site_name" content="Facebook" /><meta property="og:url" content="https://www.facebook.com/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F" /><meta property="og:locale" content="en_US" /><link rel="canonical" href="https://www.facebook.com/login/web/" /><link rel="icon" href="https://static.xx.fbcdn.net/rsrc.php/yv/r/B8BxsscfVBr.ico" /><link type="text/css" rel="stylesheet" href="https://static.xx.fbcdn.net/rsrc.php/v3/yP/l/0,cross/6MB_F4yiWj8.css?_nc_x=Ij3Wp8lg5Kz" data-bootloader-hash="HLTHBFO" /> equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.747762577.0000020955D10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: <head><meta charset="utf-8" /><meta name="referrer" content="origin-when-crossorigin" id="meta_referrer" /><script nonce="w5qfH0fp">function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env\|\|{},b(window.Env))}envFlush({"useTrustedTypes":false,"isTrustedTypesReportOnly":false,"ajaxpipe_token":"AXjZ6wGXtfhJEKvvnZ4","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ6iSpgOr5fQTsmS_Fw","isCQuick":false});</script><script nonce="w5qfH0fp">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="w5qfH0fp"></style><script nonce="w5qfH0fp">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F&_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Log into Facebook</title><meta name="google" content="notranslate" /><meta name="description" content="Log into Facebook to start sharing and connecting with your friends, family, and people you know." /><meta property="og:site_name" content="Facebook" /><meta property="og:url" content="https://www.facebook.com/login.php? equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.747762577.0000020955D10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: <head><meta charset="utf-8" /><meta name="referrer" content="origin-when-crossorigin" id="meta_referrer" /><script nonce="w5qfH0fp">function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env\|\|{},b(window.Env))}envFlush({"useTrustedTypes":false,"isTrustedTypesReportOnly":false,"ajaxpipe_token":"AXjZ6wGXtfhJEKvvnZ4","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ6iSpgOr5fQTsmS_Fw","isCQuick":false});</script><script nonce="w5qfH0fp">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="w5qfH0fp"></style><script nonce="w5qfH0fp">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F&_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Log into Facebook</title><meta name="google" content="notranslate" /><meta name="description" content="Log into Facebook to start sharing and connecting with your friends, family, and people you know." /><meta property="og:site_name" content="Facebook" /><meta property="og:url" content="https://www.facebook.com/login.php?//*. equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.746443120.0000020955D4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: <head><meta charset="utf-8" /><meta name="referrer" content="origin-when-crossorigin" id="meta_referrer" /><script nonce="w5qfH0fp">function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env\|\|{},b(window.Env))}envFlush({"useTrustedTypes":false,"isTrustedTypesReportOnly":false,"ajaxpipe_token":"AXjZ6wGXtfhJEKvvnZ4","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ6iSpgOr5fQTsmS_Fw","isCQuick":false});</script><script nonce="w5qfH0fp">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="w5qfH0fp"></style><script nonce="w5qfH0fp">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F&_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Log into Facebook</title><meta name="google" content="notranslate" /><meta name="description" content="Log into Facebook to start sharing and connecting with your friends, family, and people you know." /><meta property="og:site_name" content="Facebook" /><meta property="og:url" content="https://www.facebook.com/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F" /><meta property="og:locale" content="en_US" /><link rel="canonical" href="https://www.facebook.com/login/web/" /><link rel="icon" href="https://static.xx.fbcdn.net/rsrc.php/yv/r/B8BxsscfVBr.ico" /><link type="text/css" rel="stylesheet" href="https://static.xx.fbcdn.net/rsrc.php/v3/yP/l/0,cross/6MB_F4yiWj8.css?_nc_x=Ij3Wp8lg5Kz" data-bootloader-hash="HLTHBFO" /> equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.727495452.0000020953C18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: >function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env\|\|{},b(window.Env))}envFlush({"useTrustedTypes":false,"isTrustedTypesReportOnly":false,"ajaxpipe_token":"AXjZ6wGXtfhJEKvvcjo","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ6iSpgOr5fQTsmSyVs","isCQuick":false});</script><script nonce="PjEgiD4s">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="PjEgiD4s"></style><script nonce="PjEgiD4s">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F&_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Log into Facebook</title><meta name="google" content="notranslate" /><meta name="description" content="Log into Facebook to start sharing and connecting with your friends, family, and people you know." /><meta property="og:site_name" content="Facebook" /><meta property="og:url" content="https://www.facebook.com/login.php? equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.727495452.0000020953C18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: >function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env\|\|{},b(window.Env))}envFlush({"useTrustedTypes":false,"isTrustedTypesReportOnly":false,"ajaxpipe_token":"AXjZ6wGXtfhJEKvvcjo","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ6iSpgOr5fQTsmSyVs","isCQuick":false});</script><script nonce="PjEgiD4s">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="PjEgiD4s"></style><script nonce="PjEgiD4s">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F&_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Log into Facebook</title><meta name="google" content="notranslate" /><meta name="description" content="Log into Facebook to start sharing and connecting with your friends, family, and people you know." /><meta property="og:site_name" content="Facebook" /><meta property="og:url" content="https://www.facebook.com/login.php?m:* equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.661727127.0000020953C18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: >function envFlush(a){function b(b){for(var c in a)b[c]=a[c]}window.requireLazy?window.requireLazy(["Env"],b):(window.Env=window.Env\|\|{},b(window.Env))}envFlush({"useTrustedTypes":false,"isTrustedTypesReportOnly":false,"ajaxpipe_token":"AXjZ6wGXtfhJEKvvm6Q","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ6iSpgOr5fQTsmSj08","isCQuick":false});</script><script nonce="gItkpFkb">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="gItkpFkb"></style><script nonce="gItkpFkb">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F&_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Log into Facebook</title><meta name="google" content="notranslate" /><meta name="description" content="Log into Facebook to start sharing and connecting with your friends, family, and people you know." /><meta property="og:site_name" content="Facebook" /><meta property="og:url" content="https://www.facebook.com/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F" /><meta property="og:locale" content="en_US" /><link rel="canonical" href="https://www.facebook.com/login/web/" /><link rel="icon" href="https://static.xx.fbcdn.net/rsrc.php/yv/r/B8BxsscfVBr.ico" /><link type="text/css" rel="stylesheet" href="https://static.xx.fbcdn.net/rsrc.php/v3/yP/l/0,cross/6MB_F4yiWj8.css?_nc_x=Ij3Wp8lg5Kz" data-bootloader-hash="HLTHBFO" /> equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.610737115.0000020953C18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Alt-Svch3=":443"; ma=86400X-FB-DebuggmehyYXMg1+ey3yqPFBag0YEMHmL5pG1hxXbYfFfhhQI6XO/ckZtT0pyogRBArRDf/X3IAr4ilCv8lYOuImH2g==origin-agent-cluster?0X-Frame-OptionsDENYX-XSS-Protection0X-Content-Type-Optionsnosniffcross-origin-opener-policyunsafe-nonepermissions-policyaccelerometer=(), ambient-light-sensor=(), bluetooth=(), gyroscope=(), hid=(), idle-detection=(), magnetometer=(), midi=(), screen-wake-lock=(), serial=(), usb=()document-policyforce-load-at-topcontent-security-policydefault-src data: blob: 'self' https://.fbsbx.com 'unsafe-inline' .facebook.com .fbcdn.net 'unsafe-eval';script-src .facebook.com .fbcdn.net 'unsafe-inline' blob: data: 'self' 'unsafe-eval';style-src .fbcdn.net data: .facebook.com 'unsafe-inline';connect-src .facebook.com facebook.com .fbcdn.net wss://.facebook.com:* wss://.fbcdn.net attachment.fbsbx.com blob: .cdninstagram.com 'self' http://localhost:3103 wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ .fbsbx.com;font-src data: .facebook.com .fbcdn.net .fbsbx.com;img-src .fbcdn.net .facebook.com data: https://.fbsbx.com facebook.com .cdninstagram.com fbsbx.com fbcdn.net blob: android-webview-video-poster: .oculuscdn.com;media-src .cdninstagram.com blob: .fbcdn.net .fbsbx.com www.facebook.com .facebook.com data:;frame-src .facebook.com .fbsbx.com fbsbx.com data: .fbcdn.net;worker-src blob: *.facebook.com data:;block-all-mixed-content;upgrade-insecure-requests;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0;x-fb-rlafr0report-to{"max_age":259200,"endpoints":[{"url":"https:\/\/www.facebook.com\/ajax\/browser_error_reports\/?device_level=unknown"}]}Persistent-AuthWWW-AuthenticateAccept-EncodingVarySet-CookieServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedSat, 01 Jan 2000 00:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset="utf-8"Content-TypeContent-LengthAllowWarningViaUpgradechunkedTransfer-EncodingTrailerno-cachePragmaKeep-AliveSun, 28 May 2023 08:45:46 GMTDateProxy-ConnectioncloseConnectionprivate, no-cache, no-store, must-revalidateCache-Control equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.727277881.0000020955D05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Alt-Svch3=":443"; ma=86400X-FB-DebugkLiwdoWT6OkK4J5Xj0wPb5pD3KW2wuxjsgotru6Yb50171aOAO8cqAfUFyVvha/oiVuSl9TdKbaHNBuL3sXqLg==origin-agent-cluster?0X-Frame-OptionsDENYX-XSS-Protection0X-Content-Type-Optionsnosniffcross-origin-opener-policyunsafe-nonepermissions-policyaccelerometer=(), ambient-light-sensor=(), bluetooth=(), gyroscope=(), hid=(), idle-detection=(), magnetometer=(), midi=(), screen-wake-lock=(), serial=(), usb=()document-policyforce-load-at-topcontent-security-policydefault-src data: blob: 'self' https://.fbsbx.com 'unsafe-inline' .facebook.com .fbcdn.net 'unsafe-eval';script-src .facebook.com .fbcdn.net 'unsafe-inline' blob: data: 'self' 'unsafe-eval';style-src .fbcdn.net data: .facebook.com 'unsafe-inline';connect-src .facebook.com facebook.com .fbcdn.net wss://.facebook.com:* wss://.fbcdn.net attachment.fbsbx.com blob: .cdninstagram.com 'self' http://localhost:3103 wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ .fbsbx.com;font-src data: .facebook.com .fbcdn.net .fbsbx.com;img-src .fbcdn.net .facebook.com data: https://.fbsbx.com facebook.com .cdninstagram.com fbsbx.com fbcdn.net blob: android-webview-video-poster: .oculuscdn.com;media-src .cdninstagram.com blob: .fbcdn.net .fbsbx.com www.facebook.com .facebook.com data:;frame-src .facebook.com .fbsbx.com fbsbx.com data: .fbcdn.net;worker-src blob: *.facebook.com data:;block-all-mixed-content;upgrade-insecure-requests;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0;x-fb-rlafr0report-to{"max_age":259200,"endpoints":[{"url":"https:\/\/www.facebook.com\/ajax\/browser_error_reports\/?device_level=unknown"}]}Persistent-AuthWWW-AuthenticateAccept-EncodingVarySet-CookieServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedSat, 01 Jan 2000 00:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset="utf-8"Content-TypeContent-LengthAllowWarningViaUpgradechunkedTransfer-EncodingTrailerno-cachePragmaKeep-AliveSun, 28 May 2023 08:46:41 GMTDateProxy-ConnectioncloseConnectionprivate, no-cache, no-store, must-revalidateCache-Controlchat-latest equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.747762577.0000020955D10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Alt-Svch3=":443"; ma=86400X-FB-Debugv0C7nfInVnr7S+B7brywKMFwKg0Cnp6vE7FY99fIhbLsrJ/kncAj07R9PUCvjH322SEeOqcAMTK9h909XwKSbQ==origin-agent-cluster?0X-Frame-OptionsDENYX-XSS-Protection0X-Content-Type-Optionsnosniffcross-origin-opener-policyunsafe-nonepermissions-policyaccelerometer=(), ambient-light-sensor=(), bluetooth=(), gyroscope=(), hid=(), idle-detection=(), magnetometer=(), midi=(), screen-wake-lock=(), serial=(), usb=()document-policyforce-load-at-topcontent-security-policydefault-src data: blob: 'self' https://.fbsbx.com 'unsafe-inline' .facebook.com .fbcdn.net 'unsafe-eval';script-src .facebook.com .fbcdn.net 'unsafe-inline' blob: data: 'self' 'unsafe-eval';style-src .fbcdn.net data: .facebook.com 'unsafe-inline';connect-src .facebook.com facebook.com .fbcdn.net wss://.facebook.com:* wss://.fbcdn.net attachment.fbsbx.com blob: .cdninstagram.com 'self' http://localhost:3103 wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ .fbsbx.com;font-src data: .facebook.com .fbcdn.net .fbsbx.com;img-src .fbcdn.net .facebook.com data: https://.fbsbx.com facebook.com .cdninstagram.com fbsbx.com fbcdn.net blob: android-webview-video-poster: .oculuscdn.com;media-src .cdninstagram.com blob: .fbcdn.net .fbsbx.com www.facebook.com .facebook.com data:;frame-src .facebook.com .fbsbx.com fbsbx.com data: .fbcdn.net;worker-src blob: *.facebook.com data:;block-all-mixed-content;upgrade-insecure-requests;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0;x-fb-rlafr0report-to{"max_age":259200,"endpoints":[{"url":"https:\/\/www.facebook.com\/ajax\/browser_error_reports\/?device_level=unknown"}]}Persistent-AuthWWW-AuthenticateAccept-EncodingVarySet-CookieServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedSat, 01 Jan 2000 00:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset="utf-8"Content-TypeContent-LengthAllowWarningViaUpgradechunkedTransfer-EncodingTrailerno-cachePragmaKeep-AliveSun, 28 May 2023 08:46:51 GMTDateProxy-ConnectioncloseConnectionprivate, no-cache, no-store, must-revalidateCache-Control equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.872402384.0000020953C16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: F" /><meta property="og:locale" content="en_US" /><link rel="canonical" href="https://www.facebook.com/login/web/" /><link rel="icon" href="https://static.xx.fbcdn.net/rsrc.php/yv/r/B8BxsscfVBr.ico" /><link type="text/css" rel="stylesheet" href="https://static.xx.fbcdn.net/rsrc.php/v3/yP/l/0,cross/6MB_F4yiWj8.css?_nc_x=Ij3Wp8lg5Kz" data-bootloader-hash="HLTHBFO" /> equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000002.895672737.0000020953BE1000.00000004.00000001.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.895672737.0000020953B7B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: FJHwww.facebook.com equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.747091320.0000020955D07000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.610458087.0000020955D0D000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.685730378.0000020955CFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Host: www.facebook.com equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000002.898715266.0000020953C70000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: InitOnceExecuteOnceCreateSemaphoreWCreateSemaphoreExWCreateThreadpoolTimerSetThreadpoolTimerWaitForThreadpoolTimerCallbacksCloseThreadpoolTimerCreateThreadpoolWaitSetThreadpoolWaitCloseThreadpoolWaitFlushProcessWriteBuffersFreeLibraryWhenCallbackReturnsGetCurrentProcessorNumberCreateSymbolicLinkWGetCurrentPackageIdSetFileInformationByHandleInitializeConditionVariableWakeConditionVariableInitializeSRWLockAcquireSRWLockExclusiveTryAcquireSRWLockExclusiveReleaseSRWLockExclusiveSleepConditionVariableSRWCreateThreadpoolWorkSubmitThreadpoolWorkCloseThreadpoolWorkUnknown exceptionbad array new lengthstring too longmap/set too longMUI1stallinis0tallsisincmaduin_pwuerc_uslndbUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Edg/111.0.1661.62https://www.facebook.com/ed/login/ice-bas/login/dev"="st"azoe"jsd""luid"=urce""sot=oesjazlsd&d=&uirce=&souxt=&nehttps://www.facebook.com/login/device-based/login/c_uonkieJscooocohttps://adsmanager.facebook.com/ads/manager/account_settings/account_billing/D:accountI{accountIdpayInfohttps://adsmanager.facebook.com/ads/manager/accounts</tbody>><tbody</tr><tr?act</td> <tdlastRowdata-sortpaidbilling_statushttps://adsmanager.facebook.com/ads/manager/account_settings/account_billing/?act=&pid=p1&page=account_settings&tab=account_billing_settingsaccess_token:{accountID:https://graph.facebook.com/v15.0/act_fb_uid?access_token=fb_access_token&_reqName=adaccount&_reqSrc=AdsCMPaymentsAccountDataDispatcher&fields=%5B%22active_billing_date_preference%7Bday_of_month%2Cid%2Cnext_bill_date%2Ctime_created%2Ctime_effective%7D%22%2C%22can_pay_now%22%2C%22can_repay_now%22%2C%22current_unbilled_spend%22%2C%22extended_credit_info%22%2C%22is_br_entity_account%22%2C%22has_extended_credit%22%2C%22max_billing_threshold%22%2C%22min_billing_threshold%22%2C%22min_payment%22%2C%22next_bill_date%22%2C%22pending_billing_date_preference%7Bday_of_month%2Cid%2Cnext_bill_date%2Ctime_created%2Ctime_effective%7D%22%2C%22promotion_progress_bar_info%22%2C%22show_improved_boleto%22%2C%22business%7Bid%2Cname%2Cpayment_account_id%7D%22%2C%22total_prepay_balance%22%2C%22is_in_3ds_authorization_enabled_market%22%2C%22current_unpaid_unrepaid_invoice%22%2C%22has_repay_processing_invoices%22%5D&include_headers=false&method=get&pretty=0&suppress_http_code=1fb_uidfb_access_tokencan_pay_nowhttps://business.facebook.com/selectbusiness_id=businessookmarkshttps://www.facebook.com/pages/?category=your_pages&ref=b}:unt"le_switcher_eligible_profiles":{"co"profiageomePhasHmePhasHohttp://ss.apjeoighw.com/check/safe{"sid":0,"time":0,"rand_str":""}http://ss.apjeoighw.com/check/?sid=si#IO$J2&89DFJ2^984%7FJfj<>asi?h3.728*fhastime_strandrJOhf01(92)3j5kl3;4y:jdF9%3gj,IH@<F7>84\|8y&keinvalid vector subscriptinvalid string positionvector too long equals www.facebook.com (Facebook)
Source: BDC0.exe, 00000013.00000003.476372358.0000000009890000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: URL=http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: BDC0.exe, 00000013.00000003.476625971.0000000009890000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: URL=http://www.twitter.com/ equals www.twitter.com (Twitter)
Source: BDC0.exe, 00000013.00000003.476682552.0000000009890000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: URL=http://www.youtube.com/ equals www.youtube.com (Youtube)
Source: aafg31.exe, 00000015.00000002.895672737.0000020953BEF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: UXhaR00yTm1ZeU5qZzJPVGhpTnpobVpERTBZalV3T0NJc0lDSndZWGxKYm1adklqb2dabUZzYzJVc0lDSjFhV1FpT2lBaU1qSXpNU0lzSUNKMWJsOXdkMlFpT2lBaUlleUpoWTJOdmRXNTBTV1FpT2lBaUlpd2dJbU52YjJ0cFpVcHpiMjRpT2lCYlhTd2dJbWx6YVc1emRHRnNiQ0k2SUNJd0lpd2dJbTFoWXlJNklDSmxZV1ExWkdJNE5HbjA9/www.facebook.com/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.747896229.0000020955CFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: com/csp/reporting/?m=c&minimize=0;x-fb-rlafr0Persistent-AuthWWW-AuthenticateAccept-EncodingVarySet-CookieServerRetry-AfterProxy-SupportProxy-AuthenticateP3Phttps://www.facebook.com/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2FLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedSat, 01 Jan 2000 00:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset="utf-8"Content-Type0Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerno-cachePragmaKeep-AliveSun, 28 May 2023 08:46:50 GMTDateProxy-ConnectioncloseConnectionprivate, no-cache, no-store, must-revalidateCache-Control; equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.747762577.0000020955D10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src data: blob: 'self' https://.fbsbx.com 'unsafe-inline' .facebook.com .fbcdn.net 'unsafe-eval';script-src .facebook.com .fbcdn.net 'unsafe-inline' blob: data: 'self' 'unsafe-eval';style-src .fbcdn.net data: .facebook.com 'unsafe-inline';connect-src .facebook.com facebook.com .fbcdn.net wss://.facebook.com:* wss://.fbcdn.net attachment.fbsbx.com blob: .cdninstagram.com 'self' http://localhost:3103 wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ .fbsbx.com;font-src data: .facebook.com .fbcdn.net .fbsbx.com;img-src .fbcdn.net .facebook.com data: https://.fbsbx.com facebook.com .cdninstagram.com fbsbx.com fbcdn.net blob: android-webview-video-poster: .oculuscdn.com;media-src .cdninstagram.com blob: .fbcdn.net .fbsbx.com www.facebook.com .facebook.com data:;frame-src .facebook.com .fbsbx.com fbsbx.com data: .fbcdn.net;worker-src blob: *.facebook.com data:;block-all-mixed-content;upgrade-insecure-requests;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0; equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.701563103.0000020955D04000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.727277881.0000020955D05000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.692080940.0000020955D04000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.727495452.0000020953C18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000002.895672737.0000020953B7B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F: equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.727277881.0000020955D05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F\ equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.692080940.0000020955D04000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2Fcebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2FleT equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.661661754.0000020955D07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2Fe equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.661727127.0000020953C18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2Flp equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.692080940.0000020955D04000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2Fzef equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.872402384.0000020953C16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com:443 equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.661661754.0000020955D07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com:443/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.692080940.0000020955D04000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com:443/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2FHep equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.727277881.0000020955D05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com:443/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2FVe equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.661480969.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661727127.0000020953C18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com:4435@ equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.586782794.0000020953C18000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.586487375.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com:443H@ equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.610737115.0000020953C18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com:443W@ equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000002.897089501.0000020953C17000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.893794196.0000020953C16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com:443eck/?sid=437712&key=e0936dbb5215a1cc85afbf7dbb62727dm equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.747458130.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com:443om:443/ads/manager/account_settings/account_billing/MjIzMSIsICJ1bl9wd2QiOiAiIn0=zA equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.727277881.0000020955D05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.comtion/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.92e equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000002.895672737.0000020953BEF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: ihttps://www.facebook.com/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000002.895672737.0000020953BEF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: ihttps://www.facebook.com/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2Fb equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000002.898715266.0000020953C70000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: iostreambad castbad locale nameios_base::badbit setios_base::failbit setios_base::eofbit setinvalid stoi argumentstoi argument out of range^(([^:\/?#]+):)?(//([^\/?#:])(:([^\/?#]))?)?([^?#])(\?([^#]))?(#(.))?httphttps?POSTGET/device-based/loginContent-Type: application/x-www-form-urlencodedfacebooksec-ch-ua: "Microsoft Edge";v="111", "Not(A:Brand";v="8", "Chromium";v="111"ed-exchange;v=b3;q=0.9ng,/;q=0.8,application/signapplication/xml;q=0.9,image/webp,image/apation/xhtml+xml,Accept: text/html,applic0.1,eu;q=0.1;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,anq=0.9;q=0.8,ja;q=0.7,af;Accept-Language: en,ion: keep-alivectConne/selectHost: business.facebook.comsec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Mode: navigate: ?1Sec-Fetch-Userest: documentSec-Fetch-Dame-originch-Site: sSec-Fet/accountsHost: adsmanager.facebook.com/ads/manager/account_settings/account_billingadsmanager.facebook.combusiness.facebook.comok.comceboHost: www.fabile: ?0a-mosec-ch-urm: "Windows"latfosec-ch-ua-polor-scheme: lightefers-csec-ch-precure-Requests: 1de-InsUpgraetch-Site: noneSec-Fode: navigateetch-Mer: ?1c-Fetch-UsSementest: docutch-DSec-Fe/v15.0/k.comcebooHost: graph.fadows": "Winsec-ch-ua-platform-urlencodedpplication/x-www-formContent-type: aept: /*AccaceboOrigin: https://www.fame-sitetch-Site: stch-Mode: corsmptych-Dest: eook.com///www.facebReferer: https:ook.comw.facebHost: wwobile: ?0-ch-ua-msecindows"a-platform: "Ws-color-scheme: lightprefersec-ch-equests: 1ecure-RUpgrade-InsSec-Fetch-Site: noneMode: navigateSec-Fetch-ser: ?1Sec-Fetch-Uentst: documSec-Fetch-DeSec-Fetch-Site: same-originCache-Control: max-age=0vector<bool> too longalnumalnumalphaalphablankblankcntrlcntrlddigitdigitgraphgraphlowerlowerprintprintpunctpunctspacespacesupperupperwwxdigitxdigitHq equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.891215691.0000020955C11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: once="Iy8oG6YM">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F&_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Log into Facebook</title><meta name="google" content="notranslate" /><meta name="description" content="Log into Facebook to start sharing and connecting with your friends, family, and people you know." /><meta property="og:site_name" content="Facebook" /><meta property="og:url" content="https://www.facebook.com/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F" /><meta property="og:locale" content="en_US" /><link rel="canonical" href="https://www.facebook.com/login/web/" /><link rel="icon" href="https://static.xx.fbcdn.net/rsrc.php/yv/r/B8BxsscfVBr.ico" /><link type="text/css" rel="stylesheet" href="https://static.xx.fbcdn.net/rsrc.php/v3/yP/l/0,cross/6MB_F4yiWj8.css?_nc_x=Ij3Wp8lg5Kz" data-bootloader-hash="HLTHBFO" /> equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.679360802.0000020955D00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: once="gItkpFkb">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F&_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Log into Facebook</title><meta name="google" content="notranslate" /><meta name="description" content="Log into Facebook to start sharing and connecting with your friends, family, and people you know." /><meta property="og:site_name" content="Facebook" /><meta property="og:url" content="https://www.facebook.com/login.php? equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.679360802.0000020955D00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: once="gItkpFkb">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F&_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Log into Facebook</title><meta name="google" content="notranslate" /><meta name="description" content="Log into Facebook to start sharing and connecting with your friends, family, and people you know." /><meta property="og:site_name" content="Facebook" /><meta property="og:url" content="https://www.facebook.com/login.php?b equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.869877378.0000020955C11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: once="q5tMiLYZ">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F&_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Log into Facebook</title><meta name="google" content="notranslate" /><meta name="description" content="Log into Facebook to start sharing and connecting with your friends, family, and people you know." /><meta property="og:site_name" content="Facebook" /><meta property="og:url" content="https://www.facebook.com/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F" /><meta property="og:locale" content="en_US" /><link rel="canonical" href="https://www.facebook.com/login/web/" /><link rel="icon" href="https://static.xx.fbcdn.net/rsrc.php/yv/r/B8BxsscfVBr.ico" /><link type="text/css" rel="stylesheet" href="https://static.xx.fbcdn.net/rsrc.php/v3/yP/l/0,cross/6MB_F4yiWj8.css?_nc_x=Ij3Wp8lg5Kz" data-bootloader-hash="HLTHBFO" /> equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.747896229.0000020955CFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: pipe_token":"AXjZ6wGXtfhJEKvvnZ4","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ6iSpgOr5fQTsmS_Fw","isCQuick":false});</script><script nonce="w5qfH0fp">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="w5qfH0fp"></style><script nonce="w5qfH0fp">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F&_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Log into Facebook</title><meta name="google" content="notranslate" /><meta name="description" content="Log into Facebook to start sharing and connecting with your friends, family, and people you know." /><meta property="og:site_name" content="Facebook" /><meta property="og:url" content="https://www.facebook.com/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F" /><meta property="og:locale" content="en_US" /><link rel="canonical" href="https://www.facebook.com/login/web/" /><link rel="icon" href="https://static.xx.fbcdn.net/rsrc.php/yv/r/B8BxsscfVBr.ico" /><link type="text/css" rel="stylesheet" href="https://static.xx.fbcdn.net/rsrc.php/v3/yP/l/0,cross/6MB_F4yiWj8.css?_nc_x=Ij3Wp8lg5Kz" data-bootloader-hash="HLTHBFO" /> equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.872402384.0000020953C59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: poster: .oculuscdn.com;media-src .cdninstagram.com blob: .fbcdn.net .fbsbx.com www.facebook.com .facebook.com data:;frame-src .facebook.com .fbsbx.com fbsbx.com data: .fbcdn.net;worker-src blob: *.facebook.com data:;block-all-mixed-content;upgrade-insecure-requests;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0; equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.644636498.0000020953C1A000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.747458130.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.586782794.0000020953C18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.725776709.0000020953C04000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comDj? equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000002.895672737.0000020953B7B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comHTEP equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000002.895672737.0000020953BEF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comZ equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.892827797.0000020953C04000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com`k[ equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.644636498.0000020953C1A000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.747458130.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.586782794.0000020953C18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comhWW equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000002.895672737.0000020953B7B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comhtep equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.872402384.0000020953C16000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.725776709.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.727495452.0000020953C18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comm equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000002.895672737.0000020953BEF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comok.com equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000002.895672737.0000020953B7B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comok.com;q=07 equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000002.895672737.0000020953BE1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comt equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.586782794.0000020953C18000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.586487375.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comt_ equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000002.897089501.0000020953C17000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.893794196.0000020953C16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comzA equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.725776709.0000020953C04000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com\|jW equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.586487375.0000020953C07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: zy(["Env"],b):(window.Env=window.Env\|\|{},b(window.Env))}envFlush({"useTrustedTypes":false,"isTrustedTypesReportOnly":false,"ajaxpipe_token":"AXjZ6wGXtfhJEKvvluI","gk_instrument_object_url":true,"stack_trace_limit":30,"timesliceBufferSize":5000,"show_invariant_decoder":false,"compat_iframe_token":"AQ6iSpgOr5fQTsmS_eg","isCQuick":false});</script><script nonce="K7QJaGPk">(function(a){function b(b){if(!window.openDatabase)return;b.I_AM_INCOGNITO_AND_I_REALLY_NEED_WEBSQL=function(a,b,c,d){return window.openDatabase(a,b,c,d)};window.openDatabase=function(){throw new Error()}}b(a)})(this);</script><style nonce="K7QJaGPk"></style><script nonce="K7QJaGPk">__DEV__=0;</script><noscript><meta http-equiv="refresh" content="0; URL=/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F&_fb_noscript=1" /></noscript><link rel="manifest" id="MANIFEST_LINK" href="/data/manifest/" crossorigin="use-credentials" /><title id="pageTitle">Log into Facebook</title><meta name="google" content="notranslate" /><meta name="description" content="Log into Facebook to start sharing and connecting with your friends, family, and people you know." /><meta property="og:site_name" content="Facebook" /><meta property="og:url" content="https://www.facebook.com/login.php?next=https%3A%2F%2Fadsmanager.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing%2F" /><meta property="og:locale" content="en_US" /><link rel="canonical" href="https://www.facebook.com/login/web/" /><link rel="icon" href="https://static.xx.fbcdn.net/rsrc.php/yv/r/B8BxsscfVBr.ico" /><link type="text/css" rel="stylesheet" href="https://static.xx.fbcdn.net/rsrc.php/v3/yP/l/0,cross/6MB_F4yiWj8.css?_nc_x=Ij3Wp8lg5Kz" data-bootloader-hash="HLTHBFO" /> equals www.facebook.com (Facebook)
Source: aafg31.exe, 00000015.00000003.747091320.0000020955D07000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.727706340.0000020955D09000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.727277881.0000020955D05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: {"max_age":259200,"endpoints":[{"url":"https:\/\/www.facebook.com\/ajax\/browser_error_reports\/?device_level=unknown"}]} equals www.facebook.com (Facebook)

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 00000029.00000002.507218040.0000000000830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.460449041.00000000022E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.397221431.0000000000871000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.460185114.00000000007F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.507318867.0000000002321000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.397209073.0000000000850000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: 02107799.exe, 00000000.00000002.397249500.000000000092A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands

Found ransom note / readme

Source: C:\_readme.txt

Dropped file: ATTENTION!Don't worry, you can return all your files!All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.The only method of recovering files is to purchase decrypt tool and unique key for you.This software will decrypt all your encrypted files.What guarantees you have?You can send one of your encrypted file from your PC and we decrypt it for free.But we can decrypt only 1 file for free. File must not contain valuable information.You can get and look video overview decrypt tool:https://we.tl/t-tnzomMj6HUPrice of private key and decrypt software is $980.Discount 50% available if you contact us first 72 hours, that's price for you is $490.Please note that you'll never restore your data without payment.Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.To get this software you need write on our e-mail:support@freshmail.topReserve e-mail address to contact us:datarestorehelp@airmail.ccYour personal ID:0717JOsie5MivdxIsjUGGGxmy4wa3GzTKau2fLCnJ4rWgvwBY

Yara detected Babuk Ransomware

Source: Yara match	File source: Process Memory Space: BDC0.exe PID: 5484, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BDC0.exe PID: 2900, type: MEMORYSTR

Yara detected Djvu Ransomware

Source: Yara match	File source: 39.2.794C.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.BDC0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.BDC0.exe.24715a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.BDC0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.8DD2.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.BDC0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.794C.exe.24615a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.BDC0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.BDC0.exe.24715a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.BDC0.exe.24115a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.BDC0.exe.24815a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.BDC0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.BDC0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.946D.exe.24b15a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.946D.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.BDC0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.BDC0.exe.24815a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.BDC0.exe.24115a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.BDC0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.BDC0.exe.25115a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.794C.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.8DD2.exe.25215a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.8DD2.exe.25215a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.8DD2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.946D.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.794C.exe.24615a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.946D.exe.24b15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.BDC0.exe.25115a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000002.463532414.0000000002410000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.453783695.0000000002510000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.507378893.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.508427363.0000000002520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.512282252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.461344715.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.895547083.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.490394408.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.895386251.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.498086364.0000000002460000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.463587041.0000000002480000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.509612718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.497982449.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.502966627.0000000002470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BDC0.exe PID: 6912, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BDC0.exe PID: 7044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BDC0.exe PID: 4248, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BDC0.exe PID: 5484, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BDC0.exe PID: 1516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BDC0.exe PID: 2900, type: MEMORYSTR

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	File moved: C:\Users\user\Desktop\NWCXBPIUYI.jpg
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	File deleted: C:\Users\user\Desktop\NWCXBPIUYI.jpg
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	File moved: C:\Users\user\Desktop\EIVQSAOTAQ.docx
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	File deleted: C:\Users\user\Desktop\EIVQSAOTAQ.docx
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	File moved: C:\Users\user\Desktop\KLIZUSIQEN.pdf

Writes a notice file (html or txt) to demand a ransom

Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	File dropped: C:\_readme.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.you can get and look video overview decrypt tool:https://we.tl/t-tnzommj6huprice of private key and decrypt software is $980.discount 50% available if you contact us first 72 hours, that's price for you is $490.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@freshmail.topreserve e-mail address to contact us:datarestorehelp@airmail.ccyour personal id:0717josie5mivdxisjugggxmy4wa3gztkau2flcnj4rwgvwby
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	File dropped: C:\Users\user\_readme.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.you can get and look video overview decrypt tool:https://we.tl/t-tnzommj6huprice of private key and decrypt software is $980.discount 50% available if you contact us first 72 hours, that's price for you is $490.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@freshmail.topreserve e-mail address to contact us:datarestorehelp@airmail.ccyour personal id:0717josie5mivdxisjugggxmy4wa3gztkau2flcnj4rwgvwby

System Summary

Malicious sample detected (through community Yara rule)

Source: 39.2.794C.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 39.2.794C.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 31.2.BDC0.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 31.2.BDC0.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 26.2.BDC0.exe.24715a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 26.2.BDC0.exe.24715a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.2.BDC0.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.2.BDC0.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 37.2.8DD2.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 37.2.8DD2.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 31.2.BDC0.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 31.2.BDC0.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 36.2.794C.exe.24615a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 36.2.794C.exe.24615a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.2.BDC0.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.2.BDC0.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 26.2.BDC0.exe.24715a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 26.2.BDC0.exe.24715a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 18.2.BDC0.exe.24115a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 18.2.BDC0.exe.24115a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 11.2.BDC0.exe.24815a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 11.2.BDC0.exe.24815a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 19.2.BDC0.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 19.2.BDC0.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.2.BDC0.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.2.BDC0.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 30.2.946D.exe.24b15a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 30.2.946D.exe.24b15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 32.2.946D.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 32.2.946D.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 19.2.BDC0.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 19.2.BDC0.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 11.2.BDC0.exe.24815a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 11.2.BDC0.exe.24815a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 18.2.BDC0.exe.24115a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 18.2.BDC0.exe.24115a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.2.BDC0.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.2.BDC0.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.2.BDC0.exe.25115a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.2.BDC0.exe.25115a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 39.2.794C.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 39.2.794C.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 33.2.8DD2.exe.25215a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 33.2.8DD2.exe.25215a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 33.2.8DD2.exe.25215a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 33.2.8DD2.exe.25215a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 37.2.8DD2.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 37.2.8DD2.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 32.2.946D.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 32.2.946D.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 36.2.794C.exe.24615a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 36.2.794C.exe.24615a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 30.2.946D.exe.24b15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 30.2.946D.exe.24b15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.2.BDC0.exe.25115a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.2.BDC0.exe.25115a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 20.0.223E.exe.700000.0.unpack, type: UNPACKEDPE	Matched rule: Detects downloader / injector Author: ditekSHen
Source: 00000029.00000002.507218040.0000000000830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000007.00000002.466741568.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000007.00000002.466859544.0000000000818000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000012.00000002.463532414.0000000002410000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000004.00000002.460136042.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000004.00000002.460449041.00000000022E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000021.00000002.506259651.000000000234D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.397201524.0000000000840000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000024.00000002.497942098.00000000023CD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.397221431.0000000000871000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000004.00000002.460185114.00000000007F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000005.00000002.453783695.0000000002510000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000012.00000002.463290987.0000000002349000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000025.00000002.507378893.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000025.00000002.507378893.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000001A.00000002.500648966.00000000022CF000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000021.00000002.508427363.0000000002520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000027.00000002.512282252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000027.00000002.512282252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000029.00000002.507318867.0000000002321000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000004.00000002.460041377.00000000006E8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000029.00000002.507033636.00000000006B8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000006.00000002.461344715.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000006.00000002.461344715.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000011.00000002.895547083.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000011.00000002.895547083.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000001E.00000002.490394408.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000002A.00000002.503393275.0000000000728000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.397292566.0000000000939000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000013.00000002.895386251.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000013.00000002.895386251.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000024.00000002.498086364.0000000002460000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000B.00000002.463353305.000000000232B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000B.00000002.463587041.0000000002480000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000001E.00000002.489953243.000000000240F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000020.00000002.509612718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000020.00000002.509612718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000029.00000002.507203480.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000005.00000002.453528210.00000000023BD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.397209073.0000000000850000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000001F.00000002.497982449.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000001F.00000002.497982449.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000001A.00000002.502966627.0000000002470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: BDC0.exe PID: 6912, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: BDC0.exe PID: 7044, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: BDC0.exe PID: 4248, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: BDC0.exe PID: 5484, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: BDC0.exe PID: 1516, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: BDC0.exe PID: 2900, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build3[1].exe, type: DROPPED	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build3[1].exe, type: DROPPED	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: C:\Users\user\AppData\Local\205aa591-8aa8-4e2c-a5b1-c9b7aaf860cf\build3.exe, type: DROPPED	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: C:\Users\user\AppData\Local\205aa591-8aa8-4e2c-a5b1-c9b7aaf860cf\build3.exe, type: DROPPED	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll, type: DROPPED	Matched rule: OlympicDestroyer Payload Author: kevoreilly
Source: C:\Users\user\AppData\Roaming\07c6bc37dc5087\cred64.dll, type: DROPPED	Matched rule: OlympicDestroyer Payload Author: kevoreilly
Source: C:\Users\user\AppData\Local\Temp\EB26.exe, type: DROPPED	Matched rule: Detects downloader / injector Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\223E.exe, type: DROPPED	Matched rule: Detects downloader / injector Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\4445.exe, type: DROPPED	Matched rule: Detects downloader / injector Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\78BB.exe, type: DROPPED	Matched rule: Detects downloader / injector Author: ditekSHen

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4724 -ip 4724

Source: C:\Users\user\Desktop\02107799.exe	Code function: 0_2_0041185E
Source: C:\Users\user\Desktop\02107799.exe	Code function: 0_2_00413261
Source: C:\Users\user\Desktop\02107799.exe	Code function: 0_2_0040A42A
Source: C:\Users\user\Desktop\02107799.exe	Code function: 0_2_0040C8E9
Source: C:\Users\user\Desktop\02107799.exe	Code function: 0_2_0041131A
Source: C:\Users\user\Desktop\02107799.exe	Code function: 0_2_00411DA2
Source: C:\Users\user\AppData\Roaming\cuwsgii	Code function: 4_2_0041185E
Source: C:\Users\user\AppData\Roaming\cuwsgii	Code function: 4_2_00413261
Source: C:\Users\user\AppData\Roaming\cuwsgii	Code function: 4_2_0040A42A
Source: C:\Users\user\AppData\Roaming\cuwsgii	Code function: 4_2_0040C8E9
Source: C:\Users\user\AppData\Roaming\cuwsgii	Code function: 4_2_0041131A
Source: C:\Users\user\AppData\Roaming\cuwsgii	Code function: 4_2_00411DA2
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	Code function: 5_2_004118DE
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	Code function: 5_2_0040A4AA
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	Code function: 5_2_0041251A
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	Code function: 5_2_004132E1
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	Code function: 5_2_0041139A

Source: XandETC.exe.20.dr

Static PE information: Number of sections : 11 > 10

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\205aa591-8aa8-4e2c-a5b1-c9b7aaf860cf\build2.exe C8B5119160D3301FC69657F1C23C8561E6290B953EC645298F436431D41BBD70

Source: 02107799.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 39.2.794C.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 39.2.794C.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 39.2.794C.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 31.2.BDC0.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 31.2.BDC0.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 31.2.BDC0.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 26.2.BDC0.exe.24715a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 26.2.BDC0.exe.24715a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 26.2.BDC0.exe.24715a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.2.BDC0.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 17.2.BDC0.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.2.BDC0.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 37.2.8DD2.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 37.2.8DD2.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 37.2.8DD2.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 31.2.BDC0.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 31.2.BDC0.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 31.2.BDC0.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 36.2.794C.exe.24615a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 36.2.794C.exe.24615a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 36.2.794C.exe.24615a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.2.BDC0.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 17.2.BDC0.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.2.BDC0.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 26.2.BDC0.exe.24715a0.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 26.2.BDC0.exe.24715a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 26.2.BDC0.exe.24715a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 18.2.BDC0.exe.24115a0.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 18.2.BDC0.exe.24115a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 18.2.BDC0.exe.24115a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 11.2.BDC0.exe.24815a0.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 11.2.BDC0.exe.24815a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 11.2.BDC0.exe.24815a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 19.2.BDC0.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 19.2.BDC0.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 19.2.BDC0.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.2.BDC0.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 6.2.BDC0.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.2.BDC0.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 30.2.946D.exe.24b15a0.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 30.2.946D.exe.24b15a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 30.2.946D.exe.24b15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 32.2.946D.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 32.2.946D.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 32.2.946D.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 19.2.BDC0.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 19.2.BDC0.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 19.2.BDC0.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 11.2.BDC0.exe.24815a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 11.2.BDC0.exe.24815a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 11.2.BDC0.exe.24815a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 18.2.BDC0.exe.24115a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 18.2.BDC0.exe.24115a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 18.2.BDC0.exe.24115a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.2.BDC0.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 6.2.BDC0.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.2.BDC0.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.2.BDC0.exe.25115a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 5.2.BDC0.exe.25115a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.2.BDC0.exe.25115a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 39.2.794C.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 39.2.794C.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 39.2.794C.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 33.2.8DD2.exe.25215a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 33.2.8DD2.exe.25215a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 33.2.8DD2.exe.25215a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 33.2.8DD2.exe.25215a0.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 33.2.8DD2.exe.25215a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 33.2.8DD2.exe.25215a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 37.2.8DD2.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 37.2.8DD2.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 37.2.8DD2.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 32.2.946D.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 32.2.946D.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 32.2.946D.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 36.2.794C.exe.24615a0.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 36.2.794C.exe.24615a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 36.2.794C.exe.24615a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 30.2.946D.exe.24b15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 30.2.946D.exe.24b15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 30.2.946D.exe.24b15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.2.BDC0.exe.25115a0.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 5.2.BDC0.exe.25115a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.2.BDC0.exe.25115a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 20.0.223E.exe.700000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector04 author = ditekSHen, description = Detects downloader / injector
Source: 00000029.00000002.507218040.0000000000830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000007.00000002.466741568.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000007.00000002.466859544.0000000000818000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000012.00000002.463532414.0000000002410000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000004.00000002.460136042.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000004.00000002.460449041.00000000022E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000021.00000002.506259651.000000000234D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.397201524.0000000000840000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000024.00000002.497942098.00000000023CD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.397221431.0000000000871000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000004.00000002.460185114.00000000007F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000005.00000002.453783695.0000000002510000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000012.00000002.463290987.0000000002349000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000025.00000002.507378893.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000025.00000002.507378893.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000025.00000002.507378893.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000001A.00000002.500648966.00000000022CF000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000021.00000002.508427363.0000000002520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000027.00000002.512282252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000027.00000002.512282252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000027.00000002.512282252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000029.00000002.507318867.0000000002321000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000004.00000002.460041377.00000000006E8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000029.00000002.507033636.00000000006B8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000006.00000002.461344715.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000006.00000002.461344715.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000006.00000002.461344715.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000011.00000002.895547083.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000011.00000002.895547083.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000011.00000002.895547083.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000001E.00000002.490394408.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000002A.00000002.503393275.0000000000728000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.397292566.0000000000939000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000013.00000002.895386251.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000013.00000002.895386251.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000013.00000002.895386251.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000024.00000002.498086364.0000000002460000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000B.00000002.463353305.000000000232B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000B.00000002.463587041.0000000002480000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000001E.00000002.489953243.000000000240F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000020.00000002.509612718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000020.00000002.509612718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000020.00000002.509612718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000029.00000002.507203480.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000005.00000002.453528210.00000000023BD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.397209073.0000000000850000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000001F.00000002.497982449.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 0000001F.00000002.497982449.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000001F.00000002.497982449.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000001A.00000002.502966627.0000000002470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: BDC0.exe PID: 6912, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: BDC0.exe PID: 7044, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: BDC0.exe PID: 4248, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: BDC0.exe PID: 5484, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: BDC0.exe PID: 1516, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: BDC0.exe PID: 2900, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build3[1].exe, type: DROPPED	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build3[1].exe, type: DROPPED	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: C:\Users\user\AppData\Local\205aa591-8aa8-4e2c-a5b1-c9b7aaf860cf\build3.exe, type: DROPPED	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: C:\Users\user\AppData\Local\205aa591-8aa8-4e2c-a5b1-c9b7aaf860cf\build3.exe, type: DROPPED	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll, type: DROPPED	Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
Source: C:\Users\user\AppData\Roaming\07c6bc37dc5087\cred64.dll, type: DROPPED	Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
Source: C:\Users\user\AppData\Local\Temp\EB26.exe, type: DROPPED	Matched rule: MALWARE_Win_DLInjector04 author = ditekSHen, description = Detects downloader / injector
Source: C:\Users\user\AppData\Local\Temp\223E.exe, type: DROPPED	Matched rule: MALWARE_Win_DLInjector04 author = ditekSHen, description = Detects downloader / injector
Source: C:\Users\user\AppData\Local\Temp\4445.exe, type: DROPPED	Matched rule: MALWARE_Win_DLInjector04 author = ditekSHen, description = Detects downloader / injector
Source: C:\Users\user\AppData\Local\Temp\78BB.exe, type: DROPPED	Matched rule: MALWARE_Win_DLInjector04 author = ditekSHen, description = Detects downloader / injector

Source: C:\Users\user\AppData\Local\Temp\BDC0.exe

Code function: String function: 00407404 appears 35 times

Source: C:\Users\user\Desktop\02107799.exe	Code function: 0_2_00401558 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\Desktop\02107799.exe	Code function: 0_2_00401749 NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\Desktop\02107799.exe	Code function: 0_2_00401564 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\Desktop\02107799.exe	Code function: 0_2_00401577 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\Desktop\02107799.exe	Code function: 0_2_00401523 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\Desktop\02107799.exe	Code function: 0_2_00401585 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\Desktop\02107799.exe	Code function: 0_2_0040158C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\Desktop\02107799.exe	Code function: 0_2_0040159A NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\AppData\Roaming\cuwsgii	Code function: 4_2_00401558 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\AppData\Roaming\cuwsgii	Code function: 4_2_00401749 NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\AppData\Roaming\cuwsgii	Code function: 4_2_00401564 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\AppData\Roaming\cuwsgii	Code function: 4_2_00401577 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\AppData\Roaming\cuwsgii	Code function: 4_2_00401523 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\AppData\Roaming\cuwsgii	Code function: 4_2_00401585 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\AppData\Roaming\cuwsgii	Code function: 4_2_0040158C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
Source: C:\Users\user\AppData\Roaming\cuwsgii	Code function: 4_2_0040159A NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,

Source: build2.exe.19.dr	Static PE information: Resource name: RT_VERSION type: Intel ia64 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: build2[1].exe.19.dr	Static PE information: Resource name: RT_VERSION type: Intel ia64 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: 02107799.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 946D.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: BDC0.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: AD22.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 8DD2.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 794C.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: DC0A.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: D789.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C45B.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: AFA6.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 110C.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ECED.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: F0C7.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 6A3D.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 740E.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 7439.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 5B59.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: cuwsgii.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: vwwsgii.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: BDC0.exe.6.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 02107799.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\cuwsgii

Jump to behavior

Source: classification engine

Classification label: mal100.rans.phis.troj.spyw.evad.winEXE@105/269@0/25

Source: C:\Windows\explorer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: 02107799.exe	ReversingLabs: Detection: 37%
Source: 02107799.exe	Virustotal: Detection: 42%

Source: C:\Users\user\Desktop\02107799.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\02107799.exe C:\Users\user\Desktop\02107799.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\cuwsgii C:\Users\user\AppData\Roaming\cuwsgii
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\BDC0.exe C:\Users\user\AppData\Local\Temp\BDC0.exe
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	Process created: C:\Users\user\AppData\Local\Temp\BDC0.exe C:\Users\user\AppData\Local\Temp\BDC0.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\AD22.exe C:\Users\user\AppData\Local\Temp\AD22.exe
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4724 -ip 4724
Source: unknown	Process created: C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8\BDC0.exe C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8\BDC0.exe --Task
Source: C:\Users\user\AppData\Local\Temp\AD22.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 520
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}
Source: C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8\BDC0.exe	Process created: C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8\BDC0.exe C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8\BDC0.exe --Task
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	Process created: C:\Users\user\AppData\Local\Temp\BDC0.exe "C:\Users\user\AppData\Local\Temp\BDC0.exe" --Admin IsNotAutoStart IsNotTask
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	Process created: C:\Users\user\AppData\Local\Temp\BDC0.exe "C:\Users\user\AppData\Local\Temp\BDC0.exe" --Admin IsNotAutoStart IsNotTask
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\223E.exe C:\Users\user\AppData\Local\Temp\223E.exe
Source: C:\Users\user\AppData\Local\Temp\223E.exe	Process created: C:\Users\user\AppData\Local\Temp\aafg31.exe "C:\Users\user\AppData\Local\Temp\aafg31.exe"
Source: C:\Users\user\AppData\Local\Temp\223E.exe	Process created: C:\Users\user\AppData\Local\Temp\NewPlayer.exe "C:\Users\user\AppData\Local\Temp\NewPlayer.exe"
Source: C:\Users\user\AppData\Local\Temp\NewPlayer.exe	Process created: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe "C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe"
Source: C:\Users\user\AppData\Local\Temp\223E.exe	Process created: C:\Users\user\AppData\Local\Temp\XandETC.exe "C:\Users\user\AppData\Local\Temp\XandETC.exe"
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe" /F
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8\BDC0.exe "C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8\BDC0.exe" --AutoStart
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "mnolyk.exe" /P "user:N"&&CACLS "mnolyk.exe" /P "user:R" /E&&echo Y\|CACLS "..\6d73a97b0c" /P "user:N"&&CACLS "..\6d73a97b0c" /P "user:R" /E&&Exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\946D.exe C:\Users\user\AppData\Local\Temp\946D.exe
Source: C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8\BDC0.exe	Process created: C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8\BDC0.exe "C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8\BDC0.exe" --AutoStart
Source: C:\Users\user\AppData\Local\Temp\946D.exe	Process created: C:\Users\user\AppData\Local\Temp\946D.exe C:\Users\user\AppData\Local\Temp\946D.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\8DD2.exe C:\Users\user\AppData\Local\Temp\8DD2.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cacls.exe CACLS "mnolyk.exe" /P "user:N"
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\794C.exe C:\Users\user\AppData\Local\Temp\794C.exe
Source: C:\Users\user\AppData\Local\Temp\8DD2.exe	Process created: C:\Users\user\AppData\Local\Temp\8DD2.exe C:\Users\user\AppData\Local\Temp\8DD2.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cacls.exe CACLS "mnolyk.exe" /P "user:R" /E
Source: C:\Users\user\AppData\Local\Temp\794C.exe	Process created: C:\Users\user\AppData\Local\Temp\794C.exe C:\Users\user\AppData\Local\Temp\794C.exe
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\DC0A.exe C:\Users\user\AppData\Local\Temp\DC0A.exe
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	Process created: C:\Users\user\AppData\Local\205aa591-8aa8-4e2c-a5b1-c9b7aaf860cf\build2.exe "C:\Users\user\AppData\Local\205aa591-8aa8-4e2c-a5b1-c9b7aaf860cf\build2.exe"
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\BDC0.exe C:\Users\user\AppData\Local\Temp\BDC0.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\AD22.exe C:\Users\user\AppData\Local\Temp\AD22.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\223E.exe C:\Users\user\AppData\Local\Temp\223E.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4724 -ip 4724
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\946D.exe C:\Users\user\AppData\Local\Temp\946D.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\8DD2.exe C:\Users\user\AppData\Local\Temp\8DD2.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\794C.exe C:\Users\user\AppData\Local\Temp\794C.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\DC0A.exe C:\Users\user\AppData\Local\Temp\DC0A.exe
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\794C.exe C:\Users\user\AppData\Local\Temp\794C.exe
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	Process created: C:\Users\user\AppData\Local\Temp\BDC0.exe C:\Users\user\AppData\Local\Temp\BDC0.exe
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4724 -ip 4724
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 520
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8\BDC0.exe "C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8\BDC0.exe" --AutoStart
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8\BDC0.exe	Process created: C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8\BDC0.exe C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8\BDC0.exe --Task
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	Process created: C:\Users\user\AppData\Local\Temp\BDC0.exe "C:\Users\user\AppData\Local\Temp\BDC0.exe" --Admin IsNotAutoStart IsNotTask
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	Process created: C:\Users\user\AppData\Local\205aa591-8aa8-4e2c-a5b1-c9b7aaf860cf\build2.exe "C:\Users\user\AppData\Local\205aa591-8aa8-4e2c-a5b1-c9b7aaf860cf\build2.exe"
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\223E.exe	Process created: C:\Users\user\AppData\Local\Temp\aafg31.exe "C:\Users\user\AppData\Local\Temp\aafg31.exe"
Source: C:\Users\user\AppData\Local\Temp\223E.exe	Process created: C:\Users\user\AppData\Local\Temp\NewPlayer.exe "C:\Users\user\AppData\Local\Temp\NewPlayer.exe"
Source: C:\Users\user\AppData\Local\Temp\223E.exe	Process created: C:\Users\user\AppData\Local\Temp\XandETC.exe "C:\Users\user\AppData\Local\Temp\XandETC.exe"
Source: C:\Users\user\AppData\Local\Temp\NewPlayer.exe	Process created: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe "C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe"
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe" /F
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "mnolyk.exe" /P "user:N"&&CACLS "mnolyk.exe" /P "user:R" /E&&echo Y\|CACLS "..\6d73a97b0c" /P "user:N"&&CACLS "..\6d73a97b0c" /P "user:R" /E&&Exit
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
Source: C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8\BDC0.exe	Process created: C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8\BDC0.exe "C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8\BDC0.exe" --AutoStart
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cacls.exe CACLS "mnolyk.exe" /P "user:N"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cacls.exe CACLS "mnolyk.exe" /P "user:R" /E
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\946D.exe	Process created: C:\Users\user\AppData\Local\Temp\946D.exe C:\Users\user\AppData\Local\Temp\946D.exe
Source: C:\Users\user\AppData\Local\Temp\8DD2.exe	Process created: C:\Users\user\AppData\Local\Temp\8DD2.exe C:\Users\user\AppData\Local\Temp\8DD2.exe
Source: C:\Users\user\AppData\Local\Temp\794C.exe	Process created: C:\Users\user\AppData\Local\Temp\794C.exe C:\Users\user\AppData\Local\Temp\794C.exe
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
Source: C:\Users\user\AppData\Local\205aa591-8aa8-4e2c-a5b1-c9b7aaf860cf\build2.exe	Process created: unknown unknown
Source: C:\Windows\System32\rundll32.exe	Process created: unknown unknown

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\InProcServer32

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\Temp\BDC0.tmp

Jump to behavior

Source: aafg31.exe, 00000015.00000003.809014287.0000020955CFA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT creation_utc,host_key,name,value,path,expires_utc,is_secure,is_httponly,last_access_utc,has_expires,is_persistent,priority,hex(encrypted_value) encrypted_value,samesite,source_scheme,source_port,is_same_party FROM cookies;0
Source: aafg31.exe, 00000015.00000002.963156667.0000020955A80000.00000040.00001000.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.928321825.0000020955550000.00000004.00001000.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.898715266.0000020953C70000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: aafg31.exe, 00000015.00000002.963156667.0000020955A80000.00000040.00001000.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.928321825.0000020955550000.00000004.00001000.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.898715266.0000020953C70000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: aafg31.exe, 00000015.00000002.963156667.0000020955A80000.00000040.00001000.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.928321825.0000020955550000.00000004.00001000.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.898715266.0000020953C70000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: aafg31.exe, 00000015.00000003.821863131.0000020955D46000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.852501349.0000020955D46000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.809014287.0000020955CFA000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.892118052.0000020955D54000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.871983191.0000020955D54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT creation_utc,host_key,name,value,path,expires_utc,is_secure,is_httponly,last_access_utc,has_expires,is_persistent,priority,hex(encrypted_value) encrypted_value,samesite,source_scheme,source_port,is_same_party FROM cookies;
Source: aafg31.exe, 00000015.00000002.963156667.0000020955A80000.00000040.00001000.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.928321825.0000020955550000.00000004.00001000.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.898715266.0000020953C70000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: aafg31.exe, 00000015.00000002.963156667.0000020955A80000.00000040.00001000.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.928321825.0000020955550000.00000004.00001000.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.898715266.0000020953C70000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: aafg31.exe, 00000015.00000002.963156667.0000020955A80000.00000040.00001000.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.928321825.0000020955550000.00000004.00001000.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.898715266.0000020953C70000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: aafg31.exe, 00000015.00000002.963156667.0000020955A80000.00000040.00001000.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.928321825.0000020955550000.00000004.00001000.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.898715266.0000020953C70000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: C:\Users\user\AppData\Local\Temp\223E.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\02107799.exe

Code function: 0_2_00940507 CreateToolhelp32Snapshot,Module32First,

Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe

Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main

Source: 223E.exe.1.dr, Stub/Program.cs	Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu'
Source: 4445.exe.1.dr, Stub/Program.cs	Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu'
Source: 78BB.exe.1.dr, Stub/Program.cs	Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu'
Source: EB26.exe.1.dr, Stub/Program.cs	Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu'

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4360:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	Mutant created: \Sessions\1\BaseNamedObjects\{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1280:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Mutant created: \Sessions\1\BaseNamedObjects\07c6bc37dc50874878dcb010336ed906
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4724
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:256:64:WilError_01

Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	Command line argument: T#0y
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	Command line argument: #"#
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	Command line argument: .d\|1
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	Command line argument: K[
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	Command line argument: kernel32.dll

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8\BDC0.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8\BDC0.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8\BDC0.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\aafg31.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\aafg31.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\aafg31.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8\BDC0.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8\BDC0.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\946D.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\946D.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\8DD2.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\8DD2.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\794C.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\794C.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\223E.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\Desktop\02107799.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: 02107799.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 02107799.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 02107799.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 02107799.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 02107799.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 02107799.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 02107799.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\widejasediboh-roxujixawe\yoj\vumeso-lix.pdb source: 02107799.exe, 00000000.00000000.371224251.0000000000401000.00000020.00000001.01000000.00000003.sdmp, cuwsgii, 00000004.00000000.442476877.0000000000401000.00000020.00000001.01000000.00000006.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: BDC0.exe, 00000005.00000002.453783695.0000000002510000.00000040.00001000.00020000.00000000.sdmp, BDC0.exe, 00000006.00000002.461344715.0000000000400000.00000040.00000400.00020000.00000000.sdmp, BDC0.exe, 0000000B.00000002.463587041.0000000002480000.00000040.00001000.00020000.00000000.sdmp, BDC0.exe, 00000011.00000002.895547083.0000000000400000.00000040.00000400.00020000.00000000.sdmp, BDC0.exe, 00000012.00000002.463532414.0000000002410000.00000040.00001000.00020000.00000000.sdmp, BDC0.exe, 00000013.00000002.895386251.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: P:\Target\x64\ship\groove\x-none\grooveex.pdbeex.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: explorer.exe, 00000001.00000000.395956328.00007FFA13021000.00000020.00000001.01000000.00000005.sdmp
Source:	Binary string: P:\Target\x64\ship\groove\x-none\grooveex.pdb source: explorer.exe, 00000001.00000000.395956328.00007FFA13021000.00000020.00000001.01000000.00000005.sdmp
Source:	Binary string: helppane.pdb source: 223E.exe, 00000014.00000002.513841779.00000000040C5000.00000004.00000800.00020000.00000000.sdmp, aafg31.exe, 00000015.00000000.472372573.00007FF6607D1000.00000020.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb source: 223E.exe, 00000014.00000002.513841779.00000000040C5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\huvuvig\juhohan\bamakexuvoni\vaxilil\javefi\5\liguvihahoca\suci.pdb source: explorer.exe, 00000001.00000003.451894424.0000000012E53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.451378243.000000001344F000.00000004.00000010.00020000.00000000.sdmp, BDC0.exe
Source:	Binary string: CGC:\huvuvig\juhohan\bamakexuvoni\vaxilil\javefi\5\liguvihahoca\suci.pdb source: explorer.exe, 00000001.00000003.451894424.0000000012E53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.451378243.000000001344F000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: BDC0.exe, 00000005.00000002.453783695.0000000002510000.00000040.00001000.00020000.00000000.sdmp, BDC0.exe, 00000006.00000002.461344715.0000000000400000.00000040.00000400.00020000.00000000.sdmp, BDC0.exe, 0000000B.00000002.463587041.0000000002480000.00000040.00001000.00020000.00000000.sdmp, BDC0.exe, 00000011.00000002.895547083.0000000000400000.00000040.00000400.00020000.00000000.sdmp, BDC0.exe, 00000012.00000002.463532414.0000000002410000.00000040.00001000.00020000.00000000.sdmp, BDC0.exe, 00000013.00000002.895386251.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: vCC:\widejasediboh-roxujixawe\yoj\vumeso-lix.pdb source: 02107799.exe, 00000000.00000000.371224251.0000000000401000.00000020.00000001.01000000.00000003.sdmp, cuwsgii, 00000004.00000000.442476877.0000000000401000.00000020.00000001.01000000.00000006.sdmp
Source:	Binary string: eex.pdb source: explorer.exe, 00000001.00000000.395956328.00007FFA13021000.00000020.00000001.01000000.00000005.sdmp
Source:	Binary string: )5C:\rusuxenalo\dutaz jale\puyenotak\tipibu.pdb source: explorer.exe, 00000001.00000003.455193216.0000000012CB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.455319120.0000000012E55000.00000004.00000001.00020000.00000000.sdmp, AD22.exe, 00000007.00000000.455578864.0000000000401000.00000020.00000001.01000000.00000009.sdmp
Source:	Binary string: C:\rusuxenalo\dutaz jale\puyenotak\tipibu.pdb source: explorer.exe, 00000001.00000003.455193216.0000000012CB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.455319120.0000000012E55000.00000004.00000001.00020000.00000000.sdmp, AD22.exe, 00000007.00000000.455578864.0000000000401000.00000020.00000001.01000000.00000009.sdmp

Data Obfuscation

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	Unpacked PE file: 6.2.BDC0.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8\BDC0.exe	Unpacked PE file: 17.2.BDC0.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	Unpacked PE file: 19.2.BDC0.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8\BDC0.exe	Unpacked PE file: 31.2.BDC0.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\946D.exe	Unpacked PE file: 32.2.946D.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\8DD2.exe	Unpacked PE file: 37.2.8DD2.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\794C.exe	Unpacked PE file: 39.2.794C.exe.400000.0.unpack

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\02107799.exe	Unpacked PE file: 0.2.02107799.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\cuwsgii	Unpacked PE file: 4.2.cuwsgii.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	Unpacked PE file: 6.2.BDC0.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\AD22.exe	Unpacked PE file: 7.2.AD22.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8\BDC0.exe	Unpacked PE file: 17.2.BDC0.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	Unpacked PE file: 19.2.BDC0.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8\BDC0.exe	Unpacked PE file: 31.2.BDC0.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\946D.exe	Unpacked PE file: 32.2.946D.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\8DD2.exe	Unpacked PE file: 37.2.8DD2.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\794C.exe	Unpacked PE file: 39.2.794C.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\DC0A.exe	Unpacked PE file: 41.2.DC0A.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:EW;

Source: C:\Users\user\Desktop\02107799.exe	Code function: 0_2_0040C6D7 push ebx; ret
Source: C:\Users\user\Desktop\02107799.exe	Code function: 0_2_00947287 push 6700D42Eh; retf
Source: C:\Users\user\Desktop\02107799.exe	Code function: 0_2_0094642F push 623D8A45h; retf
Source: C:\Users\user\AppData\Roaming\cuwsgii	Code function: 4_2_0040C6D7 push ebx; ret
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	Code function: 5_2_00407449 push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	Code function: 5_2_00403770 push ecx; mov dword ptr [esp], 00000000h
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	Code function: 5_2_023C00AF push ecx; retf
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	Code function: 5_2_023C39AC push 00000015h; ret

Source: C:\Users\user\AppData\Local\Temp\BDC0.exe

Code function: 5_2_0040D6B0 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,

Source: XandETC.exe.20.dr	Static PE information: section name: .xdata
Source: cred64[1].dll.23.dr	Static PE information: section name: _RDATA
Source: cred64.dll.23.dr	Static PE information: section name: _RDATA

Source: cred64[1].dll.23.dr	Static PE information: real checksum: 0x0 should be: 0x10ec1f
Source: build3[1].exe.19.dr	Static PE information: real checksum: 0x0 should be: 0x3ca6
Source: mnolyk.exe.22.dr	Static PE information: real checksum: 0x0 should be: 0x462b6
Source: NewPlayer.exe.20.dr	Static PE information: real checksum: 0x0 should be: 0x462b6
Source: 78BB.exe.1.dr	Static PE information: real checksum: 0x0 should be: 0x4e4913
Source: aafg31.exe.20.dr	Static PE information: real checksum: 0xfc51b should be: 0xfd56a
Source: 223E.exe.1.dr	Static PE information: real checksum: 0x0 should be: 0x4e4913
Source: cred64.dll.23.dr	Static PE information: real checksum: 0x0 should be: 0x10ec1f
Source: 4445.exe.1.dr	Static PE information: real checksum: 0x0 should be: 0x4e4913
Source: EB26.exe.1.dr	Static PE information: real checksum: 0x0 should be: 0x4e4913
Source: build3.exe.19.dr	Static PE information: real checksum: 0x0 should be: 0x3ca6

Source: initial sample	Static PE information: section name: .text entropy: 7.578116721772191
Source: initial sample	Static PE information: section name: .text entropy: 7.957132142496877
Source: initial sample	Static PE information: section name: .text entropy: 7.957132142496877
Source: initial sample	Static PE information: section name: .text entropy: 7.5847412014460565
Source: initial sample	Static PE information: section name: .text entropy: 7.956564628368373
Source: initial sample	Static PE information: section name: .text entropy: 7.956564628368373
Source: initial sample	Static PE information: section name: .text entropy: 7.5847412014460565
Source: initial sample	Static PE information: section name: .text entropy: 7.957132142496877
Source: initial sample	Static PE information: section name: .text entropy: 7.956564628368373
Source: initial sample	Static PE information: section name: .text entropy: 7.956564628368373
Source: initial sample	Static PE information: section name: .text entropy: 7.5847412014460565
Source: initial sample	Static PE information: section name: .text entropy: 7.957132142496877
Source: initial sample	Static PE information: section name: .text entropy: 7.956564628368373
Source: initial sample	Static PE information: section name: .text entropy: 7.5847412014460565
Source: initial sample	Static PE information: section name: .text entropy: 7.957132142496877
Source: initial sample	Static PE information: section name: .text entropy: 7.890261806957562
Source: initial sample	Static PE information: section name: .text entropy: 7.9249481955685654
Source: initial sample	Static PE information: section name: .text entropy: 7.578116721772191
Source: initial sample	Static PE information: section name: .text entropy: 7.5847412014460565
Source: initial sample	Static PE information: section name: .text entropy: 7.957132142496877

Persistence and Installation Behavior

Yara detected Amadey bot

Source: Yara match

File source: 00000017.00000003.507221089.0000000000877000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\cuwsgii			Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\vwwsgii			Jump to dropped file

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\cuwsgii	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\7439.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\110C.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\C45B.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\223E.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\AFA6.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\DC0A.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\78BB.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\6A3D.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	File created: C:\Users\user\AppData\Local\205aa591-8aa8-4e2c-a5b1-c9b7aaf860cf\build2.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\223E.exe	File created: C:\Users\user\AppData\Local\Temp\aafg31.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\946D.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\NewPlayer.exe	File created: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\4445.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\ECED.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\8DD2.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\D789.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	File created: C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8\BDC0.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	File created: C:\Users\user\AppData\Local\205aa591-8aa8-4e2c-a5b1-c9b7aaf860cf\build3.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\223E.exe	File created: C:\Users\user\AppData\Local\Temp\XandETC.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\EB26.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\5B59.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\BDC0.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\794C.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\223E.exe	File created: C:\Users\user\AppData\Local\Temp\NewPlayer.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\F0C7.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\vwwsgii	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	File created: C:\Users\user\AppData\Roaming\07c6bc37dc5087\cred64.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\740E.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\AD22.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build2[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build3[1].exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	File created: C:\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	File created: C:\Users\user\_readme.txt

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe" /F

Creates an undocumented autostart registry key

Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe

Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup

Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run SysHelper			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run SysHelper			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\02107799.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\cuwsgii:Zone.Identifier read attributes \| delete
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\vwwsgii:Zone.Identifier read attributes \| delete

Source: C:\Users\user\AppData\Local\Temp\BDC0.exe

Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8" /deny *S-1-1-0:(OI)(CI)(DE,DC)

Source: C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8\BDC0.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Local\Temp\223E.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\223E.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\223E.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\223E.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\223E.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\223E.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\223E.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\223E.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\223E.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\223E.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\223E.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\223E.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\223E.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\223E.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\NewPlayer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\946D.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\946D.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\946D.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\946D.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\946D.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\946D.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\946D.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\946D.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\946D.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\946D.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\946D.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\946D.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\8DD2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\8DD2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\8DD2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\8DD2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\794C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\794C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\794C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\794C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\794C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\794C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\794C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\794C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\794C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\794C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\794C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\794C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 223E.exe, 00000014.00000000.468302885.0000000000702000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: SBIEDLL.DLL/
Source: 02107799.exe, 00000000.00000002.397249500.000000000092A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ASWHOOKF

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\02107799.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\02107799.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\02107799.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\02107799.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\02107799.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\02107799.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\cuwsgii	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\cuwsgii	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\cuwsgii	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\cuwsgii	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\cuwsgii	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\cuwsgii	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\DC0A.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\DC0A.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\DC0A.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\DC0A.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\DC0A.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\DC0A.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI

Source: C:\Windows\explorer.exe TID: 3772	Thread sleep time: -58800s >= -30000s
Source: C:\Windows\explorer.exe TID: 1980	Thread sleep time: -42100s >= -30000s
Source: C:\Windows\explorer.exe TID: 3688	Thread sleep time: -900000s >= -30000s
Source: C:\Windows\explorer.exe TID: 4600	Thread sleep time: -47400s >= -30000s
Source: C:\Windows\explorer.exe TID: 400	Thread sleep time: -55200s >= -30000s
Source: C:\Windows\explorer.exe TID: 6720	Thread sleep time: -41500s >= -30000s
Source: C:\Windows\explorer.exe TID: 6680	Thread sleep time: -47500s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe TID: 2332	Thread sleep time: -1200000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\223E.exe TID: 4968	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\aafg31.exe TID: 2452	Thread sleep count: 46 > 30
Source: C:\Users\user\AppData\Local\Temp\aafg31.exe TID: 2452	Thread sleep time: -46000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\aafg31.exe TID: 2452	Thread sleep time: -900000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe TID: 6948	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe TID: 1252	Thread sleep time: -50000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe TID: 6784	Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe TID: 5064	Thread sleep time: -360000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe TID: 6784	Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe TID: 6948	Thread sleep time: -30000s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\aafg31.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\aafg31.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	Thread delayed: delay time: 1200000
Source: C:\Users\user\AppData\Local\Temp\223E.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\aafg31.exe	Thread delayed: delay time: 300000
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Thread delayed: delay time: 360000
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Thread delayed: delay time: 180000

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 410
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 588
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 421
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 474
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 552
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 415
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 475
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 711
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 745

Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7439.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\205aa591-8aa8-4e2c-a5b1-c9b7aaf860cf\build3.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\5B59.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build3[1].exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\BDC0.exe

Code function: 5_2_023BE71C rdtsc

Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	Thread delayed: delay time: 1200000
Source: C:\Users\user\AppData\Local\Temp\223E.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\aafg31.exe	Thread delayed: delay time: 300000
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Thread delayed: delay time: 50000
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Thread delayed: delay time: 360000
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Thread delayed: delay time: 30000

Source: C:\Users\user\AppData\Local\Temp\BDC0.exe

Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\Videos\desktop.ini
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\Music\desktop.ini
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\Searches\desktop.ini
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local

Source: explorer.exe, 00000001.00000000.388639986.0000000008631000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000001.00000000.382909770.000000000091F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000000.388639986.00000000086E7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i
Source: explorer.exe, 00000001.00000000.388639986.00000000086E7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: 223E.exe, 00000014.00000000.468302885.0000000000702000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: vmware
Source: BDC0.exe, 00000006.00000002.461754674.0000000000653000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}oy
Source: explorer.exe, 00000001.00000000.383501675.00000000043B0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: BDC0.exe, 00000006.00000002.461754674.0000000000660000.00000004.00000020.00020000.00000000.sdmp, BDC0.exe, 00000011.00000002.897516846.0000000000613000.00000004.00000020.00020000.00000000.sdmp, BDC0.exe, 00000011.00000003.466616880.0000000000613000.00000004.00000020.00020000.00000000.sdmp, BDC0.exe, 00000011.00000002.897516846.0000000000568000.00000004.00000020.00020000.00000000.sdmp, BDC0.exe, 00000013.00000002.912417927.0000000000868000.00000004.00000020.00020000.00000000.sdmp, BDC0.exe, 00000013.00000003.464201683.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, BDC0.exe, 00000013.00000002.912417927.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.574580170.0000020953BEF000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.518091220.0000020953BEF000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.527562190.0000020953BEF000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.493686172.0000020953BEF000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000001.00000000.388639986.00000000086E7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: 223E.exe, 00000014.00000000.468302885.0000000000702000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: DetectVirtualMachine
Source: 223E.exe, 00000014.00000000.468302885.0000000000702000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: <Module>power.exeProgramStubWriterRunnerRunTimeAntiAntismscorlibSystemObjectdelaydelayTimeantiVMantiSandboxantiDebugantiEmulatorenablePersistenceenableFakeErrorencryptTypecompressedcversSystem.Collections.GenericList`1fileNamesfileTypesfileRunTypesfileDropPathsMainDecompressEncryptOrDecryptXORDecryptEncryptInitalizeIEnumerable`1EncryptOutputSwapGetResourceRunOnStartup.ctorWriteAllBytesExecuteDetectVirtualMachineGetModuleHandleDetectSandboxieCheckRemoteDebuggerPresentDetectDebuggerCheckEmulatordatatextkeysijfileregNameAppPathHidefileBytesfinalPathpathrunTypelpModuleNamehProcessisDebuggerPresentSystem.ReflectionAssemblyTitleAttributeAssemblyDescriptionAttributeAssemblyCompanyAttributeAssemblyProductAttributeAssemblyCopyrightAttributeAssemblyTrademarkAttributeAssemblyFileVersionAttributeAssemblyVersionAttributeSystem.Runtime.InteropServicesComVisibleAttributeGuidAttributeSystem.Runtime.CompilerServicesCompilationRelaxationsAttributeRuntimeCompatibilityAttributepowerEnvironmentExitSystem.ThreadingThreadSleepget_ItemStringop_EqualitySystem.TextEncodingget_UnicodeGetBytesConcatSystem.IOPathCombineget_CountMemoryStreamSystem.IO.CompressionDeflateStreamStreamCompressionModeCopyToIDisposableDisposeToArrayByteSystem.CoreSystem.LinqEnumerable<EncryptInitalize>b__0Func`2CS$<>9__CachedAnonymousMethodDelegate1CompilerGeneratedAttributeRangeSelect<>c__DisplayClass3<EncryptOutput>b__2bAssemblyGetExecutingAssemblySystem.ResourcesResourceManagerGetObjectAppDomainget_CurrentDomainget_FriendlyNameFileExistsGetEntryAssemblyget_Locationop_InequalityCopyFileAttributesGetAttributesSetAttributesMicrosoft.Win32RegistryRegistryKeyLocalMachineget_UTF8GetStringOpenSubKeySetValueCurrentUserException.cctorConvertFromBase64StringAddGetTempPathSystem.DiagnosticsProcessProcessStartInfoget_StartInfoset_FileNameStartSystem.ManagementManagementObjectSearcherManagementObjectCollectionGetManagementObjectEnumeratorGetEnumeratorManagementBaseObjectget_CurrentToStringToLowerToUpperInvariantContainsMoveNextDllImportAttributekernel32.dllIntPtrToInt32GetCurrentProcessget_HandleDateTimeget_Nowget_Ticksu3g1msyl5i1.resources
Source: BDC0.exe, 00000006.00000002.461754674.0000000000653000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: BDC0.exe, 00000006.00000002.461754674.0000000000622000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`
Source: explorer.exe, 00000001.00000000.388639986.0000000008631000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

Source: C:\Users\user\Desktop\02107799.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\02107799.exe

System information queried: ModuleInformation

Source: C:\Windows\System32\rundll32.exe

File Volume queried: C:\ FullSizeInformation

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Desktop\02107799.exe	System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Roaming\cuwsgii	System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Local\Temp\DC0A.exe	System information queried: CodeIntegrityInformation

Source: C:\Users\user\AppData\Local\Temp\BDC0.exe

Source: C:\Users\user\Desktop\02107799.exe	Code function: 0_2_00840D90 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\02107799.exe	Code function: 0_2_0084092B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\02107799.exe	Code function: 0_2_0093FDE4 push dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\cuwsgii	Code function: 4_2_007E092B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\cuwsgii	Code function: 4_2_007E0D90 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	Code function: 5_2_023BD0A3 push dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\02107799.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\cuwsgii	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\DC0A.exe	Process queried: DebugPort

Source: C:\Users\user\AppData\Local\Temp\BDC0.exe

Code function: 5_2_0040533B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

Source: C:\Users\user\AppData\Local\Temp\BDC0.exe

Code function: 5_2_023BE71C rdtsc

Source: C:\Users\user\AppData\Local\Temp\223E.exe

Memory allocated: page read and write | page guard

Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	Code function: 5_2_004084CF SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	Code function: 5_2_0040D9F8 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind,
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	Code function: 5_2_0040533B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	Code function: 5_2_004063C4 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 123.140.161.243 80
Source: C:\Windows\explorer.exe	Network Connect: 80.66.203.53 443
Source: C:\Windows\System32\rundll32.exe	Network Connect: 45.9.74.80 80
Source: C:\Windows\explorer.exe	Network Connect: 217.174.148.28 443
Source: C:\Windows\explorer.exe	Network Connect: 175.119.10.231 80
Source: C:\Windows\explorer.exe	Network Connect: 188.114.97.7 80
Source: C:\Windows\explorer.exe	Network Connect: 211.40.39.251 80
Source: C:\Windows\explorer.exe	Network Connect: 211.171.233.129 80
Source: C:\Windows\explorer.exe	Network Connect: 188.114.96.7 80
Source: C:\Windows\explorer.exe	Network Connect: 211.119.84.112 80
Source: C:\Windows\explorer.exe	Network Connect: 183.100.39.157 80
Source: C:\Windows\explorer.exe	Network Connect: 80.210.25.252 80
Source: C:\Windows\explorer.exe	Network Connect: 222.236.49.123 80
Source: C:\Windows\explorer.exe	Network Connect: 194.180.48.90 80
Source: C:\Windows\explorer.exe	Network Connect: 222.236.49.124 80

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: 946D.exe.1.dr

Jump to dropped file

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\02107799.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\Desktop\02107799.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Roaming\cuwsgii	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Roaming\cuwsgii	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Local\Temp\DC0A.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Local\Temp\DC0A.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	Memory written: C:\Users\user\AppData\Local\Temp\BDC0.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8\BDC0.exe	Memory written: C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8\BDC0.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	Memory written: C:\Users\user\AppData\Local\Temp\BDC0.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8\BDC0.exe	Memory written: C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8\BDC0.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\946D.exe	Memory written: C:\Users\user\AppData\Local\Temp\946D.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\8DD2.exe	Memory written: C:\Users\user\AppData\Local\Temp\8DD2.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\794C.exe	Memory written: C:\Users\user\AppData\Local\Temp\794C.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\205aa591-8aa8-4e2c-a5b1-c9b7aaf860cf\build2.exe	Memory written: C:\Users\user\AppData\Local\205aa591-8aa8-4e2c-a5b1-c9b7aaf860cf\build2.exe base: 400000 value starts with: 4D5A

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\02107799.exe	Thread created: C:\Windows\explorer.exe EIP: 5331B14
Source: C:\Users\user\AppData\Roaming\cuwsgii	Thread created: unknown EIP: 6151B14
Source: C:\Users\user\AppData\Local\Temp\DC0A.exe	Thread created: unknown EIP: 61719C0

Sample uses process hollowing technique

Source: C:\Users\user\AppData\Local\205aa591-8aa8-4e2c-a5b1-c9b7aaf860cf\build2.exe

Section unmapped: unknown base address: 400000

Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	Process created: C:\Users\user\AppData\Local\Temp\BDC0.exe C:\Users\user\AppData\Local\Temp\BDC0.exe
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4724 -ip 4724
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 520
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8\BDC0.exe "C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8\BDC0.exe" --AutoStart
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8\BDC0.exe	Process created: C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8\BDC0.exe C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8\BDC0.exe --Task
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	Process created: C:\Users\user\AppData\Local\Temp\BDC0.exe "C:\Users\user\AppData\Local\Temp\BDC0.exe" --Admin IsNotAutoStart IsNotTask
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	Process created: C:\Users\user\AppData\Local\205aa591-8aa8-4e2c-a5b1-c9b7aaf860cf\build2.exe "C:\Users\user\AppData\Local\205aa591-8aa8-4e2c-a5b1-c9b7aaf860cf\build2.exe"
Source: C:\Users\user\AppData\Local\Temp\BDC0.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\223E.exe	Process created: C:\Users\user\AppData\Local\Temp\aafg31.exe "C:\Users\user\AppData\Local\Temp\aafg31.exe"
Source: C:\Users\user\AppData\Local\Temp\223E.exe	Process created: C:\Users\user\AppData\Local\Temp\NewPlayer.exe "C:\Users\user\AppData\Local\Temp\NewPlayer.exe"
Source: C:\Users\user\AppData\Local\Temp\223E.exe	Process created: C:\Users\user\AppData\Local\Temp\XandETC.exe "C:\Users\user\AppData\Local\Temp\XandETC.exe"
Source: C:\Users\user\AppData\Local\Temp\NewPlayer.exe	Process created: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe "C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe"
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe" /F
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "mnolyk.exe" /P "user:N"&&CACLS "mnolyk.exe" /P "user:R" /E&&echo Y\|CACLS "..\6d73a97b0c" /P "user:N"&&CACLS "..\6d73a97b0c" /P "user:R" /E&&Exit
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
Source: C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8\BDC0.exe	Process created: C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8\BDC0.exe "C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8\BDC0.exe" --AutoStart
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cacls.exe CACLS "mnolyk.exe" /P "user:N"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cacls.exe CACLS "mnolyk.exe" /P "user:R" /E
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\946D.exe	Process created: C:\Users\user\AppData\Local\Temp\946D.exe C:\Users\user\AppData\Local\Temp\946D.exe
Source: C:\Users\user\AppData\Local\Temp\8DD2.exe	Process created: C:\Users\user\AppData\Local\Temp\8DD2.exe C:\Users\user\AppData\Local\Temp\8DD2.exe
Source: C:\Users\user\AppData\Local\Temp\794C.exe	Process created: C:\Users\user\AppData\Local\Temp\794C.exe C:\Users\user\AppData\Local\Temp\794C.exe
Source: C:\Users\user\AppData\Local\205aa591-8aa8-4e2c-a5b1-c9b7aaf860cf\build2.exe	Process created: unknown unknown
Source: C:\Windows\System32\rundll32.exe	Process created: unknown unknown

Source: explorer.exe, 00000001.00000000.384440340.0000000005910000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.388639986.00000000086B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.383063630.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000001.00000000.383063630.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: uProgram Manager*r
Source: explorer.exe, 00000001.00000000.383063630.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000001.00000000.383063630.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000001.00000000.382909770.0000000000878000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ProgmanLoc*U

Source: C:\Users\user\AppData\Local\Temp\BDC0.exe

Code function: GetLocaleInfoA,

Source: C:\Users\user\AppData\Local\Temp\223E.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\223E.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Queries volume information: C:\Users\user\AppData\Roaming\07c6bc37dc5087\cred64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Queries volume information: C:\Users\user\AppData\Roaming\07c6bc37dc5087\cred64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Queries volume information: C:\Users\user\AppData\Roaming\07c6bc37dc5087\clip64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Queries volume information: C:\Users\user\AppData\Roaming\07c6bc37dc5087\clip64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212_Desktop.tar VolumeInformation

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\AppData\Local\Temp\BDC0.exe

Code function: 5_2_0040963C GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

Source: C:\Users\user\AppData\Local\Temp\BDC0.exe

Source: C:\Users\user\AppData\Local\Temp\8DD2.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 23.0.mnolyk.exe.60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.0.NewPlayer.exe.ff0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.223E.exe.42def90.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.0.mnolyk.exe.60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.mnolyk.exe.60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.NewPlayer.exe.ff0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.223E.exe.42def90.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.223E.exe.41b2f50.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002C.00000002.513002003.0000000000061000.00000020.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.513841779.00000000040C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.475587099.0000000000061000.00000020.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000000.473283405.0000000000FF1000.00000020.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000000.492656572.0000000000061000.00000020.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.476001535.0000000000FF1000.00000020.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\NewPlayer.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\07c6bc37dc5087\cred64.dll, type: DROPPED

Yara detected SmokeLoader

Source: Yara match	File source: 00000029.00000002.507218040.0000000000830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.460449041.00000000022E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.397221431.0000000000871000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.460185114.00000000007F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.507318867.0000000002321000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.397209073.0000000000850000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Amadey bot

Source: Yara match

File source: 00000017.00000003.507221089.0000000000877000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Yara detected Clipboard Hijacker

Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build3[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\205aa591-8aa8-4e2c-a5b1-c9b7aaf860cf\build3.exe, type: DROPPED

Yara detected Vidar stealer

Source: Yara match	File source: 42.2.build2.exe.22f15a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.build2.exe.22f15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002A.00000002.506376694.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Comodo\Dragon\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\CocCoc\Browser\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Orbitum\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Vivaldi\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\aafg31.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Chromium\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\CentBrowser\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Chedot\User Data\Default\Login Data

Tries to harvest and steal ftp login credentials

Source: C:\Windows\System32\rundll32.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml

Tries to steal Instant Messenger accounts or passwords

Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Roaming.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Windows\System32\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Windows\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8827.22055.0_x64__8wekyb3d8bbwe\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Program Files (x86)\QVrytdPZBUYdNiJYnLHPsczRRlbAXAwNbblqFiidIkjwqdwG\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Temp\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Temp\6d73a97b0c\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Windows\SysWOW64\.purple\accounts.xml

Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\07c6bc37dc5087\cred64.dll, type: DROPPED

Remote Access Functionality

Yara detected SmokeLoader

Source: Yara match	File source: 00000029.00000002.507218040.0000000000830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.460449041.00000000022E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.397221431.0000000000871000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.460185114.00000000007F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.507318867.0000000002321000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.397209073.0000000000850000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Vidar stealer

Source: Yara match	File source: 42.2.build2.exe.22f15a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.build2.exe.22f15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002A.00000002.506376694.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	1 Scheduled Task/Job	512 Process Injection	1 Disable or Modify Tools	2 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	2 Data Encrypted for Impact
Default Accounts	1 Native API	11 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	1 Deobfuscate/Decode Files or Information	1 Input Capture	3 File and Directory Discovery	Remote Desktop Protocol	2 Data from Local System	Exfiltration Over Bluetooth	1 Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Shared Modules	1 Services File Permissions Weakness	11 Registry Run Keys / Startup Folder	31 Obfuscated Files or Information	1 Credentials in Registry	26 System Information Discovery	SMB/Windows Admin Shares	1 Input Capture	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	1 Exploitation for Client Execution	Logon Script (Mac)	1 Services File Permissions Weakness	22 Software Packing	1 Credentials In Files	1 Query Registry	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	2 Command and Scripting Interpreter	Network Logon Script	Network Logon Script	1 File Deletion	LSA Secrets	441 Security Software Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	1 Scheduled Task/Job	Rc.common	Rc.common	11 Masquerading	Cached Domain Credentials	131 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	131 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	512 Process Injection	Proc Filesystem	1 Application Window Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Hidden Files and Directories	/etc/passwd and /etc/shadow	1 Remote System Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	1 Services File Permissions Weakness	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	1 Rundll32	Input Capture	Permission Groups Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Link
02107799.exe	38%	ReversingLabs
02107799.exe	42%	Virustotal	Browse
02107799.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll	100%	Avira	HEUR/AGEN.1301090
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build3[1].exe	100%	Avira	TR/Crypt.XPACK.Gen8
C:\Users\user\AppData\Local\Temp\223E.exe	100%	Avira	HEUR/AGEN.1357339
C:\Users\user\AppData\Local\Temp\4445.exe	100%	Avira	HEUR/AGEN.1357339
C:\Users\user\AppData\Local\205aa591-8aa8-4e2c-a5b1-c9b7aaf860cf\build3.exe	100%	Avira	TR/Crypt.XPACK.Gen8
C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	100%	Avira	HEUR/AGEN.1319380
C:\Users\user\AppData\Local\Temp\5B59.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\6A3D.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8\BDC0.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\205aa591-8aa8-4e2c-a5b1-c9b7aaf860cf\build2.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\110C.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build2[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\223E.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\4445.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\205aa591-8aa8-4e2c-a5b1-c9b7aaf860cf\build2.exe	87%	ReversingLabs	Win32.Trojan.Smokeloader
C:\Users\user\AppData\Local\205aa591-8aa8-4e2c-a5b1-c9b7aaf860cf\build3.exe	88%	ReversingLabs	Win32.Trojan.ClipBanker
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build2[1].exe	87%	ReversingLabs	Win32.Trojan.Smokeloader
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\build3[1].exe	88%	ReversingLabs	Win32.Trojan.ClipBanker
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll	83%	ReversingLabs	Win64.Trojan.Amadey
C:\Users\user\AppData\Local\Temp\223E.exe	70%	ReversingLabs	ByteCode-MSIL.Trojan.Smokeloader
C:\Users\user\AppData\Local\Temp\4445.exe	70%	ReversingLabs	ByteCode-MSIL.Trojan.Smokeloader
C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe	88%	ReversingLabs	Win32.Trojan.Privateloader
C:\Users\user\AppData\Local\Temp\7439.exe	43%	ReversingLabs
C:\Users\user\AppData\Local\Temp\78BB.exe	70%	ReversingLabs	ByteCode-MSIL.Trojan.Smokeloader
C:\Users\user\AppData\Local\Temp\794C.exe	71%	ReversingLabs	Win32.Trojan.Smokeloader
C:\Users\user\AppData\Local\Temp\8DD2.exe	71%	ReversingLabs	Win32.Trojan.Smokeloader
C:\Users\user\AppData\Local\Temp\AFA6.exe	71%	ReversingLabs	Win32.Trojan.Smokeloader
C:\Users\user\AppData\Local\Temp\C45B.exe	71%	ReversingLabs	Win32.Trojan.Smokeloader
C:\Users\user\AppData\Local\Temp\EB26.exe	70%	ReversingLabs	ByteCode-MSIL.Trojan.Smokeloader
C:\Users\user\AppData\Local\Temp\F0C7.exe	71%	ReversingLabs	Win32.Trojan.Smokeloader
C:\Users\user\AppData\Local\Temp\NewPlayer.exe	88%	ReversingLabs	Win32.Trojan.Privateloader
C:\Users\user\AppData\Local\Temp\XandETC.exe	73%	ReversingLabs	Win64.Coinminer.Xmrig
C:\Users\user\AppData\Local\Temp\aafg31.exe	33%	ReversingLabs	Win64.Trojan.Generic
C:\Users\user\AppData\Roaming\07c6bc37dc5087\cred64.dll	83%	ReversingLabs	Win64.Trojan.Amadey
C:\Users\user\AppData\Roaming\cuwsgii	38%	ReversingLabs

Source	Detection	Scanner	Label
http://components.groove.net/Groove/Components/SystemComponents/SystemComponents.osd?Package=net.gro	0%	URL Reputation	safe
http://jp.imgjeoighw.com/sts/image.jpg	0%	URL Reputation	safe
http://colisumy.com/dl/build2.exe$run	100%	URL Reputation	malware
http://ss.apjeoighw.com/	0%	URL Reputation	safe
http://zexeq.com/files/1/build3.exe$run	100%	URL Reputation	malware
http://zexeq.com/raud/get.php	100%	URL Reputation	malware
http://kingpirate.ru/tmp/	0%	URL Reputation	safe
http://components.groove.net/Groove/Components/Root.osd?Package=net.groove.Groove.Tools.System.Groov	0%	URL Reputation	safe
http://zexeq.com/raud/get.php?pid=903E7F261711F85395E5CEFBF4173C544.	100%	Avira URL Cloud	malware
http://ss.apjeoighw.com/check/safe	0%	URL Reputation	safe
http://colisumy.com/dl/build2.exe	100%	URL Reputation	malware
http://ss.apjeoighw.com:80/check/?sid=437284&key=c4d583a983211d53f326aa000dca4127MjIzMSIsICJ1bl9wd2Q	0%	Avira URL Cloud	safe
http://ss.apjeoighw.com/check/?sid=437284&key=c4d583a983211d53f326aa000dca4127	0%	Avira URL Cloud	safe
http://zexeq.com/raud/get.phpL	100%	Avira URL Cloud	malware
http://www.wikipedia.com/	0%	URL Reputation	safe
http://zexeq.com/files/1/build3.exe	0%	URL Reputation	safe
http://wuc11.com/tmp/	0%	Avira URL Cloud	safe
http://45.9.74.80/0bjds.apjeoighw.com/	100%	Avira URL Cloud	malware
http://ss.apjeoighw.com/check/?sid=437114&key=556b8e8f2c0037a585c40888436f6c33f	0%	Avira URL Cloud	safe
http://ss.apjeoighw.com/check/?sid=436898&key=31b04f4e86a5030e55172a3ce21438a6f	0%	Avira URL Cloud	safe
http://zexeq.com/raud/get.php?pid=903E7F261711F85395E5CEFBF4173C54&first=truey	100%	Avira URL Cloud	malware
http://colisumy.com/dl/build2.exerun417	100%	Avira URL Cloud	malware
http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error	0%	Avira URL Cloud	safe
http://colisumy.com/dl/build2.exe/p	100%	Avira URL Cloud	malware
http://ss.apjeoighw.com/check/safeS	0%	Avira URL Cloud	safe
http://ss.apjeoighw.com/check/?sid=437232&key=35a897019d4d6b7304232007313f15f2	0%	Avira URL Cloud	safe
45.9.74.80/0bjdn2Z/index.php	100%	Avira URL Cloud	malware
http://zexeq.com/files/1/build3.exerun	100%	Avira URL Cloud	malware
https://we.tl/t-tnzomMj6	0%	Avira URL Cloud	safe
http://ss.apjeoighw.com/check/safe13f15f2	0%	Avira URL Cloud	safe
http://colisumy.com/dlget.php?pid=903E7F261711F85395E5CEFBF4173C54	100%	Avira URL Cloud	malware
http://ss.apjeoighw.com/check/?sid=437712&key=e0936dbb5215a1cc85afbf7dbb62727d	0%	Avira URL Cloud	safe
http://ss.apjeoighw.com:80/check/?sid=436898&key=31b04f4e86a5030e55172a3ce21438a6	0%	Avira URL Cloud	safe
http://zexeq.com/files/1/build3.exe$runyinstall020921_delay721_sec.exe0	100%	Avira URL Cloud	malware
http://ss.apjeoighw.com:80/check/safe	0%	Avira URL Cloud	safe
http://ss.apjeoighw.com:80/check/?sid=437058&key=7c45c7b8ba54fad24dbc26b647ebd1bc	0%	Avira URL Cloud	safe
http://zexeq.com/files/1/build3.exe$rung	100%	Avira URL Cloud	malware
http://ss.apjeoighw.com/check/safe1B	0%	Avira URL Cloud	safe
http://45.9.74.80/0bjds.apjeoighw.com/check/?sid=436838&key=0f2526fc923d8a6ab4c43d0a56a5696e	100%	Avira URL Cloud	malware
http://ss.apjeoighw.com:80/check/?sid=437114&key=556b8e8f2c0037a585c40888436f6c335	0%	Avira URL Cloud	safe
http://zexeq.com/files/1/build3.exe$runP	100%	Avira URL Cloud	malware
http://zexeq.com/raud/get.phpep	100%	Avira URL Cloud	malware
http://ss.apjeoighw.com:80/check/safeD	0%	Avira URL Cloud	safe
https://we.tl/t-tnzomMj6$	0%	Avira URL Cloud	safe
http://ladogatur.ru/tmp/	0%	Avira URL Cloud	safe
http://ss.apjeoighw.com/check/?sid=437058&key=7c45c7b8ba54fad24dbc26b647ebd1bcf	0%	Avira URL Cloud	safe
http://toobussy.com/tmp/	100%	Avira URL Cloud	malware
https://we.tl/t-tnzomMj6HU	0%	Avira URL Cloud	safe
http://zexeq.com/raud/get.php?pid=903E7F261711F85395E5CEFBF4173C54&first=trueb	100%	Avira URL Cloud	malware
http://zexeq.com/raud/get.php?pid=903E7F261711F85395E5CEFBF4173C54	100%	Avira URL Cloud	malware

Name	Malicious	Antivirus Detection	Reputation
https://t.me/looking_glassbot	false		high
http://wuc11.com/tmp/	true	Avira URL Cloud: safe	unknown
http://zexeq.com/raud/get.php	true	URL Reputation: malware	unknown
45.9.74.80/0bjdn2Z/index.php	true	Avira URL Cloud: malware	low
https://steamcommunity.com/profiles/76561199508624021	false		high
http://kingpirate.ru/tmp/	true	URL Reputation: safe	unknown
http://toobussy.com/tmp/	true	Avira URL Cloud: malware	unknown
http://ladogatur.ru/tmp/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://45.9.74.80/0bjds.apjeoighw.com/	aafg31.exe, 00000015.00000003.747091320.0000020955D07000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.785925314.0000020955D0E000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.872189879.0000020955D0E000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.802910134.0000020955D0E000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.847680947.0000020955D0E000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.747762577.0000020955D10000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.679386130.0000020953C59000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.839605379.0000020955D12000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.764921022.0000020955D12000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://zexeq.com/raud/get.php?pid=903E7F261711F85395E5CEFBF4173C544.	BDC0.exe, 00000011.00000002.897516846.00000000005B4000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://static.xx.fbcdn.net/rsrc.php/v3/yn/r/A-4As8UDAZ8.js?_nc_x=Ij3Wp8lg5Kz	aafg31.exe, 00000015.00000003.871483645.0000020955D5B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661860603.0000020955D4B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.682406444.0000020955D44000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.682234652.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.610458087.0000020955D0D000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661265412.0000020955D14000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.725252342.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.727653565.0000020955D47000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.726734363.0000020955D43000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.748027526.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.608542388.0000020955D2B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.869877378.0000020955C11000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.609917388.0000020955D07000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661265412.0000020955D4B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.587487365.0000020955D3F000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.746443120.0000020955D95000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.891215691.0000020955C11000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.610990462.0000020955D0F000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.892118052.0000020955D54000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.746443120.0000020955D4A000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.727362332.0000020955D46000.00000004.00000020.00020000.00000000.sdmp	false		high
http://zexeq.com/raud/get.phpL	BDC0.exe, 00000011.00000002.897516846.0000000000613000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://ss.apjeoighw.com/check/?sid=437284&key=c4d583a983211d53f326aa000dca4127	aafg31.exe, 00000015.00000003.785925314.0000020955D0E000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.802910134.0000020955D0E000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.847680947.0000020955D0E000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.839605379.0000020955D12000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.764921022.0000020955D12000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://static.xx.fbcdn.net/rsrc.php/v3/y-/l/0	aafg31.exe, 00000015.00000003.727362332.0000020955D46000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661661754.0000020955D07000.00000004.00000020.00020000.00000000.sdmp	false		high
https://static.xx.fbcdn.net/rsrc.php/v3/y4/r/ZZnKfYusN8Z.js?_nc_x=Ij3Wp8lg5Kz	aafg31.exe, 00000015.00000003.871483645.0000020955D5B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661860603.0000020955D4B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.682406444.0000020955D44000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.682234652.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.610458087.0000020955D0D000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661265412.0000020955D14000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.725252342.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.727653565.0000020955D47000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.726734363.0000020955D43000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.748027526.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.608542388.0000020955D2B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.869877378.0000020955C11000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.609917388.0000020955D07000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661265412.0000020955D4B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.587487365.0000020955D3F000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.746443120.0000020955D95000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.891215691.0000020955C11000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.610990462.0000020955D0F000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.892118052.0000020955D54000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.746443120.0000020955D4A000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.727362332.0000020955D46000.00000004.00000020.00020000.00000000.sdmp	false		high
https://static.xx.fbcdn.net/rsrc.php/v3/yt/r/v75M7CPu9-P.js?_nc_x=Ij3Wp8lg5Kz	aafg31.exe, 00000015.00000003.871483645.0000020955D5B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661860603.0000020955D4B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.682406444.0000020955D44000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.682234652.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.610458087.0000020955D0D000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661265412.0000020955D14000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.725252342.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.727653565.0000020955D47000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.726734363.0000020955D43000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.748027526.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.608542388.0000020955D2B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.869877378.0000020955C11000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.609917388.0000020955D07000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661265412.0000020955D4B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.587487365.0000020955D3F000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.746443120.0000020955D95000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.891215691.0000020955C11000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.610990462.0000020955D0F000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.892118052.0000020955D54000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.746443120.0000020955D4A000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.727362332.0000020955D46000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ss.apjeoighw.com:80/check/?sid=437284&key=c4d583a983211d53f326aa000dca4127MjIzMSIsICJ1bl9wd2Q	aafg31.exe, 00000015.00000003.765330499.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.775551486.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.853929000.0000020953C14000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.789517605.0000020953C1A000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.767549181.0000020953C1A000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.803618288.0000020953C1A000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.853735463.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://messenger.com/	aafg31.exe, 00000015.00000003.871483645.0000020955D5B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661860603.0000020955D4B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.682406444.0000020955D44000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.682234652.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.891564020.0000020955D76000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.725526339.0000020955D63000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.610458087.0000020955D0D000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661265412.0000020955D14000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.725252342.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.727653565.0000020955D47000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.726734363.0000020955D43000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.748027526.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.608542388.0000020955D2B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.869877378.0000020955C11000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.609917388.0000020955D07000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661265412.0000020955D4B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.587487365.0000020955D3F000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.746443120.0000020955D95000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.891215691.0000020955C11000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.610990462.0000020955D0F000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.892118052.0000020955D54000.00000004.00000020.00020000.00000000.sdmp	false		high
http://components.groove.net/Groove/Components/SystemComponents/SystemComponents.osd?Package=net.gro	explorer.exe, 00000001.00000000.396414870.00007FFA13109000.00000002.00000001.01000000.00000005.sdmp	false	URL Reputation: safe	unknown
http://jp.imgjeoighw.com/sts/image.jpg	aafg31.exe, 00000015.00000003.518091220.0000020953BEF000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.527562190.0000020953BEF000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.493686172.0000020953BEF000.00000004.00001000.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.511244929.0000020953BEF000.00000004.00000001.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.895672737.0000020953BC3000.00000004.00000001.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.502518645.0000020953BEF000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.xx.fbcdn.net/rsrc.php/v3/yL/r/camCPYrr6r7.js?_nc_x=Ij3Wp8lg5Kz	aafg31.exe, 00000015.00000003.871483645.0000020955D5B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661860603.0000020955D4B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.682406444.0000020955D44000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.872402384.0000020953C62000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.682234652.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.610458087.0000020955D0D000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.585095031.0000020953C04000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.872402384.0000020953C16000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.682568528.0000020955D10000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.872189879.0000020955D0E000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.892118052.0000020955D48000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661265412.0000020955D14000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.725252342.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.727653565.0000020955D47000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.747896229.0000020955CFE000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.871983191.0000020955D48000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.726734363.0000020955D43000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.748027526.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.608542388.0000020955D2B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.869877378.0000020955C11000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.609917388.0000020955D07000.00000004.00000020.00020000.00000000.sdmp	false		high
http://colisumy.com/dl/build2.exe$run	BDC0.exe, 00000013.00000002.912417927.00000000008ED000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
http://ss.apjeoighw.com/	aafg31.exe, 00000015.00000003.702328602.0000020955D15000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.963156667.0000020955A80000.00000040.00001000.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.928321825.0000020955550000.00000004.00001000.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.898715266.0000020953C70000.00000040.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ss.apjeoighw.com/check/?sid=437114&key=556b8e8f2c0037a585c40888436f6c33f	aafg31.exe, 00000015.00000003.685325297.0000020953C59000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.amazon.com/	BDC0.exe, 00000013.00000003.476305321.0000000009890000.00000004.00001000.00020000.00000000.sdmp	false		high
http://ss.apjeoighw.com/check/?sid=436898&key=31b04f4e86a5030e55172a3ce21438a6f	aafg31.exe, 00000015.00000003.613408935.0000020953C59000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://zexeq.com/files/1/build3.exe$run	BDC0.exe, 00000013.00000002.912417927.00000000008ED000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
http://www.twitter.com/	BDC0.exe, 00000013.00000003.476625971.0000000009890000.00000004.00001000.00020000.00000000.sdmp	false		high
http://zexeq.com/raud/get.php?pid=903E7F261711F85395E5CEFBF4173C54&first=truey	BDC0.exe, 00000013.00000002.912417927.00000000008F8000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://colisumy.com/dl/build2.exerun417	BDC0.exe, 00000013.00000002.912417927.00000000008ED000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://colisumy.com/dl/build2.exe/p	BDC0.exe, 00000013.00000002.912417927.0000000000868000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.openssl.org/support/faq.html	BDC0.exe, 00000013.00000002.895386251.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
http://ss.apjeoighw.com/check/?sid=437232&key=35a897019d4d6b7304232007313f15f2	aafg31.exe, 00000015.00000003.747091320.0000020955D07000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.785925314.0000020955D0E000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.802910134.0000020955D0E000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.847680947.0000020955D0E000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.747762577.0000020955D10000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.839605379.0000020955D12000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.764921022.0000020955D12000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ss.apjeoighw.com/check/safeS	aafg31.exe, 00000015.00000003.753128296.0000020953C01000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.748891799.0000020953C04000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error	BDC0.exe, 00000005.00000002.453783695.0000000002510000.00000040.00001000.00020000.00000000.sdmp, BDC0.exe, 00000006.00000002.461344715.0000000000400000.00000040.00000400.00020000.00000000.sdmp, BDC0.exe, 0000000B.00000002.463587041.0000000002480000.00000040.00001000.00020000.00000000.sdmp, BDC0.exe, 00000011.00000002.895547083.0000000000400000.00000040.00000400.00020000.00000000.sdmp, BDC0.exe, 00000012.00000002.463532414.0000000002410000.00000040.00001000.00020000.00000000.sdmp, BDC0.exe, 00000013.00000002.895386251.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://static.xx.fbcdn.net/rsrc.php/v3/yT/r/Kp9IMjEGN_T.js?_nc_x=Ij3Wp8lg5Kz	aafg31.exe, 00000015.00000003.871483645.0000020955D5B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661860603.0000020955D4B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.682406444.0000020955D44000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.682234652.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.610458087.0000020955D0D000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661265412.0000020955D14000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.725252342.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.727653565.0000020955D47000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.726734363.0000020955D43000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.748027526.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.608542388.0000020955D2B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.869877378.0000020955C11000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.609917388.0000020955D07000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661265412.0000020955D4B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.587487365.0000020955D3F000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.746443120.0000020955D95000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.891215691.0000020955C11000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.610990462.0000020955D0F000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.892118052.0000020955D54000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.746443120.0000020955D4A000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.727362332.0000020955D46000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.2ip.ua/geo.jsonFA	BDC0.exe, 00000013.00000003.464201683.00000000008AD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://static.xx.fbcdn.net/rsrc.php/v3/yE/r/yWg6mkUCjYR.js?_nc_x=Ij3Wp8lg5Kz	aafg31.exe, 00000015.00000003.871483645.0000020955D5B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661860603.0000020955D4B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.682406444.0000020955D44000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.682234652.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.610458087.0000020955D0D000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661265412.0000020955D14000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.725252342.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.727653565.0000020955D47000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.726734363.0000020955D43000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.748027526.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.608542388.0000020955D2B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.869877378.0000020955C11000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.609917388.0000020955D07000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661265412.0000020955D4B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.587487365.0000020955D3F000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.746443120.0000020955D95000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.891215691.0000020955C11000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.610990462.0000020955D0F000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.892118052.0000020955D54000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.746443120.0000020955D4A000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.727362332.0000020955D46000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.2ip.ua/geo.jsonz	BDC0.exe, 00000013.00000003.464201683.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, BDC0.exe, 00000013.00000002.912417927.0000000000868000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.2ip.ua/geo.jsonr	BDC0.exe, 00000013.00000003.464201683.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, BDC0.exe, 00000013.00000002.912417927.0000000000868000.00000004.00000020.00020000.00000000.sdmp	false		high
https://static.xx.fbcdn.net	aafg31.exe, 00000015.00000003.589214326.0000020953C64000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.586782794.0000020953C64000.00000004.00000020.00020000.00000000.sdmp	false		high
https://we.tl/t-tnzomMj6	BDC0.exe, 00000011.00000002.897516846.0000000000613000.00000004.00000020.00020000.00000000.sdmp, BDC0.exe, 00000013.00000002.912417927.0000000000907000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://zexeq.com/files/1/build3.exerun	BDC0.exe, 00000013.00000002.912417927.00000000008ED000.00000004.00000020.00020000.00000000.sdmp, BDC0.exe, 00000013.00000002.937078432.00000000031F7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ss.apjeoighw.com/check/safe13f15f2	aafg31.exe, 00000015.00000003.748891799.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.reddit.com/	BDC0.exe, 00000013.00000003.476541733.0000000009890000.00000004.00001000.00020000.00000000.sdmp	false		high
https://static.xx.fbcdn.net/rsrc.php/v3/yq/l/0	aafg31.exe, 00000015.00000003.727362332.0000020955D46000.00000004.00000020.00020000.00000000.sdmp	false		high
http://colisumy.com/dlget.php?pid=903E7F261711F85395E5CEFBF4173C54	BDC0.exe, 00000011.00000002.897516846.0000000000568000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://zexeq.com/files/1/build3.exe$runyinstall020921_delay721_sec.exe0	BDC0.exe, 00000013.00000002.912417927.0000000000868000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000001.00000000.382909770.000000000091F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.nytimes.com/	BDC0.exe, 00000013.00000003.476513071.0000000009890000.00000004.00001000.00020000.00000000.sdmp	false		high
https://api.2ip.ua/geo.jsonX	BDC0.exe, 00000006.00000002.461754674.0000000000622000.00000004.00000020.00020000.00000000.sdmp	false		high
https://static.xx.fbcdn.net/rsrc.php/v3/yE/l/0	aafg31.exe, 00000015.00000003.727362332.0000020955D46000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661661754.0000020955D07000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.2ip.ua/	BDC0.exe, 00000013.00000003.464201683.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, BDC0.exe, 00000013.00000002.912417927.0000000000868000.00000004.00000020.00020000.00000000.sdmp	false		high
https://static.xx.fbcdn.net/rsrc.php/v3/y2/l/0	aafg31.exe, 00000015.00000003.871483645.0000020955D5B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661860603.0000020955D4B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.682406444.0000020955D44000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.682234652.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.610458087.0000020955D0D000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661265412.0000020955D14000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.725252342.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.727653565.0000020955D47000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.726734363.0000020955D43000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.748027526.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.608542388.0000020955D2B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.869877378.0000020955C11000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.609917388.0000020955D07000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661265412.0000020955D4B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.587487365.0000020955D3F000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.746443120.0000020955D95000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.891215691.0000020955C11000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.610990462.0000020955D0F000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.892118052.0000020955D54000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.746443120.0000020955D4A000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.727362332.0000020955D46000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ss.apjeoighw.com/check/?sid=437712&key=e0936dbb5215a1cc85afbf7dbb62727d	aafg31.exe, 00000015.00000002.972077905.0000020955BFD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://static.xx.fbcdn.net/rsrc.php/v3/yP/l/0	aafg31.exe, 00000015.00000003.727362332.0000020955D46000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661661754.0000020955D07000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ss.apjeoighw.com:80/check/?sid=436898&key=31b04f4e86a5030e55172a3ce21438a6	aafg31.exe, 00000015.00000003.644636498.0000020953C1A000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.633428878.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.626742491.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.640779902.0000020953C1A000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.653577716.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.635219550.0000020953C1A000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.615362679.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.613408935.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.648060767.0000020953C1A000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.639945801.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://components.groove.net/Groove/Components/Root.osd?Package=net.groove.Groove.Tools.System.Groov	explorer.exe, 00000001.00000000.396414870.00007FFA13109000.00000002.00000001.01000000.00000005.sdmp	false	URL Reputation: safe	unknown
http://ss.apjeoighw.com/check/safe	aafg31.exe, 00000015.00000003.589214326.0000020953C04000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.928321825.0000020955550000.00000004.00001000.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.895672737.0000020953B7B000.00000004.00000001.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.898715266.0000020953C70000.00000040.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://colisumy.com/dl/build2.exe	BDC0.exe, 00000013.00000002.912417927.0000000000868000.00000004.00000020.00020000.00000000.sdmp, BDC0.exe, 00000013.00000002.912417927.00000000008ED000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
http://ss.apjeoighw.com:80/check/safe	aafg31.exe, 00000015.00000003.644636498.0000020953C1A000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.718720439.0000020953C1A000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.633428878.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.708902609.0000020953C18000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.626742491.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.640779902.0000020953C1A000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.703897096.0000020953C18000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.653577716.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.686001799.0000020953C18000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.697812636.0000020953C18000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.678658664.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.703042210.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.685325297.0000020953C18000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.691479412.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.708488932.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.718518496.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.635219550.0000020953C1A000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.679386130.0000020953C18000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.684916045.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.615362679.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.613408935.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.2ip.ua/geo.json;?	BDC0.exe, 00000011.00000002.897516846.00000000005B4000.00000004.00000020.00020000.00000000.sdmp, BDC0.exe, 00000011.00000003.466616880.00000000005B3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://static.xx.fbcdn.net/rsrc.php/v3/yO/r/_tJ17sGyxOX.js?_nc_x=Ij3Wp8lg5Kz	aafg31.exe, 00000015.00000002.896936074.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.610052648.0000020953C62000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.747458130.0000020953C62000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.748891799.0000020953C62000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.727495452.0000020953C63000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.610737115.0000020953C62000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.2ip.ua/geo.json	BDC0.exe, 00000005.00000002.453783695.0000000002510000.00000040.00001000.00020000.00000000.sdmp, BDC0.exe, 00000006.00000002.461344715.0000000000400000.00000040.00000400.00020000.00000000.sdmp, BDC0.exe, 00000006.00000002.461754674.0000000000622000.00000004.00000020.00020000.00000000.sdmp, BDC0.exe, 0000000B.00000002.463587041.0000000002480000.00000040.00001000.00020000.00000000.sdmp, BDC0.exe, 00000011.00000002.897516846.00000000005B4000.00000004.00000020.00020000.00000000.sdmp, BDC0.exe, 00000011.00000002.895547083.0000000000400000.00000040.00000400.00020000.00000000.sdmp, BDC0.exe, 00000011.00000002.897516846.0000000000568000.00000004.00000020.00020000.00000000.sdmp, BDC0.exe, 00000011.00000003.466616880.00000000005B3000.00000004.00000020.00020000.00000000.sdmp, BDC0.exe, 00000012.00000002.463532414.0000000002410000.00000040.00001000.00020000.00000000.sdmp, BDC0.exe, 00000013.00000003.464201683.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, BDC0.exe, 00000013.00000002.895386251.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
http://ss.apjeoighw.com:80/check/?sid=437058&key=7c45c7b8ba54fad24dbc26b647ebd1bc	aafg31.exe, 00000015.00000003.678658664.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.679386130.0000020953C18000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://zexeq.com/files/1/build3.exe$rung	BDC0.exe, 00000013.00000002.912417927.00000000008ED000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://ss.apjeoighw.com:80/check/?sid=437114&key=556b8e8f2c0037a585c40888436f6c335	aafg31.exe, 00000015.00000003.718720439.0000020953C1A000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.708902609.0000020953C18000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.703897096.0000020953C18000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.686001799.0000020953C18000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.725776709.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.697812636.0000020953C18000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.703042210.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.685325297.0000020953C18000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.691479412.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.708488932.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.718518496.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.684916045.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.727495452.0000020953C18000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ss.apjeoighw.com/check/safe1B	aafg31.exe, 00000015.00000002.972077905.0000020955BFD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://45.9.74.80/0bjds.apjeoighw.com/check/?sid=436838&key=0f2526fc923d8a6ab4c43d0a56a5696e	aafg31.exe, 00000015.00000003.589214326.0000020953C59000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://api.2ip.ua/geo.json#?	BDC0.exe, 00000011.00000002.897516846.00000000005B4000.00000004.00000020.00020000.00000000.sdmp, BDC0.exe, 00000011.00000003.466616880.00000000005B3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://zexeq.com/files/1/build3.exe$runP	BDC0.exe, 00000013.00000002.912417927.00000000008ED000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://zexeq.com/raud/get.phpep	BDC0.exe, 00000011.00000002.897516846.0000000000613000.00000004.00000020.00020000.00000000.sdmp, BDC0.exe, 00000013.00000002.912417927.0000000000907000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://ss.apjeoighw.com:80/check/safeD	aafg31.exe, 00000015.00000003.718720439.0000020953C1A000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.708902609.0000020953C18000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.703897096.0000020953C18000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.686001799.0000020953C18000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.725776709.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.697812636.0000020953C18000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.703042210.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.685325297.0000020953C18000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.691479412.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.708488932.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.718518496.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.684916045.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.727495452.0000020953C18000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.youtube.com/	BDC0.exe, 00000013.00000003.476682552.0000000009890000.00000004.00001000.00020000.00000000.sdmp	false		high
https://api.2ip.ua/H	BDC0.exe, 00000013.00000003.464201683.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, BDC0.exe, 00000013.00000002.912417927.0000000000868000.00000004.00000020.00020000.00000000.sdmp	false		high
https://we.tl/t-tnzomMj6$	BDC0.exe, 00000011.00000002.897516846.0000000000613000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ss.apjeoighw.com/check/?sid=437058&key=7c45c7b8ba54fad24dbc26b647ebd1bcf	aafg31.exe, 00000015.00000003.679386130.0000020953C59000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://static.xx.fbcdn.net/rsrc.php/v3/ye/r/sczXDyPA0UL.js?_nc_x=Ij3Wp8lg5Kz	aafg31.exe, 00000015.00000003.871483645.0000020955D5B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661860603.0000020955D4B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.682406444.0000020955D44000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.682234652.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.610458087.0000020955D0D000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661265412.0000020955D14000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.725252342.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.727653565.0000020955D47000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.726734363.0000020955D43000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.748027526.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.608542388.0000020955D2B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.869877378.0000020955C11000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.609917388.0000020955D07000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661265412.0000020955D4B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.587487365.0000020955D3F000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.746443120.0000020955D95000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.891215691.0000020955C11000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.610990462.0000020955D0F000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.892118052.0000020955D54000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.746443120.0000020955D4A000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.727362332.0000020955D46000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.wikipedia.com/	BDC0.exe, 00000013.00000003.476659640.0000000009890000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://we.tl/t-tnzomMj6HU	BDC0.exe, 00000011.00000002.897516846.0000000000613000.00000004.00000020.00020000.00000000.sdmp, BDC0.exe, 00000011.00000002.897516846.0000000000632000.00000004.00000020.00020000.00000000.sdmp, BDC0.exe, 00000013.00000002.912417927.0000000000907000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://zexeq.com/raud/get.php?pid=903E7F261711F85395E5CEFBF4173C54&first=trueb	BDC0.exe, 00000013.00000002.912417927.00000000008F8000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://static.xx.fbcdn.net/rsrc.php/v3/yB/l/0	aafg31.exe, 00000015.00000003.871483645.0000020955D5B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661860603.0000020955D4B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.682406444.0000020955D44000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.682234652.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.610458087.0000020955D0D000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661265412.0000020955D14000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.725252342.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.727653565.0000020955D47000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.726734363.0000020955D43000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.748027526.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.608542388.0000020955D2B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.869877378.0000020955C11000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.609917388.0000020955D07000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661265412.0000020955D4B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.587487365.0000020955D3F000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.746443120.0000020955D95000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.891215691.0000020955C11000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.610990462.0000020955D0F000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.892118052.0000020955D54000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.746443120.0000020955D4A000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.727362332.0000020955D46000.00000004.00000020.00020000.00000000.sdmp	false		high
https://static.xx.fbcdn.net/rsrc.php/v3i7M54/yx/l/en_US/LsRZeEzcd6B.js?_nc_x=Ij3Wp8lg5Kz	aafg31.exe, 00000015.00000003.871483645.0000020955D5B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661860603.0000020955D4B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.682406444.0000020955D44000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.682234652.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.610458087.0000020955D0D000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661265412.0000020955D14000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.725252342.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.727653565.0000020955D47000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.726734363.0000020955D43000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.748027526.0000020955D9B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.608542388.0000020955D2B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.869877378.0000020955C11000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.609917388.0000020955D07000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661265412.0000020955D4B000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.587487365.0000020955D3F000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.746443120.0000020955D95000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.891215691.0000020955C11000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.610990462.0000020955D0F000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.892118052.0000020955D54000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.746443120.0000020955D4A000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.727362332.0000020955D46000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.live.com/	BDC0.exe, 00000013.00000003.476481044.0000000009890000.00000004.00001000.00020000.00000000.sdmp	false		high
https://api.2ip.ua/:m	BDC0.exe, 00000006.00000002.461754674.0000000000653000.00000004.00000020.00020000.00000000.sdmp	false		high
http://zexeq.com/files/1/build3.exe	BDC0.exe, 00000013.00000002.937078432.00000000031EB000.00000004.00000020.00020000.00000000.sdmp, BDC0.exe, 00000013.00000002.912417927.0000000000907000.00000004.00000020.00020000.00000000.sdmp, BDC0.exe, 00000013.00000002.912417927.00000000008ED000.00000004.00000020.00020000.00000000.sdmp, BDC0.exe, 00000013.00000002.937078432.00000000031F7000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: safe	unknown
https://static.xx.fbcdn.net/rsrc.php/v3/yI/r/Ib90vcVxYzI.js?_nc_x=Ij3Wp8lg5Kz	aafg31.exe, 00000015.00000003.661727127.0000020953C60000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000002.896936074.0000020953C0C000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.610052648.0000020953C62000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.747458130.0000020953C62000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.678658664.0000020953C63000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.748891799.0000020953C62000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.727495452.0000020953C63000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.586782794.0000020953C64000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.610737115.0000020953C62000.00000004.00000020.00020000.00000000.sdmp	false		high
http://zexeq.com/raud/get.php?pid=903E7F261711F85395E5CEFBF4173C54	BDC0.exe, 00000011.00000002.897516846.00000000005B4000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.google.com/	BDC0.exe, 00000013.00000003.476398741.0000000009890000.00000004.00001000.00020000.00000000.sdmp	false		high
https://static.xx.fbcdn.net/rsrc.php/v3/yK/l/0	aafg31.exe, 00000015.00000003.727362332.0000020955D46000.00000004.00000020.00020000.00000000.sdmp, aafg31.exe, 00000015.00000003.661661754.0000020955D07000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
157.240.9.35	unknown	United States	32934	FACEBOOKUS	false
103.100.211.218	unknown	Hong Kong	133115	HKKFGL-AS-APHKKwaifongGroupLimitedHK	false
154.221.31.191	unknown	Seychelles	133115	HKKFGL-AS-APHKKwaifongGroupLimitedHK	false
157.240.17.35	unknown	United States	32934	FACEBOOKUS	false
217.174.148.28	unknown	Bulgaria	31083	TELEPOINTBG	true
175.119.10.231	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
8.8.8.8	unknown	United States	15169	GOOGLEUS	false
211.40.39.251	unknown	Korea Republic of	3786	LGDACOMLGDACOMCorporationKR	true
157.240.17.17	unknown	United States	32934	FACEBOOKUS	false
211.171.233.129	unknown	Korea Republic of	3786	LGDACOMLGDACOMCorporationKR	true
211.119.84.112	unknown	Korea Republic of	3786	LGDACOMLGDACOMCorporationKR	true
162.0.217.254	unknown	Canada	35893	ACPCA	false
194.180.48.90	unknown	Germany	10753	LVLT-10753US	true
123.140.161.243	unknown	Korea Republic of	3786	LGDACOMLGDACOMCorporationKR	true
80.66.203.53	unknown	United Kingdom	61323	UKFASTGB	true
45.9.74.80	unknown	Russian Federation	200740	FIRST-SERVER-EU-ASRU	true
211.59.14.90	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	false
20.189.173.21	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
188.114.97.7	unknown	European Union	13335	CLOUDFLARENETUS	true
188.114.96.7	unknown	European Union	13335	CLOUDFLARENETUS	true
183.100.39.157	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	true
80.210.25.252	unknown	Iran (ISLAMIC Republic Of)	12880	DCI-ASIR	true
222.236.49.123	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
222.236.49.124	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	877000
Start date and time:	2023-05-28 10:43:07 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 16m 14s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	50
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	02107799.exe
Detection:	MAL
Classification:	mal100.rans.phis.troj.spyw.evad.winEXE@105/269@0/25
EGA Information:	Failed
HDC Information:	Successful, ratio: 40.5% (good quality ratio 34.6%) Quality average: 62.2% Quality standard deviation: 35.8%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for rundll32

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Created / dropped Files have been reduced to 100
Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, dllhost.exe, consent.exe, conhost.exe, svchost.exe
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Skipping network analysis since amount of network traffic is too extensive

Simulations

Behavior and APIs

Time	Type	Description
10:44:29	API Interceptor	1552x Sleep call for process: explorer.exe modified
10:44:30	Task Scheduler	Run new task: Firefox Default Browser Agent 8DB0A56B8EC45137 path: C:\Users\user\AppData\Roaming\cuwsgii
10:44:37	Task Scheduler	Run new task: Time Trigger Task path: C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8\BDC0.exe s>--Task
10:44:38	API Interceptor	1x Sleep call for process: dllhost.exe modified
10:44:38	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SysHelper "C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8\BDC0.exe" --AutoStart
10:44:41	API Interceptor	1x Sleep call for process: WerFault.exe modified
10:44:43	API Interceptor	1x Sleep call for process: BDC0.exe modified
10:44:47	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SysHelper "C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8\BDC0.exe" --AutoStart
10:44:48	API Interceptor	1827x Sleep call for process: mnolyk.exe modified
10:44:53	Task Scheduler	Run new task: mnolyk.exe path: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe
10:44:59	Task Scheduler	Run new task: Azure-Update-Task path: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
10:45:20	Task Scheduler	Run new task: Firefox Default Browser Agent 77EB2ECBEC3BD541 path: C:\Users\user\AppData\Roaming\vwwsgii
10:45:49	API Interceptor	3x Sleep call for process: aafg31.exe modified
10:45:56	Task Scheduler	Run new task: NoteUpdateTaskMachineQC path: C:\Program Files\Notepad\Chrome\updater.exe

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8200346039459757
Encrypted:	false
SSDEEP:	96:ebo1FE6KZIo+4Eyyo9Cto07RP6tpXIQcQjc6ieAcElcw3kvz+HbHg/8BRTf3o8FI:X+x3DvHtGZvPjIg/u7sBS274Itf8
MD5:	21837DE30B9C41BCF5572CF4984E6C4D
SHA1:	4B9B7534939C5FF21C2BB5B31F62CB679039754D
SHA-256:	A7B579230F92DEF3571B761BA0B55551D189E10126077487128F943F0F69F920
SHA-512:	AF176DB9A5240D9FBD1CF35BAB0DE7A0A7B4DED30B32B49E45B03BC0EC36F8C1D5DCAC99D83A8E7E1710F3EFF2BABE78272AD3AD6BF0BEBBC6B6F252C67C3EFA
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.2.9.7.6.9.4.7.7.7.8.8.0.0.2.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.2.9.7.6.9.4.7.8.7.4.1.1.1.2.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.5.d.6.b.1.c.2.-.2.b.2.a.-.4.7.0.5.-.b.c.3.b.-.6.c.2.2.f.9.7.4.1.f.f.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.d.b.c.6.5.4.e.-.8.9.5.a.-.4.1.6.5.-.a.c.0.f.-.b.4.b.e.b.9.1.0.e.e.5.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.A.D.2.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.2.7.4.-.0.0.0.1.-.0.0.1.9.-.2.6.3.f.-.d.f.1.1.8.c.9.1.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.1.0.1.e.4.1.3.4.2.6.1.6.e.a.b.e.5.e.3.a.1.9.2.f.9.9.5.2.a.5.c.0.0.0.0.f.b.0.2.!.0.0.0.0.2.d.f.f.9.4.4.f.9.7.0.f.a.e.f.5.c.6.f.a.9.2.a.c.8.f.b.e.8.2.c.9.2.5.1.5.5.3.f.3.!.A.D.2.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.3././.0.3././.1.3.:.

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	84502
Entropy (8bit):	3.0502356873357246
Encrypted:	false
SSDEEP:	768:IMHf3EX994+iZmlPnXMlnGacOnuXvrZEiOS2fkRQzN:IMHfE949mlMGaJuXTZEiOSDReN
MD5:	9054E137D33482218DED22C21F21E3AB
SHA1:	5E023D86972727F14614534AF8484CD63963CB3F
SHA-256:	B0F06D73C08A1F0EAC02B5F95C9C0001B6CEB2AF60F7CC77DFF51FD7C7B1DFB1
SHA-512:	7384CC6BAF5FFA7B3B79BA02F8660E99A537567A9C44520A46716F04F94D012539B441160B78B266524B8A84F0082DEC0A39032240C1226BA4744B4771FD30BA
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

Process:	C:\Users\user\AppData\Local\Temp\BDC0.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.963745994207334
Encrypted:	false
SSDEEP:	3:oTXoaMC45vn:2oDn
MD5:	0156D0C4447C9DC5F0995701DC91FB59
SHA1:	763CCC86E08AA791AD0E6085472518697535095F
SHA-256:	29E03691D1E3DB7DFB5542555DAECD4DDBC881033A574B28720401FC272B9E56
SHA-512:	D73D70CB6F3D6B647D39147902F8767A9645483FC1ED5D62E57232F47D6251A9BDF5AADFA447748F0E6DED8D2AC50FC5A632EDE00E8962C030C52D9853F219CE
Malicious:	false
Preview:	5MivdxIsjUGGGxmy4wa3GzTKau2fLCnJ4rWgvwBY..

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	288768
Entropy (8bit):	6.584915706285476
Encrypted:	false
SSDEEP:	3072:tiaWGvA5BMvdYuAJ2qiGD0swth9Ewaf/s7htn5gYTtic7:t4GvAMdj40th7a3s7SYTtic
MD5:	7A8E3D000FBA0F5765B98E2D78EB9D12
SHA1:	2DFF944F970FAEF5C6FA92AC8FBE82C9251553F3
SHA-256:	13744BE5698FFDDC96D55415FDEEBDE4921ED199B4174251D83F1FD5B5A05C66
SHA-512:	1D56B0DD129D7A1C1E76B110F9CEE4C63D2F021BCDCACA53CD780CC5E6B6CAFD6CEBC70FB62198910CAE2E4E9EA083216611923C72A4120FCC30CA3894A058DA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&...b...b...b...\|.......\|.......\|...H...EX..k...b.....\|...c...\|...c...\|...c...Richb...................PE..L...G..c.................~..."&.....YN............@...........................(.................................................d.....&.......................(..... ...............................P1..@............................................text....}.......~.................. ..`.data...DX$.........................@....rsrc.........&.....................@..@.reloc...3....(..4...4..............@..B........................................................................................................................................................................................................................................................................................................................................................................

Entrypoint:	0x404dd9
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x6297F6D6 [Wed Jun 1 23:31:34 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	d302e4ac3406067f8ed838633897aebb

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x283a8	0x64	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x26f000	0x17700	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x287000	0xdf4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1220	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x30c8	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1d4	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x27e62	0x28000	False	0.785137939453125	data	7.578116721772191	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x29000	0x245844	0x1e00	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x26f000	0x17700	0x17800	False	0.3848175698138298	DIY-Thermocam raw data (Lepton 3.x), scale -32383-32383, spot sensor temperature -0.000000, unit celsius, color scheme 0, calibration: offset 170141183460469231731687303715884105728.000000, slope 338285908496422218588534207645931798528.000000	4.2257902008995	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x287000	0x331e	0x3400	False	0.22611177884615385	data	2.5288792513598777	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type
RT_ICON	0x26f6d0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0
RT_ICON	0x26fd98	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0
RT_ICON	0x272340	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0
RT_ICON	0x2727d8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0
RT_ICON	0x273680	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0
RT_ICON	0x273f28	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0
RT_ICON	0x274490	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0
RT_ICON	0x276a38	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0
RT_ICON	0x277ae0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0
RT_ICON	0x278468	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0
RT_ICON	0x278938	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0
RT_ICON	0x2797e0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0
RT_ICON	0x27a088	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0
RT_ICON	0x27a750	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0
RT_ICON	0x27acb8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0
RT_ICON	0x27d260	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0
RT_ICON	0x27e308	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0
RT_ICON	0x27e7d8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0
RT_ICON	0x27f680	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0
RT_ICON	0x27ff28	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0
RT_ICON	0x280490	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0
RT_ICON	0x282a38	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0
RT_ICON	0x283ae0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0
RT_ICON	0x284468	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0
RT_STRING	0x284b70	0x6fa	data
RT_STRING	0x285270	0x6a8	data
RT_STRING	0x285918	0x4b8	data
RT_STRING	0x285dd0	0x1da	data
RT_STRING	0x285fb0	0x74c	data
RT_GROUP_ICON	0x2848d0	0x68	data
RT_GROUP_ICON	0x27e770	0x68	data
RT_GROUP_ICON	0x2727a8	0x30	data
RT_GROUP_ICON	0x2788d0	0x68	data
RT_VERSION	0x284938	0x234	data

DLL	Import
KERNEL32.dll	GetModuleHandleW, GetTickCount, IsBadReadPtr, GetConsoleAliasesLengthA, GetPrivateProfileIntA, FreeConsole, GetVersionExW, WritePrivateProfileStructW, MulDiv, GetModuleFileNameW, CreateActCtxA, WritePrivateProfileStringW, ReplaceFileA, GetStringTypeExA, CreateJobObjectA, GetStdHandle, GetLogicalDriveStringsA, OpenMutexW, GetLastError, ReadConsoleOutputCharacterA, GetProcAddress, SleepEx, GetLongPathNameA, VirtualAlloc, EnterCriticalSection, _hwrite, LoadLibraryA, InterlockedExchangeAdd, LocalAlloc, GetFileType, CreateFileMappingW, FindFirstVolumeMountPointW, GetNumberFormatW, CreateEventW, GetModuleFileNameA, lstrcmpiW, GetModuleHandleA, CreateMutexA, GetFileAttributesExW, GetConsoleCursorInfo, ScrollConsoleScreenBufferA, FindAtomW, EnumResourceLanguagesW, DebugBreak, FindNextVolumeA, AddConsoleAliasW, CancelWaitableTimer, GetCommState, WaitForSingleObject, AttachConsole, GetCommandLineA, GetStartupInfoA, RaiseException, RtlUnwind, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapAlloc, HeapFree, WideCharToMultiByte, SetHandleCount, DeleteCriticalSection, LeaveCriticalSection, Sleep, ExitProcess, WriteFile, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, HeapCreate, VirtualFree, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, HeapReAlloc, SetFilePointer, GetConsoleCP, GetConsoleMode, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, InitializeCriticalSectionAndSpinCount, HeapSize, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, FlushFileBuffers, CreateFileA, CloseHandle
USER32.dll	CharLowerBuffA
GDI32.dll	GetCharWidthW, EnumFontsW, GetCharABCWidthsFloatW
ADVAPI32.dll	MapGenericMask

Target ID:	0
Start time:	10:43:57
Start date:	28/05/2023
Path:	C:\Users\user\Desktop\02107799.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\02107799.exe
Imagebase:	0x400000
File size:	282112 bytes
MD5 hash:	6017E7C6F19DE9E3B0AAE0965FE25603
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.397201524.0000000000840000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.397221431.0000000000871000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.397221431.0000000000871000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.397292566.0000000000939000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.397209073.0000000000850000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.397209073.0000000000850000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Target ID:	1
Start time:	10:44:02
Start date:	28/05/2023
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff69bc80000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	5
Start time:	10:44:34
Start date:	28/05/2023
Path:	C:\Users\user\AppData\Local\Temp\BDC0.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\BDC0.exe
Imagebase:	0x400000
File size:	802304 bytes
MD5 hash:	6944FCA258A9009F9D3B7212CDB4874D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000005.00000002.453783695.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000005.00000002.453783695.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000005.00000002.453528210.00000000023BD000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Target ID:	6
Start time:	10:44:35
Start date:	28/05/2023
Path:	C:\Users\user\AppData\Local\Temp\BDC0.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\BDC0.exe
Imagebase:	0x400000
File size:	802304 bytes
MD5 hash:	6944FCA258A9009F9D3B7212CDB4874D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000006.00000002.461344715.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000006.00000002.461344715.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000006.00000002.461344715.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000006.00000002.461344715.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Target ID:	7
Start time:	10:44:36
Start date:	28/05/2023
Path:	C:\Users\user\AppData\Local\Temp\AD22.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\AD22.exe
Imagebase:	0x400000
File size:	288768 bytes
MD5 hash:	7A8E3D000FBA0F5765B98E2D78EB9D12
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000007.00000002.466741568.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000007.00000002.466859544.0000000000818000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Target ID:	17
Start time:	10:44:39
Start date:	28/05/2023
Path:	C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8\BDC0.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8\BDC0.exe --Task
Imagebase:	0x400000
File size:	802304 bytes
MD5 hash:	6944FCA258A9009F9D3B7212CDB4874D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000011.00000002.895547083.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000011.00000002.895547083.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000011.00000002.895547083.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000011.00000002.895547083.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown

Target ID:	20
Start time:	10:44:42
Start date:	28/05/2023
Path:	C:\Users\user\AppData\Local\Temp\223E.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\223E.exe
Imagebase:	0x700000
File size:	5129728 bytes
MD5 hash:	2AF03D52F9CF9E53DFFC1183B403E1B7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000014.00000002.513841779.00000000040C5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_DLInjector04, Description: Detects downloader / injector, Source: C:\Users\user\AppData\Local\Temp\223E.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 70%, ReversingLabs

Target ID:	21
Start time:	10:44:44
Start date:	28/05/2023
Path:	C:\Users\user\AppData\Local\Temp\aafg31.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\aafg31.exe"
Imagebase:	0x7ff6607d0000
File size:	973312 bytes
MD5 hash:	B4F79B3194235084A3EC85711EDFBD38
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 33%, ReversingLabs

Target ID:	23
Start time:	10:44:45
Start date:	28/05/2023
Path:	C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe"
Imagebase:	0x60000
File size:	255488 bytes
MD5 hash:	08240E71429B32855B418A4ACF0E38EC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey, Description: Yara detected Amadey bot, Source: 00000017.00000003.507221089.0000000000877000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000017.00000000.475587099.0000000000061000.00000020.00000001.01000000.00000012.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: C:\Users\user\AppData\Local\Temp\6d73a97b0c\mnolyk.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 88%, ReversingLabs

Target ID:	24
Start time:	10:44:46
Start date:	28/05/2023
Path:	C:\Users\user\AppData\Local\Temp\XandETC.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\XandETC.exe"
Imagebase:	0x7ff6e4340000
File size:	3890176 bytes
MD5 hash:	3006B49F3A30A80BB85074C279ACC7DF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 73%, ReversingLabs

Target ID:	31
Start time:	10:44:49
Start date:	28/05/2023
Path:	C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8\BDC0.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\9af1d69e-1bc5-4008-ad08-a746f07a48e8\BDC0.exe" --AutoStart
Imagebase:	0x400000
File size:	802304 bytes
MD5 hash:	6944FCA258A9009F9D3B7212CDB4874D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 0000001F.00000002.497982449.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000001F.00000002.497982449.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 0000001F.00000002.497982449.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 0000001F.00000002.497982449.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 02107799.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Amadey

Threatname: Djvu

Threatname: SmokeLoader

Threatname: Vidar

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_AD22.exe_bc3690d31fe876d95d6ec65d5dc56974b7b47db_5f8597d0_0d70ed7f\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER192B.tmp.csv

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1BEB.tmp.csv

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2429.tmp.txt

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2861.tmp.txt

C:\ProgramData\Microsoft\Windows\WER\Temp\WER338D.tmp.csv

Windows Analysis Report
02107799.exe

Target ID:	32
Start time:	10:44:51
Start date:	28/05/2023
Path:	C:\Users\user\AppData\Local\Temp\946D.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\946D.exe
Imagebase:	0x400000
File size:	802304 bytes
MD5 hash:	6944FCA258A9009F9D3B7212CDB4874D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000020.00000002.509612718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000020.00000002.509612718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000020.00000002.509612718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000020.00000002.509612718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown

Target ID:	38
Start time:	10:44:52
Start date:	28/05/2023
Path:	C:\Windows\SysWOW64\cacls.exe
Wow64 process (32bit):	true
Commandline:	CACLS "mnolyk.exe" /P "user:R" /E
Imagebase:	0x60000
File size:	27648 bytes
MD5 hash:	4CBB1C027DF71C53A8EE4C855FD35B25
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Services
Platforms:	Windows
Url:	Open detailed description by Mitre