Error "unable to execute file" stp selector fifa 17 (2024)


  • Anti-Detection/Stealthyness
    • details Process "taskkill.exe" with commandline "taskkill /f /im "search.exe"" () source Monitored Target relevance 9/10
  • External Systems
    • details Detected alert "ET TROJAN Ransomware/Cerber Checkin 2" (SID: 2023453, Rev: 5, Severity: 1) categorized as "A Network Trojan was detected" (Backdoor, ransomware, trojans, etc.)
      Detected alert "ETPRO TROJAN Ransomware/Cerber Checkin Error ICMP Response" (SID: 2816764, Rev: 3, Severity: 1) categorized as "A Network Trojan was detected" (Backdoor, ransomware, trojans, etc.)  
      Detected alert "ET TROJAN Ransomware/Cerber Onion Domain Lookup" (SID: 2023425, Rev: 1, Severity: 1) categorized as "A Network Trojan was detected" (Backdoor, ransomware, trojans, etc.)  
      Detected alert "ETPRO TROJAN W32.Cerber Ransomware HTTP Pattern" (SID: 2822889, Rev: 2, Severity: 1) categorized as "A Network Trojan was detected" (Backdoor, ransomware, trojans, etc.) source Suricata Alerts relevance 10/10  
    • details 5/57 Antivirus vendors marked sample as malicious (8% detection rate) source External System relevance 8/10
  • General
    • details 1/80 Antivirus vendors marked dropped file "System.dll" as malicious (classified as "W32.eHeur" with 1% detection rate) source Extracted File relevance 10/10
  • Network Related
    • details Contacted 60 (or more) hosts in at least 1 different countries source Network Traffic relevance 9/10
    • details Found malicious artifacts related to "63.55.11.0" (ASN: , Owner: ): ...
      File SHA256: 83f4baf5b5b4a08c77e37cd3e25a4af12bf851d4d6bc103e3d9d1b0cf8c97c16 (AV positives: 24/56 scanned on 11/25/2016 01:45:55)
      File SHA256: 210323c1c1eb25ef67a9d66ff21f9bb46c470c937bdb86f5d8ff25f429fe4a8b (AV positives: 20/56 scanned on 11/24/2016 08:17:19)
      Found malicious artifacts related to "63.55.11.1" (ASN: , Owner: ): ...
      File SHA256: 83f4baf5b5b4a08c77e37cd3e25a4af12bf851d4d6bc103e3d9d1b0cf8c97c16 (AV positives: 24/56 scanned on 11/25/2016 01:45:55)
      File SHA256: 210323c1c1eb25ef67a9d66ff21f9bb46c470c937bdb86f5d8ff25f429fe4a8b (AV positives: 20/56 scanned on 11/24/2016 08:17:18)
      Found malicious artifacts related to "63.55.11.2" (ASN: , Owner: ): ...
      File SHA256: 83f4baf5b5b4a08c77e37cd3e25a4af12bf851d4d6bc103e3d9d1b0cf8c97c16 (AV positives: 24/56 scanned on 11/25/2016 01:45:55)
      File SHA256: 210323c1c1eb25ef67a9d66ff21f9bb46c470c937bdb86f5d8ff25f429fe4a8b (AV positives: 20/56 scanned on 11/24/2016 08:17:19)
      Found malicious artifacts related to "63.55.11.3" (ASN: , Owner: ): ...
      File SHA256: 83f4baf5b5b4a08c77e37cd3e25a4af12bf851d4d6bc103e3d9d1b0cf8c97c16 (AV positives: 24/56 scanned on 11/25/2016 01:45:55)
      File SHA256: 210323c1c1eb25ef67a9d66ff21f9bb46c470c937bdb86f5d8ff25f429fe4a8b (AV positives: 20/56 scanned on 11/24/2016 08:17:19)
      Found malicious artifacts related to "63.55.11.4" (ASN: 701, Owner: MCI Communications Services, Inc. d/b/a Verizon Business): ...
      File SHA256: 83f4baf5b5b4a08c77e37cd3e25a4af12bf851d4d6bc103e3d9d1b0cf8c97c16 (AV positives: 24/56 scanned on 11/25/2016 01:45:55)
      File SHA256: 210323c1c1eb25ef67a9d66ff21f9bb46c470c937bdb86f5d8ff25f429fe4a8b (AV positives: 20/56 scanned on 11/24/2016 08:17:19)
      Found malicious artifacts related to "63.55.11.5" (ASN: 701, Owner: MCI Communications Services, Inc. d/b/a Verizon Business): ...
      File SHA256: 83f4baf5b5b4a08c77e37cd3e25a4af12bf851d4d6bc103e3d9d1b0cf8c97c16 (AV positives: 24/56 scanned on 11/25/2016 01:45:55)
      File SHA256: 210323c1c1eb25ef67a9d66ff21f9bb46c470c937bdb86f5d8ff25f429fe4a8b (AV positives: 20/56 scanned on 11/24/2016 08:17:19)
      Found malicious artifacts related to "63.55.11.6" (ASN: , Owner: ): ...
      File SHA256: 83f4baf5b5b4a08c77e37cd3e25a4af12bf851d4d6bc103e3d9d1b0cf8c97c16 (AV positives: 24/56 scanned on 11/25/2016 01:45:55)
      File SHA256: 210323c1c1eb25ef67a9d66ff21f9bb46c470c937bdb86f5d8ff25f429fe4a8b (AV positives: 20/56 scanned on 11/24/2016 08:17:20)
      Found malicious artifacts related to "63.55.11.7" (ASN: , Owner: ): ...
      File SHA256: 83f4baf5b5b4a08c77e37cd3e25a4af12bf851d4d6bc103e3d9d1b0cf8c97c16 (AV positives: 24/56 scanned on 11/25/2016 01:45:55)
      File SHA256: 210323c1c1eb25ef67a9d66ff21f9bb46c470c937bdb86f5d8ff25f429fe4a8b (AV positives: 20/56 scanned on 11/24/2016 08:17:19)
      Found malicious artifacts related to "63.55.11.8" (ASN: , Owner: ): ...
      File SHA256: 83f4baf5b5b4a08c77e37cd3e25a4af12bf851d4d6bc103e3d9d1b0cf8c97c16 (AV positives: 24/56 scanned on 11/25/2016 01:45:55)
      File SHA256: 210323c1c1eb25ef67a9d66ff21f9bb46c470c937bdb86f5d8ff25f429fe4a8b (AV positives: 20/56 scanned on 11/24/2016 08:17:20)
      Found malicious artifacts related to "63.55.11.9" (ASN: , Owner: ): ...
      File SHA256: 83f4baf5b5b4a08c77e37cd3e25a4af12bf851d4d6bc103e3d9d1b0cf8c97c16 (AV positives: 24/56 scanned on 11/25/2016 01:45:55)
      File SHA256: 210323c1c1eb25ef67a9d66ff21f9bb46c470c937bdb86f5d8ff25f429fe4a8b (AV positives: 20/56 scanned on 11/24/2016 08:17:20)
      Found malicious artifacts related to "63.55.11.10" (ASN: , Owner: ): ...
      File SHA256: 83f4baf5b5b4a08c77e37cd3e25a4af12bf851d4d6bc103e3d9d1b0cf8c97c16 (AV positives: 24/56 scanned on 11/25/2016 01:44:41)
      File SHA256: 210323c1c1eb25ef67a9d66ff21f9bb46c470c937bdb86f5d8ff25f429fe4a8b (AV positives: 20/56 scanned on 11/24/2016 08:16:32)
      Found malicious artifacts related to "63.55.11.11" (ASN: , Owner: ): ...
      File SHA256: 83f4baf5b5b4a08c77e37cd3e25a4af12bf851d4d6bc103e3d9d1b0cf8c97c16 (AV positives: 24/56 scanned on 11/25/2016 01:44:40)
      File SHA256: 210323c1c1eb25ef67a9d66ff21f9bb46c470c937bdb86f5d8ff25f429fe4a8b (AV positives: 20/56 scanned on 11/24/2016 08:16:32)
      Found malicious artifacts related to "63.55.11.12" (ASN: , Owner: ): ...
      File SHA256: 83f4baf5b5b4a08c77e37cd3e25a4af12bf851d4d6bc103e3d9d1b0cf8c97c16 (AV positives: 24/56 scanned on 11/25/2016 01:44:42)
      File SHA256: 210323c1c1eb25ef67a9d66ff21f9bb46c470c937bdb86f5d8ff25f429fe4a8b (AV positives: 20/56 scanned on 11/24/2016 08:16:33)
      Found malicious artifacts related to "63.55.11.13" (ASN: , Owner: ): ...
      File SHA256: 83f4baf5b5b4a08c77e37cd3e25a4af12bf851d4d6bc103e3d9d1b0cf8c97c16 (AV positives: 24/56 scanned on 11/25/2016 01:44:41)
      File SHA256: 210323c1c1eb25ef67a9d66ff21f9bb46c470c937bdb86f5d8ff25f429fe4a8b (AV positives: 20/56 scanned on 11/24/2016 08:16:32)
      Found malicious artifacts related to "63.55.11.14" (ASN: , Owner: ): ...
      File SHA256: 83f4baf5b5b4a08c77e37cd3e25a4af12bf851d4d6bc103e3d9d1b0cf8c97c16 (AV positives: 24/56 scanned on 11/25/2016 01:44:40)
      File SHA256: 210323c1c1eb25ef67a9d66ff21f9bb46c470c937bdb86f5d8ff25f429fe4a8b (AV positives: 20/56 scanned on 11/24/2016 08:16:31)
      Found malicious artifacts related to "63.55.11.15" (ASN: , Owner: ): ...
      File SHA256: 83f4baf5b5b4a08c77e37cd3e25a4af12bf851d4d6bc103e3d9d1b0cf8c97c16 (AV positives: 24/56 scanned on 11/25/2016 01:44:40)
      File SHA256: 210323c1c1eb25ef67a9d66ff21f9bb46c470c937bdb86f5d8ff25f429fe4a8b (AV positives: 20/56 scanned on 11/24/2016 08:16:31)
      Found malicious artifacts related to "63.55.11.16" (ASN: , Owner: ): ...
      File SHA256: 83f4baf5b5b4a08c77e37cd3e25a4af12bf851d4d6bc103e3d9d1b0cf8c97c16 (AV positives: 24/56 scanned on 11/25/2016 01:44:40)
      File SHA256: 210323c1c1eb25ef67a9d66ff21f9bb46c470c937bdb86f5d8ff25f429fe4a8b (AV positives: 20/56 scanned on 11/24/2016 08:16:32)
      Found malicious artifacts related to "63.55.11.17" (ASN: , Owner: ): ...
      File SHA256: 83f4baf5b5b4a08c77e37cd3e25a4af12bf851d4d6bc103e3d9d1b0cf8c97c16 (AV positives: 24/56 scanned on 11/25/2016 01:44:40)
      File SHA256: 210323c1c1eb25ef67a9d66ff21f9bb46c470c937bdb86f5d8ff25f429fe4a8b (AV positives: 20/56 scanned on 11/24/2016 08:16:32)
      Found malicious artifacts related to "63.55.11.18" (ASN: , Owner: ): ...
      File SHA256: 83f4baf5b5b4a08c77e37cd3e25a4af12bf851d4d6bc103e3d9d1b0cf8c97c16 (AV positives: 24/56 scanned on 11/25/2016 01:44:42)
      File SHA256: 210323c1c1eb25ef67a9d66ff21f9bb46c470c937bdb86f5d8ff25f429fe4a8b (AV positives: 20/56 scanned on 11/24/2016 08:16:33)
      Found malicious artifacts related to "63.55.11.19" (ASN: 701, Owner: MCI Communications Services, Inc. d/b/a Verizon Business): ...
      File SHA256: 83f4baf5b5b4a08c77e37cd3e25a4af12bf851d4d6bc103e3d9d1b0cf8c97c16 (AV positives: 24/56 scanned on 11/25/2016 01:44:42)
      File SHA256: 210323c1c1eb25ef67a9d66ff21f9bb46c470c937bdb86f5d8ff25f429fe4a8b (AV positives: 20/56 scanned on 11/24/2016 08:16:33) source Network Traffic relevance 10/10
  • Ransomware/Banking
    • details Deletes volume snapshots files "WMIC.exe" with commandline "%WINDIR%\system32\wbem\wmic.exe shadowcopy delete" () source Monitored Target relevance 10/10
    • details "decypt" (Source: screen_2.png, Indicator: "decrypt") source String relevance 8/10
  • Spyware/Information Retrieval
    • details Process "PING.EXE" with commandline "ping -n 1 127.0.0.1" () source Monitored Target relevance 5/10
  • System Destruction
    • details Deletes volume snapshots files "WMIC.exe" with commandline "%WINDIR%\system32\wbem\wmic.exe shadowcopy delete" () source Monitored Target relevance 10/10
  • System Security
    • details "[gt5{W0Hl+uelsxB~f!W4>ECWaP)-cDeN,$9Fc{?$v1EOk8~8!t-ZbfeA@08} FNiP<# w1;" (Indicator: "bfe") source String relevance 7/10
  • Unusual Characteristics
    • details Spawned process "" ()
      Spawned process "" ()
      Spawned process "cmd.exe" ()
      Spawned process "WMIC.exe" with commandline "%WINDIR%\system32\wbem\wmic.exe shadowcopy delete" ()
      Spawned process "mshta.exe" with commandline ""%TEMP%\_README_.hta"" ()
      Spawned process "cmd.exe" ()
      Spawned process "taskkill.exe" with commandline "taskkill /f /im "search.exe"" ()
      Spawned process "PING.EXE" with commandline "ping -n 1 127.0.0.1" () source Monitored Target relevance 8/10
  • Hiding 2 Malicious Indicators
  • Anti-Detection/Stealthyness
    • details "" set its error mode to SEM_NOOPENFILEERRORBOX source API Call relevance 8/10
  • Environment Awareness
    • details rdtsc from (PID: 2680) () source Hybrid Analysis Technology relevance 10/10
    • details Found dropped filename "PSPUBWS.contact" containing the Windows username "PSPUBWS" source Extracted File relevance 5/10
    • details "" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
      "WMIC.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
      "mshta.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
      "taskkill.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
      "PING.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME") source Registry Access relevance 5/10
    • details "" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
      "WMIC.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
      "mshta.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
      "taskkill.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID") source Registry Access relevance 10/10
  • General
    • details "" read file "%USERPROFILE%\Desktop\desktop.ini"
      "" read file "%USERPROFILE%\Users\PSPUBWS\Downloads\desktop.ini" source API Call relevance 4/10
    • details "UDP connection to 63.55.11.0" "UDP connection to 63.55.11.1" "UDP connection to 63.55.11.2" "UDP connection to 63.55.11.3" "UDP connection to 63.55.11.4" "UDP connection to 63.55.11.5" "UDP connection to 63.55.11.6" "UDP connection to 63.55.11.7" "UDP connection to 63.55.11.8" "UDP connection to 63.55.11.9" "UDP connection to 63.55.11.10" "UDP connection to 63.55.11.11" "UDP connection to 63.55.11.12" "UDP connection to 63.55.11.13" "UDP connection to 63.55.11.14" "UDP connection to 63.55.11.15" "UDP connection to 63.55.11.16" "UDP connection to 63.55.11.17" "UDP connection to 63.55.11.18" "UDP connection to 63.55.11.19" source Network Traffic relevance 7/10
  • Installation/Persistance
    • details "System.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows" source Extracted File relevance 10/10
    • details "" wrote 11776 bytes starting with PE header signature to file "%TEMP%\nsnE652.tmp\System.dll": 4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000000000000000000000000000e00000000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000 ... source API Call relevance 10/10
  • Network Related
    • details "185.109.144.18"
      "148.251.6.214"
      Heuristic match: ""
      Heuristic match: ""
      Heuristic match: ""
      Heuristic match: "... _lcid="1033" _version="14.0.4762.1000"-->"
      Heuristic match: "ping -n 1 127.0.0.1" source String relevance 3/10
    • details Found user agent(s): Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) source Network Traffic relevance 10/10
  • Ransomware/Banking
    • details "It is normal because the files' names and the data in your files have been encrypted by "Cerber Ransomware"." (Source: _README_.hta, Indicator: "files have been encrypted")
      "The only way to decrypt your files safely is to buy the special decryption software "Cerber Decryptor"." (Source: _README_.hta, Indicator: "decrypt your files")
      "The instructions ("*.hta") in the folders with your encrypted files are not viruses! The instructions ("*.hta") will help you to decrypt your files." (Source: _README_.hta, Indicator: "decrypt your files") source String relevance 7/10
  • Remote Access Related
    • details "%WINDIR%\system32\wbem\wmic.exe shadowcopy delete" (Indicator: "wmic.exe")
      "%WINDIR%\system32\wbem\wmic.exe shadowcopy delete" (Indicator: "wmic.exe") source String relevance 10/10
  • Spyware/Information Retrieval
    • details [email protected] from (PID: 2680) () source Hybrid Analysis Technology relevance 5/10
    • details [email protected] from (PID: 2156) () source Hybrid Analysis Technology relevance 10/10
    • details Process "WMIC.exe" with commandline "%WINDIR%\system32\wbem\wmic.exe shadowcopy delete" () source Monitored Target relevance 3/10
  • System Destruction
    • details "C:\search.exe" marked "%TEMP%\nshE5E3.tmp" for deletion
      "C:\search.exe" marked "%TEMP%\nsnE652.tmp" for deletion source API Call relevance 10/10
    • details "" opened "%TEMP%\nshE5E3.tmp" with delete access
      "" opened "%TEMP%\nsnE652.tmp" with delete access
      "" opened "C:\MSOCache\All Users\{90140000-0012-0000-0000-0000000FF1CE}-C\Office64WW.xml" with delete access
      "" opened "C:\MSOCache\All Users\{90140000-0012-0000-0000-0000000FF1CE}-C\Setup.xml" with delete access
      "" opened "C:\MSOCache\All Users\{90140000-0012-0000-0000-0000000FF1CE}-C\StandardWW.xml" with delete access
      "" opened "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml" with delete access
      "" opened "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml" with delete access
      "" opened "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml" with delete access
      "" opened "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml" with delete access
      "" opened "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.xml" with delete access
      "" opened "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Setup.xml" with delete access source API Call relevance 7/10
  • System Security
    • details [email protected] from (PID: 2680) () source Hybrid Analysis Technology relevance 10/10
    • details "" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
      "" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
      "mshta.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
      "mshta.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
      "mshta.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYENABLE"; Value: "00000000")
      "mshta.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYSERVER")
      "mshta.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYOVERRIDE") source Registry Access relevance 10/10
    • details "" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
      "mshta.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK") source Registry Access relevance 8/10
  • Unusual Characteristics
    • details OpenProcessToken
      RegCloseKey  
      RegCreateKeyExW  
      RegDeleteKeyW  
      RegDeleteValueW  
      RegEnumKeyW  
      RegOpenKeyExW  
      CopyFileW  
      CreateDirectoryW  
      CreateFileW  
      CreateProcessW  
      CreateThread  
      DeleteFileW  
      FindFirstFileW  
      FindNextFileW  
      GetCommandLineW  
      GetFileAttributesW  
      GetFileSize  
      GetModuleFileNameW  
      GetModuleHandleA  
      GetModuleHandleW  
      GetProcAddress  
      GetTempFileNameW  
      GetTempPathW  
      GetTickCount  
      LoadLibraryExW  
      Sleep  
      WriteFile  
      ShellExecuteW  
      FindWindowExW  
      LoadLibraryW  
      VirtualAlloc  
      VirtualProtect source Static Parser relevance 1/10  
    • details "" wrote bytes "4d372977f99c287778eb277718612a77fa8b2777d33329770e452977a41d2977d0d92877e8d92877013c2977e19c28772b452977b62f29774123287700bf2877000000006d42c07700000000ec227b7799e5787700000000" to virtual address "0x10003000" (part of module "SYSTEM.DLL")
      "" wrote bytes "0857537604785c760000000051c14c7794984c77ee9c4c7775dc4e77273e4e77efb252770000000046ce2877013d297738ed2977cfcd287731232877de2f2977c4ca287780bb287752ba28779fbb287792bb287746ba28770abf287700000000" to virtual address "0x6F071000" (part of module "SHFOLDER.DLL")
      "" wrote bytes "c2000000" to virtual address "0x1000405C" (part of module "SYSTEM.DLL")
      "" wrote bytes "92e6a87779a8ad77be72ad77d62dad771de2a87705a2ad77bee3a877616fad776841ab770050ab7700000000ad3720778b2d2077b641207700000000" to virtual address "0x750E1000" (part of module "WSHTCPIP.DLL")
      "" wrote bytes "0857537604785c760000000051c14c7794984c77ee9c4c7775dc4e77273e4e77efb252770000000046ce2877013d297738ed2977cfcd287731232877de2f2977c4ca287780bb287752ba28779fbb287792bb287746ba28770abf287700000000" to virtual address "0x6EEA1000" (part of module "SHFOLDER.DLL")
      "" wrote bytes "10994c7700000000653cad77c855ac7700000000d0bb287780122977d62dad7700000000" to virtual address "0x71781000" (part of module "KSUSER.DLL")
      "" wrote bytes "4053ab775858ac77186aac77653cad770000000000bf28770000000056cc2877000000007cca2877000000003768c5756a2cad77d62dad77000000002069c5750000000029a6287700000000a48dc57500000000f70e287700000000" to virtual address "0x77151000" (part of module "NSI.DLL")
      "WMIC.exe" wrote bytes "4053ab775858ac77186aac77653cad770000000000bf28770000000056cc2877000000007cca2877000000003768c5756a2cad77d62dad77000000002069c5750000000029a6287700000000a48dc57500000000f70e287700000000" to virtual address "0x77151000" (part of module "NSI.DLL")
      "taskkill.exe" wrote bytes "4053ab775858ac77186aac77653cad770000000000bf28770000000056cc2877000000007cca2877000000003768c5756a2cad77d62dad77000000002069c5750000000029a6287700000000a48dc57500000000f70e287700000000" to virtual address "0x77151000" (part of module "NSI.DLL") source Hook Detection relevance 10/10
    • details "" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
      "cmd.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
      "mshta.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409") source Registry Access relevance 3/10
  • Hiding 6 Suspicious Indicators
  • Environment Awareness
    • details [email protected] from (PID: 2680) () source Hybrid Analysis Technology relevance 1/10
    • details Found API call [email protected] (Target: "search.exe"; Stream UID: "00018421-00002156-45012-1-004032A0") which is directly followed by "cmp ax, 00000006h" and "je 004032E6h". See related instructions: "... +41 call dword ptr [004080ACh] ;GetVersion +47 cmp ax, 00000006h +51 je 004032E6h" ... from (PID: 2156) ()
      Found API call [email protected] (Target: "search.exe"; Stream UID: "00019703-00002680-50976-137-0040945B") which is directly followed by "cmp dword ptr [ebp-00000110h], 06h" and "jc 004094ACh". See related instructions: "... +50 call dword ptr [00411214h] ;GetVersionExW +56 cmp dword ptr [ebp-00000110h], 06h +63 jc 004094ACh" ... from (PID: 2680) ()
      Found API call [email protected] (Target: "search.exe"; Stream UID: "00019703-00002680-50976-138-0040A371") which is directly followed by "cmp dword ptr [ebp-0000011Ch], 05h" and "jnbe 0040A3B9h". See related instructions: "... +50 call dword ptr [00411214h] ;GetVersionExW +56 cmp dword ptr [ebp-0000011Ch], 05h +63 jnbe 0040A3B9h" ... from (PID: 2680) () source Hybrid Analysis Technology relevance 10/10
    • details [email protected] from (PID: 2680) () source Hybrid Analysis Technology relevance 1/10
  • General
    • details "btc.blockr.io"
      "ffoqr3ug7m726zou.5a2a7e.top" source Network Traffic relevance 1/10  
    • details "63.55.11.0:6892" "63.55.11.1:6892" "63.55.11.2:6892" "63.55.11.3:6892" "63.55.11.4:6892" "63.55.11.5:6892" "63.55.11.6:6892" "63.55.11.7:6892" "63.55.11.8:6892" "63.55.11.9:6892" "63.55.11.10:6892" "63.55.11.11:6892" "63.55.11.12:6892" "63.55.11.13:6892" "63.55.11.14:6892" "63.55.11.15:6892" "63.55.11.16:6892" "63.55.11.17:6892" "63.55.11.18:6892" "63.55.11.19:6892" source Network Traffic relevance 1/10
    • details "" created file "%TEMP%\vlh_logo.jpg"
      "" created file "%TEMP%\logo1113197316.png"
      "" created file "%TEMP%\pQuC118PA8"
      "" created file "%TEMP%\scripts.js"
      "" created file "%TEMP%\google-places-reviews.min.css"
      "" created file "%TEMP%\favicon.ico794559375.x-icon"
      "" created file "%TEMP%\feed1037456222.rss+xml"
      "" created file "%TEMP%\IZmid6b2AG2nKskE7GA2.sGgnGJ3KUP"
      "" created file "%TEMP%\nsnE652.tmp\System.dll"
      "" created file "%TEMP%\e47c61d2\480e.tmp"
      "" created file "%TEMP%\e47c61d2\1dae.tmp" source API Call relevance 1/10
    • details "\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
      "\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
      "\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
      "\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
      "\Sessions\1\BaseNamedObjects\shell.{D566BE1D-5877-3E2B-03B3-B843CE1F7988}"
      "\Sessions\1\BaseNamedObjects\Local\HKEY_LOCAL_MACHINE_SOFTWARE_Microsoft_Speech_Voices_Tokens_MS-Anna-1033-20-DSK_Mutex"
      "\Sessions\1\BaseNamedObjects\Local\HKEY_LOCAL_MACHINE_SOFTWARE_Microsoft_Speech_Voices_Tokens_MS-Anna-1033-20-DSK_Lex_Mutex"
      "\Sessions\1\BaseNamedObjects\Local\HKEY_CURRENT_USER_SOFTWARE_Microsoft_Speech_CurrentUserLexicon_Mutex"
      "\Sessions\1\BaseNamedObjects\Local\30F1B4D6-EEDA-11d2-9C23-00C04F8EF87C"
      "\Sessions\1\BaseNamedObjects\Local\{9D29F3EC-5BAA-4900-B3F7-9826A3E4A441}-Mutex"
      "\Sessions\1\BaseNamedObjects\Local\HKEY_LOCAL_MACHINE_SOFTWARE_Microsoft_Speech_PhoneConverters_Tokens_Chinese_Mutex"
      "\Sessions\1\BaseNamedObjects\Local\HKEY_LOCAL_MACHINE_SOFTWARE_Microsoft_Speech_PhoneConverters_Tokens_English_Mutex"
      "\Sessions\1\BaseNamedObjects\Local\HKEY_LOCAL_MACHINE_SOFTWARE_Microsoft_Speech_PhoneConverters_Tokens_French_Mutex"
      "\Sessions\1\BaseNamedObjects\Local\HKEY_LOCAL_MACHINE_SOFTWARE_Microsoft_Speech_PhoneConverters_Tokens_German_Mutex"
      "\Sessions\1\BaseNamedObjects\Local\HKEY_LOCAL_MACHINE_SOFTWARE_Microsoft_Speech_PhoneConverters_Tokens_Japanese_Mutex"
      "\Sessions\1\BaseNamedObjects\Local\HKEY_LOCAL_MACHINE_SOFTWARE_Microsoft_Speech_PhoneConverters_Tokens_Spanish_Mutex"
      "\Sessions\1\BaseNamedObjects\Local\HKEY_LOCAL_MACHINE_SOFTWARE_Microsoft_Speech_PhoneConverters_Tokens_TraditionalChinese_Mutex"
      "\Sessions\1\BaseNamedObjects\Local\HKEY_LOCAL_MACHINE_SOFTWARE_Microsoft_Speech_PhoneConverters_Tokens_Universal_Mutex"
      "\Sessions\1\BaseNamedObjects\Local\HKEY_LOCAL_MACHINE_SOFTWARE_Microsoft_Speech_AudioOutput_TokenEnums_MMAudioOut_Mutex"
      "\Sessions\1\BaseNamedObjects\Local\MidiMapper_modLongMessage_RefCnt" source Created Mutant relevance 3/10
    • details "GET /9C05-481F-A860-0091-BDF9?iframe HTTP/1.1 Accept: */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: ffoqr3ug7m726zou.5a2a7e.top Connection: Keep-Alive"
      "GET /api/v1/address/txs/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1480088040901 HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: btc.blockr.io Connection: Keep-Alive"  
      "GET /api/v1/tx/info/710539a9c3278e859f3db5ce59d91dd24204133c405d8ff740332d7d5997f524?_=1480088520030 HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: btc.blockr.io Connection: Keep-Alive" source Network Traffic relevance 5/10
    • details Spawned process "" ()
      Spawned process "cmd.exe" ()  
      Spawned process "WMIC.exe" with commandline "%WINDIR%\\system32\\wbem\\wmic.exe shadowcopy delete" ()  
      Spawned process "mshta.exe" with commandline ""%TEMP%\\_README_.hta"" ()  
      Spawned process "cmd.exe" ()  
      Spawned process "taskkill.exe" with commandline "taskkill /f /im "search.exe"" ()  
      Spawned process "PING.EXE" with commandline "ping -n 1 127.0.0.1" () source Monitored Target relevance 3/10
  • Installation/Persistance
    • details "" connecting to "\ThemeApiPort" source API Call relevance 1/10
    • details "BUSINESS.ONE" has type "data"
      "OfficeMUI.xml" has type "XML document text"  
      "System.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"  
      "_README_.hta" has type "HTML document UTF-8 Unicode text with very long lines with CRLF line terminators"  
      "NormalOld.dotm" has type "Zip archive data at least v2.0 to extract"  
      "Setup.xml" has type "XML document text"  
      "tmpBD58.bmp" has type "PC bitmap Windows 3.x format 1035 x 662 x 32"  
      "StandardWW.xml" has type "XML document text"  
      "Office64WW.xml" has type "XML document text"  
      "1dae.tmp" has type "data"  
      "favicon.ico794559375.x-icon" has type "MS Windows icon resource - 1 icon"  
      "logo1113197316.png" has type "PNG image data 190 x 70 8-bit/color RGB non-interlaced"  
      "scripts.js" has type "ASCII text with very long lines with no line terminators"  
      "BLANK.ONE" has type "data"  
      "PLANNERS.ONE" has type "data"  
      "branding.xml" has type "XML document text"  
      "IZmid6b2AG2nKskE7GA2.sGgnGJ3KUP" has type "data" source Extracted File relevance 3/10  
    • details "" touched file "%WINDIR%\\system32\\OLEACCRC.DLL"
      "" touched file "%WINDIR%\\Globalization\\Sorting\\sortdefault.nls"  
      "" touched file "%LOCALAPPDATA%\\Microsoft\\Windows\\Caches"  
      "" touched file "%LOCALAPPDATA%\\Microsoft\\Windows\\Caches\\cversions.1.db"  
      "" touched file "%LOCALAPPDATA%\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000007.db"  
      "" touched file "%WINDIR%\\SYSTEM32\\ntdll.dll"  
      "" touched file "%WINDIR%\\system32\\rsaenh.dll" source API Call relevance 7/10
  • Network Related
    • details Pattern match: "http://nsis.sf.net/NSIS_Error"
      Pattern match: "PortableApps.com/VLCSGetQP1lPortable"  
      Pattern match: "http://www.sgh.com/about/events/building-success-harnessing-process-technology-innovation-high-performance-projects"  
      Pattern match: "http://purl.org/rss/1.0/modules/content/"  
      Pattern match: "http://ffoqr3ug7m726zou.5a2a7e.top/9C05-481F-A860-0091-BDF9"  
      Pattern match: "https://www.torproject.org/download/download-easy.html.en"  
      Pattern match: "http://ffoqr3ug7m726zou.onion/9C05-481F-A860-0091-BDF9"  
      Pattern match: "https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows"  
      Pattern match: "https://www.baidu.com/s?wd=%E6%80%8E%E4%B9%88%E5%AE%89%E8%A3%85%20tor%20%E6%B5%8F%E8%A7%88%E5%99%A8"  
      Pattern match: "http://btc.blockr.io/api/v1/address/txs/"  
      Pattern match: "http://btc.blockr.io/api/v1/tx/info/"  
      Pattern match: "http://api.blockcypher.com/v1/btc/main/addrs/"  
      Pattern match: "http://api.blockcypher.com/v1/btc/main/txs/"  
      Pattern match: "https://chain.so/api/v2/get_tx_spent/btc/"  
      Pattern match: "https://chain.so/api/v2/get_tx_outputs/btc/"  
      Pattern match: "http://ffoqr3ug7m726zou.5a2a7e.top/9C05-481F-A860-0091-BDF9?iframe"  
  • Spyware/Information Retrieval
    • details "If you have any problems during installation or use of Tor Browser, please, visit https://www.youtube.com and type request in the search bar "Install Tor Browser Windows" and you will find a lot of training videos about Tor Browser installation and use." (Indicator: "youtube")
      "Tor https://www.youtube.com "install tor browser windows" " Tor" Tor ." (Indicator: "youtube")  
      "Indien uw problemen heeft tijdens de installatie of het gebruik van Tor Browser, ga dan naar https://www.youtube.com en typ in de zoekbalk install tor browser windows en u zult een heleboel training videos vinden over de installatie en het gebruik van Tor Browser." (Indicator: "youtube")  
      "Si vous avez des problèmes pendant l'installation ou l'utilisation de Tor Browser, veuillez visiter https://www.youtube.com et saisir la demande dans la barre de recherche installer la fenêtre tor browser vous y trouverez de nombreuses vidéos de formation sur l'installation et l'utilisation de Tor Browser." (Indicator: "youtube")  
      "Falls Sie während der Installation von Tor Browser Probleme haben, besuchen Sie bitte https://www.youtube.com und geben als Suchanforderung "tor browser Windows installieren" ein und Sie erhalten in den Suchergebnossen viele Anleitungsvideos über die Installation und Verwendung von Tor Browser." (Indicator: "youtube")  
      "Se si riscontrano problemi durante l'installazione o l'utilizzo di Tor Browser, visitare https://www.youtube.com e immettere "install tor browser windows" nella barra di ricerca per trovare numerosi video esplicativi sull'installazione e utilizzo di Tor Browser." (Indicator: "youtube")  
      "Tor https://www.youtube.com [install tor browser windows Tor ] Tor" (Indicator: "youtube")  
      "Tor Browser https://www.youtube.com "install tor browser windows" Tor Browser ." (Indicator: "youtube")  
      "Jeśli podczas instalacji lub użytkowania przeglądarki Tor Browser wystąpią problemy, wejdź do portalu https://www.youtube.com i wpisz w wyszukiwarce install tor browser windows, aby znaleźć filmy instruktażowe na temat instalowania i używania Tor Browser." (Indicator: "youtube")  
      "Caso tenha quaisquer problemas durante a instalação ou utilização do Tor Browser, visite https://www.youtube.com e insira o pedido na barra de pesquisa instalar janelas Tor Browser e irá encontrar imensos vídeos de formação sobre a instalação e utilização do Tor Browser." (Indicator: "youtube")  
      "Si tiene problemas durante la instalación, o durante el uso del Navegador Tor, visite https://www.youtube.com y escriba la solicitud en la barra de búsqueda "instalar para navegadores de Windows" y encontrará muchos vídeos sobre cómo instalar y usar el Navegador Tor." (Indicator: "youtube")  
      "Tor Tarayıcıyı kurarken veya kullanırken herhangi bir sorununuz olursa https://www.youtube.com adresine gidin ve arama çubuğuna install tor browser windows (tor tarayıcı windows kurulum) yazın; burada Tor Tarayıcının kurulumu ve kullanımı ile ilgili birçok eğitim videosu bulabilirsiniz." (Indicator: "youtube") source String relevance 7/10
  • System Security
    • details "" opened "\Device\KsecDD" source API Call relevance 10/10

File Details

All Details:

search.exe

Filename: search.exe
Size: 263KiB (269513 bytes)
Type: peexe executable
Description: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Architecture: WINDOWS
SHA256: d949f0f2118dc1077d9aff0b90efb81c16c7e927e153dd7f30ce1dae16bca919

Resources

Language: ENGLISH
Icon

Visualization

Input File (PortEx)

Version Info

LegalCopyright: John T. Haller
InternalName: VLC SGetQP1l Media Player Portable
FileVersion: 1.2.1.0
CompanyName: PortableApps.com (John T. Haller)
LegalTrademarks: PortableApps.com is a Trademark of Rare Ideas, LLC.
Comments: Allows VLC to be run from a removable drive. For additional details, visit PortableApps.com/VLCSGetQP1lPortable
ProductName: VLC SGetQP1l Media Player Portable
ProductVersion: 1.2.1.0
FileDescription: VLC SGetQP1l Media Player Portable
OriginalFilename: VLCSGetQP1lPortable.exe
Translation: 0x0409 0x04b0

Classification (TrID)

  • 42.2% (.EXE) Win32 Executable MS Visual C++ (generic)
  • 37.3% (.EXE) Win64 Executable (generic)
  • 8.8% (.DLL) Win32 Dynamic Link Library (generic)
  • 6.0% (.EXE) Win32 Executable (generic)
  • 2.7% (.EXE) Generic Win/DOS Executable

File Sections

Name    Entropy        Virtual Address  Virtual Size  Raw Size  MD5                               Characteristics
.text   6.48463588503  0x1000           0x637b        0x6400    4219bc0ba21196c40804cc23644c3170  -
.rdata  5.033673391    0x8000           0x14b0        0x1600    d6b0bc2db2de2a3dd996fda6539cef0e  -
.data   4.03955137722  0xa000           0x2afd8       0x600     2aa587c909999ca52be17d0f1ffbd186  -
.ndata  0              0x35000          0x15000       0x0       d41d8cd98f00b204e9800998ecf8427e  -
.rsrc   5.73291282413  0x4a000          0x7070        0x7200    bf274e323f58272a777cf52640495974  -

Screenshots

Hybrid Analysis

Analysed 8 processes in total ().

  • (PID: 2156)
    • (PID: 2680)
      • (PID: 2748)
        • %WINDIR%\system32\wbem\wmic.exe shadowcopy delete (PID: 2824)
      • "%TEMP%\_README_.hta" (PID: 1024)
      • (PID: 2128)

Network Analysis

DNS Requests

HTTP Traffic

Memory Forensics

Suricata Alerts

ET rules applied using Suricata.

Extracted Files

Displaying 25 extracted file(s). The remaining 27 file(s) are available in the full version and XML/JSON reports.

Notifications

  • Added comment to Virus Total report
  • Dropped file "_README_.hta" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/e820ab3013866ccada3ee7242cb20d01d02c819a2b163f7bed02293e0282dc7c/analysis/1480076430/")
  • Not all sources for signature ID "api-55" are available in the report
  • Not all sources for signature ID "api-9" are available in the report
  • Not all sources for signature ID "binary-0" are available in the report
  • Not all sources for signature ID "mutant-0" are available in the report
  • Not all sources for signature ID "network-1" are available in the report
  • Not all sources for signature ID "network-17" are available in the report
  • Not all sources for signature ID "network-5" are available in the report
  • Not all sources for signature ID "registry-1" are available in the report
  • Not all sources for signature ID "string-43" are available in the report
  • Not all strings are visible in the report, because the maximum number of strings was reached (5000)
  • Parsed the maximum number of dropped files (20), report might not contain information about some dropped files
