Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
bRlvBJEl6T.exe

Overview

General Information

Sample name:bRlvBJEl6T.exe
renamed because original name is a hash value
Original sample name:4efb38b934e4247c49ac1de662b4fe2c.exe
Analysis ID:1437978
MD5:4efb38b934e4247c49ac1de662b4fe2c
SHA1:121fe04be542a55b4ce6716d792e9ce4e8a5c0ae
SHA256:46b8ec4f65622595233743e8277a2980f69f866e6edd3a2ec610d0f2872a1e5f
Tags:exe
Infos:

Detection

Vidar
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Search for Antivirus process
Yara detected AntiVM3
Yara detected Vidar stealer
C2 URLs / IPs found in malware configuration
Drops PE files with a suspicious file extension
Machine Learning detection for dropped file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
OS version to string mapping found (often used in BOTs)
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • bRlvBJEl6T.exe (PID: 916 cmdline: "C:\Users\user\Desktop\bRlvBJEl6T.exe" MD5: 4EFB38B934E4247C49AC1DE662B4FE2C)
    • cmd.exe (PID: 7180 cmdline: "C:\Windows\System32\cmd.exe" /k move Classics Classics.cmd & Classics.cmd & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 7252 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 7260 cmdline: findstr /I "wrsa.exe opssvc.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • tasklist.exe (PID: 7296 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 7304 cmdline: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 7340 cmdline: cmd /c md 334343 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • findstr.exe (PID: 7356 cmdline: findstr /V "BbcAdvisorsAndaleNowhere" Lease MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 7372 cmdline: cmd /c copy /b Pharmacy + Experiences + Creating 334343\e MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Holdem.pif (PID: 7388 cmdline: 334343\Holdem.pif 334343\e MD5: 6EE7DDEBFF0A2B78C7AC30F6E00D1D11)
      • PING.EXE (PID: 7404 cmdline: ping -n 5 127.0.0.1 MD5: B3624DD758CCECF93A1226CEF252CA12)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
VidarVidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: Vidar

{"C2 url": ["https://steamcommunity.com/profiles/76561199680449169"], "Botnet": "94a10776e7ea3334ad5fb8a76bbebf42", "Version": "9.3"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000A.00000003.3135450130.00000000038AB000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_Vidar_1Yara detected Vidar stealerJoe Security
    0000000A.00000002.4096902193.00000000011D6000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_Vidar_1Yara detected Vidar stealerJoe Security
      0000000A.00000003.3135086350.00000000011D7000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_Vidar_1Yara detected Vidar stealerJoe Security
        0000000A.00000002.4096786614.00000000010B0000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_Vidar_1Yara detected Vidar stealerJoe Security
          0000000A.00000003.3135223602.0000000001141000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_Vidar_1Yara detected Vidar stealerJoe Security
            Click to see the 8 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            10.2.Holdem.pif.1025bd8.1.raw.unpackJoeSecurity_Vidar_1Yara detected Vidar stealerJoe Security
              10.2.Holdem.pif.1025bd8.1.raw.unpackINDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulationDetects executables containing potential Windows Defender anti-emulation checksditekSHen
              • 0x1f3f8:$s1: JohnDoe
              • 0x1f3f0:$s2: HAL9TH
              10.2.Holdem.pif.1025bd8.1.unpackJoeSecurity_Vidar_1Yara detected Vidar stealerJoe Security
                10.2.Holdem.pif.1025bd8.1.unpackINDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulationDetects executables containing potential Windows Defender anti-emulation checksditekSHen
                • 0x1e7f8:$s1: JohnDoe
                • 0x1e7f0:$s2: HAL9TH
                10.2.Holdem.pif.38a0000.2.unpackJoeSecurity_Vidar_1Yara detected Vidar stealerJoe Security
                  Click to see the 1 entries

                  Sigma Signatures

                  System Summary

                  barindex
                  Sigma detected: Execution of Suspicious File Type Extension
                  Source: Process startedAuthor: Max Altgelt (Nextron Systems): Data: Command: 334343\Holdem.pif 334343\e, CommandLine: 334343\Holdem.pif 334343\e, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pif, NewProcessName: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pif, OriginalFileName: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pif, ParentCommandLine: "C:\Windows\System32\cmd.exe" /k move Classics Classics.cmd & Classics.cmd & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7180, ParentProcessName: cmd.exe, ProcessCommandLine: 334343\Holdem.pif 334343\e, ProcessId: 7388, ProcessName: Holdem.pif

                  HIPS / PFW / Operating System Protection Evasion

                  barindex
                  Sigma detected: Search for Antivirus process
                  Source: Process startedAuthor: Joe Security: Data: Command: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" , CommandLine: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /k move Classics Classics.cmd & Classics.cmd & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7180, ParentProcessName: cmd.exe, ProcessCommandLine: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" , ProcessId: 7304, ProcessName: findstr.exe

                  Snort Signatures

                  No Snort rule has matched

                  Joe Sandbox Signatures

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection

                  barindex
                  Found malware configuration
                  Source: 0000000A.00000002.4096902193.00000000011D6000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199680449169"], "Botnet": "94a10776e7ea3334ad5fb8a76bbebf42", "Version": "9.3"}
                  Multi AV Scanner detection for domain / URL
                  Source: https://65.108.152.56:9000/(Virustotal: Detection: 10%Perma Link
                  Source: https://65.108.152.56:9000/DVirustotal: Detection: 6%Perma Link
                  Multi AV Scanner detection for submitted file
                  Source: bRlvBJEl6T.exeVirustotal: Detection: 56%Perma Link
                  Source: bRlvBJEl6T.exeReversingLabs: Detection: 39%
                  Machine Learning detection for dropped file
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifJoe Sandbox ML: detected

                  Compliance

                  barindex
                  Detected unpacking (creates a PE file in dynamic memory)
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifUnpacked PE file: 10.2.Holdem.pif.10000000.3.unpack
                  Source: bRlvBJEl6T.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                  Source: unknownHTTPS traffic detected: 23.195.238.96:443 -> 192.168.2.4:49743 version: TLS 1.2
                  Source: bRlvBJEl6T.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: Holdem.pif, 0000000A.00000002.4098090275.00000000063C1000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4100893997.0000000010218000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.10.dr
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeCode function: 0_2_0040689E FindFirstFileW,FindClose,
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeCode function: 0_2_00405C4D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeCode function: 0_2_00402930 FindFirstFileW,
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00B04005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00B0494A GetFileAttributesW,FindFirstFileW,FindClose,
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00B0C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00B0CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00B0CD14 FindFirstFileW,FindClose,
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00B0F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00B0F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00B0FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00B03CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,
                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Microsoft\
                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\
                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Windows\
                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\
                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\
                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\

                  Networking

                  barindex
                  C2 URLs / IPs found in malware configuration
                  Source: Malware configuration extractorURLs: https://steamcommunity.com/profiles/76561199680449169
                  Uses ping.exe to check the status of other devices and networks
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
                  Source: global trafficTCP traffic: 192.168.2.4:49744 -> 65.108.152.56:9000
                  Source: global trafficHTTP traffic detected: GET /profiles/76561199680449169 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
                  Source: Joe Sandbox ViewIP Address: 65.108.152.56 65.108.152.56
                  Source: Joe Sandbox ViewIP Address: 23.195.238.96 23.195.238.96
                  Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.108.152.56
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.108.152.56
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.108.152.56
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.108.152.56
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.108.152.56
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.108.152.56
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.108.152.56
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.108.152.56
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.108.152.56
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.108.152.56
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.108.152.56
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.108.152.56
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.108.152.56
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.108.152.56
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.108.152.56
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.108.152.56
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.108.152.56
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.108.152.56
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.108.152.56
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.108.152.56
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.108.152.56
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.108.152.56
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.108.152.56
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.108.152.56
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.108.152.56
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.108.152.56
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.108.152.56
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.108.152.56
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.108.152.56
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.108.152.56
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.108.152.56
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.108.152.56
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.108.152.56
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.108.152.56
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.108.152.56
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.108.152.56
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.108.152.56
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.108.152.56
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.108.152.56
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.108.152.56
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.108.152.56
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.108.152.56
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.108.152.56
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.108.152.56
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.108.152.56
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.108.152.56
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.108.152.56
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.108.152.56
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.108.152.56
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.108.152.56
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00B129BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile,
                  Source: global trafficHTTP traffic detected: GET /profiles/76561199680449169 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
                  Source: global trafficDNS traffic detected: DNS query: ekyLBwoLvc.ekyLBwoLvc
                  Source: global trafficDNS traffic detected: DNS query: steamcommunity.com
                  Source: bRlvBJEl6T.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                  Source: bRlvBJEl6T.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                  Source: bRlvBJEl6T.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                  Source: bRlvBJEl6T.exeString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                  Source: Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                  Source: bRlvBJEl6T.exe, 00000000.00000003.1638072683.0000000002784000.00000004.00000020.00020000.00000000.sdmp, bRlvBJEl6T.exe, 00000000.00000002.1728936111.0000000000414000.00000004.00000001.01000000.00000003.sdmp, Holdem.pif.1.dr, Returned.0.drString found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
                  Source: bRlvBJEl6T.exe, 00000000.00000003.1638072683.0000000002784000.00000004.00000020.00020000.00000000.sdmp, bRlvBJEl6T.exe, 00000000.00000002.1728936111.0000000000414000.00000004.00000001.01000000.00000003.sdmp, Holdem.pif.1.dr, Returned.0.drString found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
                  Source: bRlvBJEl6T.exe, 00000000.00000003.1638072683.0000000002784000.00000004.00000020.00020000.00000000.sdmp, bRlvBJEl6T.exe, 00000000.00000002.1728936111.0000000000414000.00000004.00000001.01000000.00000003.sdmp, Holdem.pif.1.dr, Returned.0.drString found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
                  Source: bRlvBJEl6T.exe, 00000000.00000003.1638072683.0000000002784000.00000004.00000020.00020000.00000000.sdmp, bRlvBJEl6T.exe, 00000000.00000002.1728936111.0000000000414000.00000004.00000001.01000000.00000003.sdmp, Holdem.pif.1.dr, Returned.0.drString found in binary or memory: http://crl.globalsign.net/root-r3.crl0
                  Source: bRlvBJEl6T.exeString found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
                  Source: bRlvBJEl6T.exeString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                  Source: bRlvBJEl6T.exeString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                  Source: bRlvBJEl6T.exeString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                  Source: bRlvBJEl6T.exeString found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
                  Source: Holdem.pif, 0000000A.00000002.4096629893.0000000000FF2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
                  Source: Holdem.pif, 0000000A.00000002.4096599303.0000000000EFA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                  Source: bRlvBJEl6T.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
                  Source: bRlvBJEl6T.exeString found in binary or memory: http://ocsp.comodoca.com0
                  Source: bRlvBJEl6T.exeString found in binary or memory: http://ocsp.digicert.com0A
                  Source: bRlvBJEl6T.exeString found in binary or memory: http://ocsp.digicert.com0C
                  Source: bRlvBJEl6T.exeString found in binary or memory: http://ocsp.digicert.com0X
                  Source: bRlvBJEl6T.exeString found in binary or memory: http://ocsp.sectigo.com0
                  Source: bRlvBJEl6T.exe, 00000000.00000003.1638072683.0000000002784000.00000004.00000020.00020000.00000000.sdmp, bRlvBJEl6T.exe, 00000000.00000002.1728936111.0000000000414000.00000004.00000001.01000000.00000003.sdmp, Holdem.pif.1.dr, Returned.0.drString found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
                  Source: bRlvBJEl6T.exe, 00000000.00000003.1638072683.0000000002784000.00000004.00000020.00020000.00000000.sdmp, bRlvBJEl6T.exe, 00000000.00000002.1728936111.0000000000414000.00000004.00000001.01000000.00000003.sdmp, Holdem.pif.1.dr, Returned.0.drString found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
                  Source: bRlvBJEl6T.exe, 00000000.00000003.1638072683.0000000002784000.00000004.00000020.00020000.00000000.sdmp, bRlvBJEl6T.exe, 00000000.00000002.1728936111.0000000000414000.00000004.00000001.01000000.00000003.sdmp, Holdem.pif.1.dr, Returned.0.drString found in binary or memory: http://ocsp2.globalsign.com/rootr306
                  Source: bRlvBJEl6T.exeString found in binary or memory: http://s.symcb.com/universal-root.crl0
                  Source: bRlvBJEl6T.exeString found in binary or memory: http://s.symcd.com06
                  Source: bRlvBJEl6T.exe, 00000000.00000003.1638072683.0000000002784000.00000004.00000020.00020000.00000000.sdmp, bRlvBJEl6T.exe, 00000000.00000002.1728936111.0000000000414000.00000004.00000001.01000000.00000003.sdmp, Holdem.pif.1.dr, Returned.0.drString found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
                  Source: bRlvBJEl6T.exe, 00000000.00000003.1638072683.0000000002784000.00000004.00000020.00020000.00000000.sdmp, bRlvBJEl6T.exe, 00000000.00000002.1728936111.0000000000414000.00000004.00000001.01000000.00000003.sdmp, Holdem.pif.1.dr, Returned.0.drString found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
                  Source: Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drString found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
                  Source: Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drString found in binary or memory: http://store.steampowered.com/privacy_agreement/
                  Source: Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drString found in binary or memory: http://store.steampowered.com/subscriber_agreement/
                  Source: bRlvBJEl6T.exeString found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
                  Source: bRlvBJEl6T.exeString found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
                  Source: bRlvBJEl6T.exeString found in binary or memory: http://ts-ocsp.ws.symantec.com0;
                  Source: bRlvBJEl6T.exe, 00000000.00000003.1633480344.00000000027A0000.00000004.00000020.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4096293678.0000000000B69000.00000002.00000001.01000000.00000005.sdmp, Holdem.pif.1.dr, Supervision.0.drString found in binary or memory: http://www.autoitscript.com/autoit3/J
                  Source: Holdem.pif, 0000000A.00000002.4100958828.000000001024D000.00000002.00001000.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4098090275.00000000063C1000.00000004.00000800.00020000.00000000.sdmp, sqlx[1].dll.10.drString found in binary or memory: http://www.sqlite.org/copyright.html.
                  Source: Holdem.pif, 0000000A.00000002.4096850193.0000000001140000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drString found in binary or memory: http://www.valvesoftware.com/legal.htm
                  Source: Holdem.pif, 0000000A.00000002.4096902193.0000000001205000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://65.108.152.56/
                  Source: 76561199680449169[1].htm.10.drString found in binary or memory: https://65.108.152.56:9000
                  Source: Holdem.pif, 0000000A.00000002.4097018307.000000000131C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://65.108.152.56:9000/
                  Source: Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://65.108.152.56:9000/(
                  Source: Holdem.pif, 0000000A.00000002.4096967324.0000000001273000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://65.108.152.56:9000/)
                  Source: Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://65.108.152.56:9000/.152.56:9000/softokn3.dllessionKeyBackwarda_1
                  Source: Holdem.pif, 0000000A.00000002.4097018307.000000000131C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://65.108.152.56:9000/A
                  Source: Holdem.pif, 0000000A.00000002.4097018307.000000000131C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://65.108.152.56:9000/B
                  Source: Holdem.pif, 0000000A.00000002.4097018307.000000000131C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://65.108.152.56:9000/D
                  Source: Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://65.108.152.56:9000/f35bosoft
                  Source: Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://65.108.152.56:9000/freebl3.dll
                  Source: Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://65.108.152.56:9000/freebl3.dllB
                  Source: Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://65.108.152.56:9000/freebl3.dllEdge
                  Source: Holdem.pif, 0000000A.00000002.4096967324.0000000001273000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://65.108.152.56:9000/i
                  Source: Holdem.pif, 0000000A.00000002.4097499400.00000000039C8000.00000040.00001000.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://65.108.152.56:9000/mozglue.dll
                  Source: Holdem.pif, 0000000A.00000002.4097499400.00000000039C8000.00000040.00001000.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://65.108.152.56:9000/mozglue.dllEdge
                  Source: Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://65.108.152.56:9000/msvcp140.dll
                  Source: Holdem.pif, 0000000A.00000002.4097499400.00000000039CE000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://65.108.152.56:9000/msvcp140.dlldge
                  Source: Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://65.108.152.56:9000/nss3.dll
                  Source: Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://65.108.152.56:9000/nss3.dll-
                  Source: Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://65.108.152.56:9000/nss3.dll_
                  Source: Holdem.pif, 0000000A.00000002.4096967324.0000000001273000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://65.108.152.56:9000/nss3.dlldll
                  Source: Holdem.pif, 0000000A.00000002.4097499400.00000000039CE000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://65.108.152.56:9000/nss3.dllft
                  Source: Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://65.108.152.56:9000/soft
                  Source: Holdem.pif, 0000000A.00000002.4096967324.0000000001273000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000039CE000.00000040.00001000.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://65.108.152.56:9000/softokn3.dll
                  Source: Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://65.108.152.56:9000/softokn3.dll1
                  Source: Holdem.pif, 0000000A.00000002.4096967324.0000000001273000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://65.108.152.56:9000/softokn3.dll?
                  Source: Holdem.pif, 0000000A.00000002.4097499400.00000000039CE000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://65.108.152.56:9000/softokn3.dlldge
                  Source: Holdem.pif, 0000000A.00000002.4096902193.0000000001205000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000039C8000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://65.108.152.56:9000/sqlx.dll
                  Source: Holdem.pif, 0000000A.00000002.4096629893.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000039CE000.00000040.00001000.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097180640.00000000013F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://65.108.152.56:9000/vcruntime140.dll
                  Source: Holdem.pif, 0000000A.00000002.4097180640.00000000013F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://65.108.152.56:9000/vcruntime140.dll3
                  Source: Holdem.pif, 0000000A.00000002.4096629893.0000000000F32000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://65.108.152.56:9000/vcruntime140.dll=cv6
                  Source: Holdem.pif, 0000000A.00000002.4097499400.00000000039CE000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://65.108.152.56:9000/vcruntime140.dll_7)
                  Source: Holdem.pif, 0000000A.00000002.4097499400.00000000039CE000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://65.108.152.56:9000/vcruntime140.dllser
                  Source: Holdem.pif, 0000000A.00000002.4097180640.00000000013F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://65.108.152.56:9000/vcruntime140.dllw
                  Source: Holdem.pif, 0000000A.00000002.4097499400.0000000003A0C000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://65.108.152.56:90005f35ble
                  Source: Holdem.pif, 0000000A.00000002.4097499400.0000000003AA6000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://65.108.152.56:9000acrosoft
                  Source: Holdem.pif, 0000000A.00000002.4097499400.0000000003A0C000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://65.108.152.56:9000el
                  Source: Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://65.108.152.56:9000ing
                  Source: Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://65.108.152.56:9000l
                  Source: Holdem.pif, 0000000A.00000002.4097499400.0000000003A0C000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://65.108.152.56:9000vcruntime140.dllUser
                  Source: JJJKEHCA.10.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                  Source: 76561199680449169[1].htm.10.drString found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
                  Source: JJJKEHCA.10.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                  Source: JJJKEHCA.10.drString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                  Source: JJJKEHCA.10.drString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                  Source: Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic
                  Source: Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=L7WZiiqgcxXO&a
                  Source: Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
                  Source: Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
                  Source: Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
                  Source: Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh
                  Source: Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
                  Source: Holdem.pif, 0000000A.00000002.4096850193.0000000001140000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drString found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
                  Source: Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drString found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
                  Source: Holdem.pif, 0000000A.00000002.4096850193.0000000001140000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
                  Source: Holdem.pif, 0000000A.00000002.4096850193.0000000001140000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=ZQOnBoEs
                  Source: Holdem.pif, 0000000A.00000002.4096850193.0000000001140000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=rG2l
                  Source: Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=B7Vsdo1okyaC&l=english
                  Source: Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
                  Source: Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=L35TrLJDfqtD&l=engl
                  Source: Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
                  Source: Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=Iy1ies1ROjUT&l=english
                  Source: Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
                  Source: Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
                  Source: Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
                  Source: Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
                  Source: Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=yXrh2LzpDwct&l=e
                  Source: Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
                  Source: 76561199680449169[1].htm.10.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
                  Source: Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=SPpMitTYp6ku&l=en
                  Source: Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
                  Source: Holdem.pif, 0000000A.00000002.4096850193.0000000001140000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
                  Source: Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
                  Source: Holdem.pif, 0000000A.00000002.4096850193.0000000001140000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
                  Source: Holdem.pif, 0000000A.00000002.4096850193.0000000001140000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
                  Source: Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
                  Source: Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
                  Source: Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
                  Source: bRlvBJEl6T.exeString found in binary or memory: https://d.symcb.com/cps0%
                  Source: bRlvBJEl6T.exeString found in binary or memory: https://d.symcb.com/rpa0
                  Source: bRlvBJEl6T.exeString found in binary or memory: https://d.symcb.com/rpa0.
                  Source: JJJKEHCA.10.drString found in binary or memory: https://duckduckgo.com/ac/?q=
                  Source: JJJKEHCA.10.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
                  Source: JJJKEHCA.10.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                  Source: Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drString found in binary or memory: https://help.steampowered.com/en/
                  Source: bRlvBJEl6T.exeString found in binary or memory: https://sectigo.com/CPS0
                  Source: 76561199680449169[1].htm.10.drString found in binary or memory: https://steamcommunity.com/
                  Source: Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drString found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
                  Source: Holdem.pif, 0000000A.00000002.4096786614.00000000010DF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/A
                  Source: Holdem.pif, 0000000A.00000002.4096850193.0000000001140000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drString found in binary or memory: https://steamcommunity.com/discussions/
                  Source: Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drString found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
                  Source: 76561199680449169[1].htm.10.drString found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199680449169
                  Source: Holdem.pif, 0000000A.00000002.4096850193.0000000001140000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drString found in binary or memory: https://steamcommunity.com/market/
                  Source: Holdem.pif, 0000000A.00000002.4096850193.0000000001140000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drString found in binary or memory: https://steamcommunity.com/my/wishlist/
                  Source: Holdem.pif, 0000000A.00000002.4096629893.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4096902193.00000000011D6000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000003.3135450130.00000000038AB000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000003.3135086350.00000000011D7000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4096786614.00000000010B0000.00000004.00000020.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000003.3135223602.0000000001141000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038A1000.00000040.00001000.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4096629893.0000000001006000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199680449169
                  Source: Holdem.pif, 0000000A.00000002.4096850193.0000000001140000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drString found in binary or memory: https://steamcommunity.com/profiles/76561199680449169/badges
                  Source: Holdem.pif, 0000000A.00000002.4096850193.0000000001140000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drString found in binary or memory: https://steamcommunity.com/profiles/76561199680449169/inventory/
                  Source: Holdem.pif, 0000000A.00000002.4096629893.0000000000F32000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199680449169I~
                  Source: Holdem.pif, 0000000A.00000002.4096786614.00000000010DF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/q
                  Source: Holdem.pif, 0000000A.00000002.4096850193.0000000001140000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drString found in binary or memory: https://steamcommunity.com/workshop/
                  Source: 76561199680449169[1].htm.10.drString found in binary or memory: https://store.steampowered.com/
                  Source: 76561199680449169[1].htm.10.drString found in binary or memory: https://store.steampowered.com/about/
                  Source: Holdem.pif, 0000000A.00000002.4096850193.0000000001140000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drString found in binary or memory: https://store.steampowered.com/explore/
                  Source: Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drString found in binary or memory: https://store.steampowered.com/legal/
                  Source: Holdem.pif, 0000000A.00000002.4096850193.0000000001140000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drString found in binary or memory: https://store.steampowered.com/mobile
                  Source: Holdem.pif, 0000000A.00000002.4096850193.0000000001140000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drString found in binary or memory: https://store.steampowered.com/news/
                  Source: Holdem.pif, 0000000A.00000002.4096850193.0000000001140000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drString found in binary or memory: https://store.steampowered.com/points/shop/
                  Source: Holdem.pif, 0000000A.00000002.4096850193.0000000001140000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drString found in binary or memory: https://store.steampowered.com/privacy_agreement/
                  Source: Holdem.pif, 0000000A.00000002.4096850193.0000000001140000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drString found in binary or memory: https://store.steampowered.com/stats/
                  Source: Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drString found in binary or memory: https://store.steampowered.com/steam_refunds/
                  Source: Holdem.pif, 0000000A.00000002.4096850193.0000000001140000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drString found in binary or memory: https://store.steampowered.com/subscriber_agreement/
                  Source: Holdem.pif, 0000000A.00000002.4097499400.00000000039CE000.00000040.00001000.00020000.00000000.sdmp, FIJKEHJJ.10.drString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
                  Source: FIJKEHJJ.10.drString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
                  Source: Holdem.pif, 0000000A.00000002.4097499400.00000000039CE000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ost.exe
                  Source: Holdem.pif, 0000000A.00000002.4097499400.00000000039CE000.00000040.00001000.00020000.00000000.sdmp, FIJKEHJJ.10.drString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
                  Source: FIJKEHJJ.10.drString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
                  Source: Holdem.pif, 0000000A.00000002.4097499400.00000000039CE000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe
                  Source: Holdem.pif, 0000000A.00000002.4096902193.00000000011D6000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000003.3135450130.00000000038AB000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000003.3135086350.00000000011D7000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4096786614.00000000010B0000.00000004.00000020.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000003.3135223602.0000000001141000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038A1000.00000040.00001000.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4096629893.0000000001006000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/r1g1o
                  Source: bRlvBJEl6T.exe, 00000000.00000003.1638072683.0000000002784000.00000004.00000020.00020000.00000000.sdmp, bRlvBJEl6T.exe, 00000000.00000002.1728936111.0000000000414000.00000004.00000001.01000000.00000003.sdmp, Holdem.pif.1.dr, Returned.0.drString found in binary or memory: https://www.autoitscript.com/autoit3/
                  Source: JJJKEHCA.10.drString found in binary or memory: https://www.ecosia.org/newtab/
                  Source: Returned.0.drString found in binary or memory: https://www.globalsign.com/repository/0
                  Source: bRlvBJEl6T.exe, 00000000.00000003.1638072683.0000000002784000.00000004.00000020.00020000.00000000.sdmp, bRlvBJEl6T.exe, 00000000.00000002.1728936111.0000000000414000.00000004.00000001.01000000.00000003.sdmp, Holdem.pif.1.dr, Returned.0.drString found in binary or memory: https://www.globalsign.com/repository/06
                  Source: JJJKEHCA.10.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                  Source: Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=T
                  Source: Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drString found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49743
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49743 -> 443
                  Source: unknownHTTPS traffic detected: 23.195.238.96:443 -> 192.168.2.4:49743 version: TLS 1.2
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeCode function: 0_2_00405705 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00B14830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00B14632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00B00508 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00B2D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

                  System Summary

                  barindex
                  Malicious sample detected (through community Yara rule)
                  Source: 10.2.Holdem.pif.1025bd8.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
                  Source: 10.2.Holdem.pif.1025bd8.1.unpack, type: UNPACKEDPEMatched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
                  Source: 10.2.Holdem.pif.38a0000.2.unpack, type: UNPACKEDPEMatched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifProcess Stats: CPU usage > 49%
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00B042D5: CreateFileW,DeviceIoControl,CloseHandle,
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00AF8F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeCode function: 0_2_0040351C EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,ExitProcess,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00B05778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeCode function: 0_2_00406C5F
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00AAB020
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00AA94E0
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00AA9C80
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00AC23F5
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00B28400
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00AD6502
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00AAE6F0
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00AD265E
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00AC282A
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00AD89BF
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00B20A3A
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00AD6A74
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00AB0BE0
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00AFEDB2
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00ACCD51
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00B20EB7
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00B08E44
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00AD6FE6
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00AC33B7
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00ACF409
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00ABD45D
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00AAF6A0
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00AC16B4
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00ABF628
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00AA1663
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00AC78C3
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00AC1BA8
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00ACDBA5
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00AD9CE5
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00ABDD28
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00AC1FC0
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00ACBFD6
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_1000174E
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_101DD209
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_10001C9E
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_1000251D
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_10002018
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_1000292D
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_1000290A
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_100012A8
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_10002AA9
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_1000209F
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_10002C98
                  Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pif 865347471135BB5459AD0E647E75A14AD91424B6F13A5C05D9ECD9183A8A1CF4
                  Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqlx[1].dll 036A57102385D7F0D7B2DEACF932C1C372AE30D924365B7A88F8A26657DD7550
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: String function: 00AC8B30 appears 42 times
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: String function: 00AB1A36 appears 34 times
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: String function: 00AC0D17 appears 70 times
                  Source: bRlvBJEl6T.exeStatic PE information: invalid certificate
                  Source: bRlvBJEl6T.exe, 00000000.00000003.1633480344.00000000027A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameAutoIt3.exeB vs bRlvBJEl6T.exe
                  Source: bRlvBJEl6T.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                  Source: 10.2.Holdem.pif.1025bd8.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
                  Source: 10.2.Holdem.pif.1025bd8.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
                  Source: 10.2.Holdem.pif.38a0000.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
                  Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@22/22@2/3
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00B0A6AD GetLastError,FormatMessageW,
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeCode function: 0_2_0040351C EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,ExitProcess,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00AF8DE9 AdjustTokenPrivileges,CloseHandle,
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00AF9399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeCode function: 0_2_004049B1 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00B04148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeCode function: 0_2_004021CF CoCreateInstance,
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00B0443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\OilJump to behavior
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7188:120:WilError_03
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeFile created: C:\Users\user\AppData\Local\Temp\nspC981.tmpJump to behavior
                  Source: bRlvBJEl6T.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                  Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeFile read: C:\Users\desktop.iniJump to behavior
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: Holdem.pif, 0000000A.00000002.4098090275.00000000063C1000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4100893997.0000000010218000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.10.drBinary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                  Source: Holdem.pif, 0000000A.00000002.4098090275.00000000063C1000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4100893997.0000000010218000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.10.drBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                  Source: Holdem.pif, 0000000A.00000002.4098090275.00000000063C1000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4100893997.0000000010218000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.10.drBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                  Source: Holdem.pif, 0000000A.00000002.4098090275.00000000063C1000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4100893997.0000000010218000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.10.drBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                  Source: Holdem.pif, 0000000A.00000002.4098090275.00000000063C1000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4100893997.0000000010218000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.10.drBinary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
                  Source: Holdem.pif, 0000000A.00000002.4098090275.00000000063C1000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4100893997.0000000010218000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.10.drBinary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
                  Source: Holdem.pif, 0000000A.00000002.4098090275.00000000063C1000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4100893997.0000000010218000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.10.drBinary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
                  Source: Holdem.pif, 0000000A.00000002.4098090275.00000000063C1000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4100893997.0000000010218000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.10.drBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                  Source: Holdem.pif, 0000000A.00000002.4098090275.00000000063C1000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4100893997.0000000010218000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.10.drBinary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
                  Source: JJECAAEHCFIEBGCBGHIE.10.drBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                  Source: Holdem.pif, 0000000A.00000002.4098090275.00000000063C1000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4100893997.0000000010218000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.10.drBinary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
                  Source: Holdem.pif, 0000000A.00000002.4098090275.00000000063C1000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4100893997.0000000010218000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.10.drBinary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
                  Source: bRlvBJEl6T.exeVirustotal: Detection: 56%
                  Source: bRlvBJEl6T.exeReversingLabs: Detection: 39%
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeFile read: C:\Users\user\Desktop\bRlvBJEl6T.exeJump to behavior
                  Source: unknownProcess created: C:\Users\user\Desktop\bRlvBJEl6T.exe "C:\Users\user\Desktop\bRlvBJEl6T.exe"
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Classics Classics.cmd & Classics.cmd & exit
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c md 334343
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /V "BbcAdvisorsAndaleNowhere" Lease
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Pharmacy + Experiences + Creating 334343\e
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pif 334343\Holdem.pif 334343\e
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Classics Classics.cmd & Classics.cmd & exit
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c md 334343
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /V "BbcAdvisorsAndaleNowhere" Lease
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Pharmacy + Experiences + Creating 334343\e
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pif 334343\Holdem.pif 334343\e
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeSection loaded: userenv.dll
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeSection loaded: apphelp.dll
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeSection loaded: propsys.dll
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeSection loaded: dwmapi.dll
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeSection loaded: oleacc.dll
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeSection loaded: ntmarta.dll
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeSection loaded: version.dll
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeSection loaded: shfolder.dll
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeSection loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeSection loaded: wldp.dll
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeSection loaded: riched20.dll
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeSection loaded: usp10.dll
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeSection loaded: msls31.dll
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeSection loaded: textinputframework.dll
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeSection loaded: coreuicomponents.dll
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeSection loaded: coremessaging.dll
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeSection loaded: wintypes.dll
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeSection loaded: wintypes.dll
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeSection loaded: wintypes.dll
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeSection loaded: textshaping.dll
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeSection loaded: profapi.dll
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeSection loaded: edputil.dll
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeSection loaded: urlmon.dll
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeSection loaded: iertutil.dll
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeSection loaded: srvcli.dll
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeSection loaded: netutils.dll
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeSection loaded: windows.staterepositoryps.dll
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeSection loaded: sspicli.dll
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeSection loaded: appresolver.dll
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeSection loaded: bcp47langs.dll
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeSection loaded: slc.dll
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeSection loaded: sppc.dll
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeSection loaded: onecorecommonproxystub.dll
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeSection loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dll
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dll
                  Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
                  Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
                  Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
                  Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
                  Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
                  Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dll
                  Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dll
                  Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
                  Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dll
                  Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dll
                  Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dll
                  Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dll
                  Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dll
                  Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
                  Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
                  Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
                  Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
                  Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
                  Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dll
                  Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dll
                  Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
                  Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dll
                  Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dll
                  Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dll
                  Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dll
                  Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dll
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifSection loaded: wsock32.dll
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifSection loaded: version.dll
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifSection loaded: winmm.dll
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifSection loaded: mpr.dll
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifSection loaded: wininet.dll
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifSection loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifSection loaded: userenv.dll
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifSection loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifSection loaded: wldp.dll
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifSection loaded: napinsp.dll
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifSection loaded: pnrpnsp.dll
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifSection loaded: wshbth.dll
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifSection loaded: nlaapi.dll
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifSection loaded: mswsock.dll
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifSection loaded: dnsapi.dll
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifSection loaded: winrnr.dll
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifSection loaded: rasadhlp.dll
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifSection loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifSection loaded: rstrtmgr.dll
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifSection loaded: ncrypt.dll
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifSection loaded: ntasn1.dll
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifSection loaded: dbghelp.dll
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifSection loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifSection loaded: profapi.dll
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifSection loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifSection loaded: winhttp.dll
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifSection loaded: winnsi.dll
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifSection loaded: urlmon.dll
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifSection loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifSection loaded: netutils.dll
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifSection loaded: fwpuclnt.dll
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifSection loaded: schannel.dll
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifSection loaded: mskeyprotect.dll
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifSection loaded: msasn1.dll
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifSection loaded: dpapi.dll
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifSection loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifSection loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifSection loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifSection loaded: gpapi.dll
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifSection loaded: ncryptsslp.dll
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifSection loaded: wbemcomn.dll
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifSection loaded: amsi.dll
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifSection loaded: ntmarta.dll
                  Source: C:\Windows\SysWOW64\PING.EXESection loaded: iphlpapi.dll
                  Source: C:\Windows\SysWOW64\PING.EXESection loaded: winnsi.dll
                  Source: C:\Windows\SysWOW64\PING.EXESection loaded: mswsock.dll
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: bRlvBJEl6T.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: Holdem.pif, 0000000A.00000002.4098090275.00000000063C1000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4100893997.0000000010218000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.10.dr

                  Data Obfuscation

                  barindex
                  Detected unpacking (creates a PE file in dynamic memory)
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifUnpacked PE file: 10.2.Holdem.pif.10000000.3.unpack
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00B1C6D9 LoadLibraryA,GetProcAddress,
                  Source: sqlx[1].dll.10.drStatic PE information: section name: .00cfg
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00AC8B75 push ecx; ret
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_100010C8 push ecx; ret

                  Persistence and Installation Behavior

                  barindex
                  Drops PE files with a suspicious file extension
                  Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifJump to dropped file
                  Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifJump to dropped file
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqlx[1].dllJump to dropped file
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00B259B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00AB5EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00AC33B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  barindex
                  Yara detected AntiVM3
                  Source: Yara matchFile source: Process Memory Space: Holdem.pif PID: 7388, type: MEMORYSTR
                  Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                  Source: Holdem.pif, 0000000A.00000002.4097499400.00000000038A1000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: HAL9THJOHNDOEAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL
                  Source: Holdem.pif, 0000000A.00000002.4096629893.0000000001006000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: AHAL9THJOHNDOEAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL
                  Uses ping.exe to sleep
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqlx[1].dllJump to dropped file
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifAPI coverage: 4.0 %
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeCode function: 0_2_0040689E FindFirstFileW,FindClose,
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeCode function: 0_2_00405C4D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeCode function: 0_2_00402930 FindFirstFileW,
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00B04005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00B0494A GetFileAttributesW,FindFirstFileW,FindClose,
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00B0C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00B0CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00B0CD14 FindFirstFileW,FindClose,
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00B0F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00B0F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00B0FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00B03CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00AB5D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,
                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Microsoft\
                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\
                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Windows\
                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\
                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\
                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\
                  Source: Holdem.pif, 0000000A.00000002.4096850193.0000000001140000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4096902193.000000000121C000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4096629893.0000000001006000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                  Source: Holdem.pif, 0000000A.00000002.4096348440.0000000000D25000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
                  Source: bRlvBJEl6T.exe, 00000000.00000002.1729149028.00000000006B8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:==,
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeAPI call chain: ExitProcess graph end node
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifProcess information queried: ProcessInformation
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00B145D5 BlockInput,
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00AB5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00AD5CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00B1C6D9 LoadLibraryA,GetProcAddress,
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00AF88CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,
                  Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: Debug
                  Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: Debug
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00ACA385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00ACA354 SetUnhandledExceptionFilter,
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00AF9369 LogonUserW,
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00AB5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00B01AC6 SendInput,keybd_event,
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00B051E2 mouse_event,
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Classics Classics.cmd & Classics.cmd & exit
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c md 334343
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /V "BbcAdvisorsAndaleNowhere" Lease
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Pharmacy + Experiences + Creating 334343\e
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pif 334343\Holdem.pif 334343\e
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00AF88CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00B04F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid,
                  Source: bRlvBJEl6T.exe, 00000000.00000003.1633480344.0000000002792000.00000004.00000020.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4096226694.0000000000B56000.00000002.00000001.01000000.00000005.sdmp, Holdem.pif.1.dr, Supervision.0.drBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                  Source: Holdem.pifBinary or memory string: Shell_TrayWnd
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00AC885B cpuid
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: EnumSystemLocalesW,
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifQueries volume information: C:\ VolumeInformation
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifQueries volume information: C:\ VolumeInformation
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00AE0030 GetLocalTime,__swprintf,
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00AE0722 GetUserNameW,
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00AD416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,
                  Source: C:\Users\user\Desktop\bRlvBJEl6T.exeCode function: 0_2_0040351C EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,ExitProcess,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
                  Source: Holdem.pif, 0000000A.00000002.4096629893.0000000001055000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

                  Stealing of Sensitive Information

                  barindex
                  Yara detected Vidar stealer
                  Source: Yara matchFile source: 10.2.Holdem.pif.1025bd8.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 10.2.Holdem.pif.1025bd8.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 10.2.Holdem.pif.38a0000.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0000000A.00000003.3135450130.00000000038AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000A.00000002.4096902193.00000000011D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000A.00000003.3135086350.00000000011D7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000A.00000002.4096786614.00000000010B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000A.00000003.3135223602.0000000001141000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000A.00000003.3135523275.00000000013A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000A.00000002.4097499400.00000000038A1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000A.00000003.3135596733.0000000001141000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000A.00000003.3135031847.00000000013A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000A.00000002.4096629893.0000000001006000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: Holdem.pif PID: 7388, type: MEMORYSTR
                  Tries to harvest and steal browser information (history, passwords, etc)
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                  Source: Holdem.pifBinary or memory string: WIN_81
                  Source: Holdem.pifBinary or memory string: WIN_XP
                  Source: Holdem.pifBinary or memory string: WIN_XPe
                  Source: Holdem.pifBinary or memory string: WIN_VISTA
                  Source: Holdem.pifBinary or memory string: WIN_7
                  Source: Holdem.pifBinary or memory string: WIN_8
                  Source: Supervision.0.drBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 4USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
                  Source: Yara matchFile source: Process Memory Space: Holdem.pif PID: 7388, type: MEMORYSTR

                  Remote Access Functionality

                  barindex
                  Yara detected Vidar stealer
                  Source: Yara matchFile source: 10.2.Holdem.pif.1025bd8.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 10.2.Holdem.pif.1025bd8.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 10.2.Holdem.pif.38a0000.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0000000A.00000003.3135450130.00000000038AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000A.00000002.4096902193.00000000011D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000A.00000003.3135086350.00000000011D7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000A.00000002.4096786614.00000000010B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000A.00000003.3135223602.0000000001141000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000A.00000003.3135523275.00000000013A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000A.00000002.4097499400.00000000038A1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000A.00000003.3135596733.0000000001141000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000A.00000003.3135031847.00000000013A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000A.00000002.4096629893.0000000001006000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: Holdem.pif PID: 7388, type: MEMORYSTR
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00B1696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pifCode function: 10_2_00B16E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,

                  Mitre Att&ck Matrix

                  ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                  Gather Victim Identity InformationAcquire Infrastructure2
                  Valid Accounts                  		11
                  Windows Management Instrumentation                  		1
                  DLL Side-Loading                  		1
                  Exploitation for Privilege Escalation                  		1
                  Disable or Modify Tools                  		1
                  OS Credential Dumping                  		2
                  System Time Discovery                  		Remote Services1
                  Archive Collected Data                  		2
                  Ingress Tool Transfer                  		Exfiltration Over Other Network Medium1
                  System Shutdown/Reboot
                  CredentialsDomainsDefault Accounts1
                  Native API                  		2
                  Valid Accounts                  		1
                  DLL Side-Loading                  		1
                  Deobfuscate/Decode Files or Information                  		21
                  Input Capture                  		1
                  Account Discovery                  		Remote Desktop Protocol1
                  Data from Local System                  		11
                  Encrypted Channel                  		Exfiltration Over BluetoothNetwork Denial of Service
                  Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)2
                  Valid Accounts                  		2
                  Obfuscated Files or Information                  		Security Account Manager3
                  File and Directory Discovery                  		SMB/Windows Admin Shares21
                  Input Capture                  		1
                  Non-Standard Port                  		Automated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook21
                  Access Token Manipulation                  		1
                  Software Packing                  		NTDS36
                  System Information Discovery                  		Distributed Component Object Model3
                  Clipboard Data                  		2
                  Non-Application Layer Protocol                  		Traffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script12
                  Process Injection                  		1
                  DLL Side-Loading                  		LSA Secrets151
                  Security Software Discovery                  		SSHKeylogging13
                  Application Layer Protocol                  		Scheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts11
                  Masquerading                  		Cached Domain Credentials4
                  Process Discovery                  		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items2
                  Valid Accounts                  		DCSync1
                  Application Window Discovery                  		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                  Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job21
                  Access Token Manipulation                  		Proc Filesystem1
                  System Owner/User Discovery                  		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                  Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt12
                  Process Injection                  		/etc/passwd and /etc/shadow1
                  Remote System Discovery                  		Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                  IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCronDynamic API ResolutionNetwork Sniffing1
                  System Network Configuration Discovery                  		Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement

                  Behavior Graph

                  Hide Legend

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
                  behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1437978 Sample: bRlvBJEl6T.exe Startdate: 08/05/2024 Architecture: WINDOWS Score: 100 29 steamcommunity.com 2->29 31 ekyLBwoLvc.ekyLBwoLvc 2->31 47 Multi AV Scanner detection for domain / URL 2->47 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 5 other signatures 2->53 8 bRlvBJEl6T.exe 35 2->8         started        signatures3 process4 process5 10 cmd.exe 2 8->10         started        file6 25 C:\Users\user\AppData\Local\...\Holdem.pif, PE32 10->25 dropped 55 Uses ping.exe to sleep 10->55 57 Drops PE files with a suspicious file extension 10->57 59 Uses ping.exe to check the status of other devices and networks 10->59 14 Holdem.pif 29 10->14         started        19 PING.EXE 1 10->19         started        21 cmd.exe 2 10->21         started        23 7 other processes 10->23 signatures7 process8 dnsIp9 33 65.108.152.56, 49744, 49745, 49746 ALABANZA-BALTUS United States 14->33 35 steamcommunity.com 23.195.238.96, 443, 49743 AKAMAI-ASUS United States 14->35 27 C:\Users\user\AppData\Local\...\sqlx[1].dll, PE32 14->27 dropped 39 Detected unpacking (creates a PE file in dynamic memory) 14->39 41 Machine Learning detection for dropped file 14->41 43 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 14->43 45 Tries to harvest and steal browser information (history, passwords, etc) 14->45 37 127.0.0.1 unknown unknown 19->37 file10 signatures11

                  Screenshots

                  Thumbnails

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                  windows-stand

                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  SourceDetectionScannerLabelLink
                  bRlvBJEl6T.exe56%VirustotalBrowse
                  bRlvBJEl6T.exe39%ReversingLabsWin32.Trojan.Nekark

                  Dropped Files

                  SourceDetectionScannerLabelLink
                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pif100%Joe Sandbox ML
                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pif7%ReversingLabs
                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqlx[1].dll0%ReversingLabs

                  Unpacked PE Files

                  No Antivirus matches

                  Domains

                  No Antivirus matches

                  URLs

                  SourceDetectionScannerLabelLink
                  http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s0%URL Reputationsafe
                  https://65.108.152.56:9000/(0%Avira URL Cloudsafe
                  https://65.108.152.56:9000/mozglue.dll0%Avira URL Cloudsafe
                  https://65.108.152.56:90000%Avira URL Cloudsafe
                  https://65.108.152.56:9000/)0%Avira URL Cloudsafe
                  https://65.108.152.56:9000/softokn3.dlldge0%Avira URL Cloudsafe
                  http://ocsp.sectigo.com00%URL Reputationsafe
                  http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#0%URL Reputationsafe
                  https://65.108.152.56:9000/nss3.dll_0%Avira URL Cloudsafe
                  https://65.108.152.56:90000%VirustotalBrowse
                  https://65.108.152.56:9000/vcruntime140.dll0%Avira URL Cloudsafe
                  https://65.108.152.56:9000/(11%VirustotalBrowse
                  https://65.108.152.56:9000/vcruntime140.dllw0%Avira URL Cloudsafe
                  https://65.108.152.56:9000/nss3.dll0%Avira URL Cloudsafe
                  https://65.108.152.56:9000/nss3.dllft0%Avira URL Cloudsafe
                  https://65.108.152.56:9000el0%Avira URL Cloudsafe
                  https://65.108.152.56:9000/freebl3.dll0%Avira URL Cloudsafe
                  https://65.108.152.56:9000/i0%Avira URL Cloudsafe
                  https://65.108.152.56:9000/f35bosoft0%Avira URL Cloudsafe
                  https://65.108.152.56:9000/D0%Avira URL Cloudsafe
                  https://community.akamai.steamstatic0%Avira URL Cloudsafe
                  https://65.108.152.56:9000/soft0%Avira URL Cloudsafe
                  https://65.108.152.56:9000/softokn3.dll0%Avira URL Cloudsafe
                  https://65.108.152.56:9000/0%Avira URL Cloudsafe
                  https://65.108.152.56:9000/mozglue.dllEdge0%Avira URL Cloudsafe
                  https://65.108.152.56:9000/B0%Avira URL Cloudsafe
                  https://65.108.152.56:9000/D7%VirustotalBrowse
                  https://65.108.152.56:9000/vcruntime140.dllser0%Avira URL Cloudsafe
                  https://65.108.152.56:9000ing0%Avira URL Cloudsafe
                  https://65.108.152.56:9000/A0%Avira URL Cloudsafe
                  https://65.108.152.56/0%Avira URL Cloudsafe
                  https://65.108.152.56:9000/vcruntime140.dll_7)0%Avira URL Cloudsafe
                  https://65.108.152.56:9000/vcruntime140.dll=cv60%Avira URL Cloudsafe
                  https://65.108.152.56:9000/freebl3.dllB0%Avira URL Cloudsafe
                  https://65.108.152.56:9000/.152.56:9000/softokn3.dllessionKeyBackwarda_10%Avira URL Cloudsafe
                  https://65.108.152.56:9000l0%Avira URL Cloudsafe
                  https://65.108.152.56:9000/msvcp140.dll0%Avira URL Cloudsafe
                  https://65.108.152.56:9000/0%VirustotalBrowse

                  Domains and IPs

                  Contacted Domains

                  NameIPActiveMaliciousAntivirus DetectionReputation
                  steamcommunity.com
                  		23.195.238.96
                  		truefalse
                    		high
                    ekyLBwoLvc.ekyLBwoLvc
                    		unknown
                    		unknownfalse
                      		unknown

                      Contacted URLs

                      NameMaliciousAntivirus DetectionReputation
                      https://steamcommunity.com/profiles/76561199680449169false
                        		high

                        URLs from Memory and Binaries

                        NameSourceMaliciousAntivirus DetectionReputation
                        https://duckduckgo.com/chrome_newtabJJJKEHCA.10.drfalse
                          		high
                          https://65.108.152.56:9000/(Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmpfalse
                          • 11%, Virustotal, Browse
                          • Avira URL Cloud: safe
                          		unknown
                          https://65.108.152.56:9000/)Holdem.pif, 0000000A.00000002.4096967324.0000000001273000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://duckduckgo.com/ac/?q=JJJKEHCA.10.drfalse
                            		high
                            https://steamcommunity.com/?subsection=broadcastsHoldem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drfalse
                              		high
                              https://65.108.152.56:9000/mozglue.dllHoldem.pif, 0000000A.00000002.4097499400.00000000039C8000.00000040.00001000.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              https://65.108.152.56:9000/softokn3.dlldgeHoldem.pif, 0000000A.00000002.4097499400.00000000039CE000.00000040.00001000.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              https://65.108.152.56:900076561199680449169[1].htm.10.drfalse
                              • 0%, Virustotal, Browse
                              • Avira URL Cloud: safe
                              		unknown
                              https://store.steampowered.com/subscriber_agreement/Holdem.pif, 0000000A.00000002.4096850193.0000000001140000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drfalse
                                		high
                                https://65.108.152.56:9000/vcruntime140.dllHoldem.pif, 0000000A.00000002.4096629893.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000039CE000.00000040.00001000.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097180640.00000000013F5000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6Holdem.pif, 0000000A.00000002.4096850193.0000000001140000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drfalse
                                  		high
                                  https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=L35TrLJDfqtD&amp;l=englHoldem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drfalse
                                    		high
                                    https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=ZQOnBoEsHoldem.pif, 0000000A.00000002.4096850193.0000000001140000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drfalse
                                      		high
                                      https://www.autoitscript.com/autoit3/bRlvBJEl6T.exe, 00000000.00000003.1638072683.0000000002784000.00000004.00000020.00020000.00000000.sdmp, bRlvBJEl6T.exe, 00000000.00000002.1728936111.0000000000414000.00000004.00000001.01000000.00000003.sdmp, Holdem.pif.1.dr, Returned.0.drfalse
                                        		high
                                        http://www.valvesoftware.com/legal.htmHoldem.pif, 0000000A.00000002.4096850193.0000000001140000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drfalse
                                          		high
                                          https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&ampHoldem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drfalse
                                            		high
                                            https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.pngHoldem.pif, 0000000A.00000002.4096850193.0000000001140000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drfalse
                                              		high
                                              https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=rG2lHoldem.pif, 0000000A.00000002.4096850193.0000000001140000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drfalse
                                                		high
                                                https://65.108.152.56:9000/nss3.dll_Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                https://65.108.152.56:9000/vcruntime140.dllwHoldem.pif, 0000000A.00000002.4097180640.00000000013F5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.pngHoldem.pif, 0000000A.00000002.4096850193.0000000001140000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drfalse
                                                  		high
                                                  https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exeHoldem.pif, 0000000A.00000002.4097499400.00000000039CE000.00000040.00001000.00020000.00000000.sdmpfalse
                                                    		high
                                                    https://65.108.152.56:9000/nss3.dllHoldem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    https://65.108.152.56:9000/nss3.dllftHoldem.pif, 0000000A.00000002.4097499400.00000000039CE000.00000040.00001000.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    https://community.akamai.steamstatic.com/public/javascript/global.js?v=B7Vsdo1okyaC&amp;l=englishHoldem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drfalse
                                                      		high
                                                      https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&amp;Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drfalse
                                                        		high
                                                        https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20FeedbackHoldem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drfalse
                                                          		high
                                                          https://community.akamai.steamstatic.com/public/javascript/profile.js?v=Iy1ies1ROjUT&amp;l=englishHoldem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drfalse
                                                            		high
                                                            https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=SPpMitTYp6ku&amp;l=enHoldem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drfalse
                                                              		high
                                                              https://65.108.152.56:9000elHoldem.pif, 0000000A.00000002.4097499400.0000000003A0C000.00000040.00001000.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              		low
                                                              https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tLHoldem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drfalse
                                                                		high
                                                                https://65.108.152.56:9000/freebl3.dllHoldem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                		unknown
                                                                http://www.autoitscript.com/autoit3/JbRlvBJEl6T.exe, 00000000.00000003.1633480344.00000000027A0000.00000004.00000020.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4096293678.0000000000B69000.00000002.00000001.01000000.00000005.sdmp, Holdem.pif.1.dr, Supervision.0.drfalse
                                                                  		high
                                                                  https://65.108.152.56:9000/iHoldem.pif, 0000000A.00000002.4096967324.0000000001273000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  		unknown
                                                                  https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&amp;l=englishHoldem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drfalse
                                                                    		high
                                                                    https://steamcommunity.com/qHoldem.pif, 0000000A.00000002.4096786614.00000000010DF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      		high
                                                                      http://store.steampowered.com/privacy_agreement/Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drfalse
                                                                        		high
                                                                        https://store.steampowered.com/points/shop/Holdem.pif, 0000000A.00000002.4096850193.0000000001140000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drfalse
                                                                          		high
                                                                          https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=JJJKEHCA.10.drfalse
                                                                            		high
                                                                            http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0sbRlvBJEl6T.exefalse
                                                                            • URL Reputation: safe
                                                                            		unknown
                                                                            https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Holdem.pif, 0000000A.00000002.4097499400.00000000039CE000.00000040.00001000.00020000.00000000.sdmp, FIJKEHJJ.10.drfalse
                                                                              		high
                                                                              http://nsis.sf.net/NSIS_ErrorErrorbRlvBJEl6T.exefalse
                                                                                		high
                                                                                https://steamcommunity.com/profiles/76561199680449169/badgesHoldem.pif, 0000000A.00000002.4096850193.0000000001140000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drfalse
                                                                                  		high
                                                                                  https://www.ecosia.org/newtab/JJJKEHCA.10.drfalse
                                                                                    		high
                                                                                    https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg76561199680449169[1].htm.10.drfalse
                                                                                      		high
                                                                                      https://store.steampowered.com/privacy_agreement/Holdem.pif, 0000000A.00000002.4096850193.0000000001140000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drfalse
                                                                                        		high
                                                                                        https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drfalse
                                                                                          		high
                                                                                          https://65.108.152.56:9000/f35bosoftHoldem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          		unknown
                                                                                          https://65.108.152.56:9000/DHoldem.pif, 0000000A.00000002.4097018307.000000000131C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          • 7%, Virustotal, Browse
                                                                                          • Avira URL Cloud: safe
                                                                                          		unknown
                                                                                          https://steamcommunity.com/profiles/76561199680449169I~Holdem.pif, 0000000A.00000002.4096629893.0000000000F32000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            		high
                                                                                            https://community.akamai.steamstaticHoldem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            		unknown
                                                                                            https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&amHoldem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drfalse
                                                                                              		high
                                                                                              https://65.108.152.56:9000/softHoldem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              		unknown
                                                                                              https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&amp;l=englishHoldem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drfalse
                                                                                                		high
                                                                                                https://65.108.152.56:9000/softokn3.dllHoldem.pif, 0000000A.00000002.4096967324.0000000001273000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000039CE000.00000040.00001000.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                • Avira URL Cloud: safe
                                                                                                		unknown
                                                                                                https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&amp;l=englishHoldem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drfalse
                                                                                                  		high
                                                                                                  https://65.108.152.56:9000/Holdem.pif, 0000000A.00000002.4097018307.000000000131C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  • 0%, Virustotal, Browse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  		unknown
                                                                                                  https://65.108.152.56:9000/mozglue.dllEdgeHoldem.pif, 0000000A.00000002.4097499400.00000000039C8000.00000040.00001000.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  		unknown
                                                                                                  https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.pngHoldem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drfalse
                                                                                                    		high
                                                                                                    https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ExamplesFIJKEHJJ.10.drfalse
                                                                                                      		high
                                                                                                      https://www.valvesoftware.com/en/contact?contact-person=THoldem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmpfalse
                                                                                                        		high
                                                                                                        https://65.108.152.56:9000/BHoldem.pif, 0000000A.00000002.4097018307.000000000131C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        		unknown
                                                                                                        https://65.108.152.56:9000/vcruntime140.dllserHoldem.pif, 0000000A.00000002.4097499400.00000000039CE000.00000040.00001000.00020000.00000000.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        		unknown
                                                                                                        https://65.108.152.56:9000ingHoldem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        		low
                                                                                                        https://65.108.152.56:9000/AHoldem.pif, 0000000A.00000002.4097018307.000000000131C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        		unknown
                                                                                                        https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&amp;l=englisHoldem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drfalse
                                                                                                          		high
                                                                                                          https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhCHoldem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drfalse
                                                                                                            		high
                                                                                                            https://store.steampowered.com/about/76561199680449169[1].htm.10.drfalse
                                                                                                              		high
                                                                                                              https://steamcommunity.com/my/wishlist/Holdem.pif, 0000000A.00000002.4096850193.0000000001140000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drfalse
                                                                                                                		high
                                                                                                                http://ocsp.sectigo.com0bRlvBJEl6T.exefalse
                                                                                                                • URL Reputation: safe
                                                                                                                		unknown
                                                                                                                https://65.108.152.56/Holdem.pif, 0000000A.00000002.4096902193.0000000001205000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                		unknown
                                                                                                                https://65.108.152.56:9000/vcruntime140.dll_7)Holdem.pif, 0000000A.00000002.4097499400.00000000039CE000.00000040.00001000.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                		unknown
                                                                                                                https://help.steampowered.com/en/Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drfalse
                                                                                                                  		high
                                                                                                                  https://steamcommunity.com/market/Holdem.pif, 0000000A.00000002.4096850193.0000000001140000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drfalse
                                                                                                                    		high
                                                                                                                    https://store.steampowered.com/news/Holdem.pif, 0000000A.00000002.4096850193.0000000001140000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drfalse
                                                                                                                      		high
                                                                                                                      https://65.108.152.56:9000/vcruntime140.dll=cv6Holdem.pif, 0000000A.00000002.4096629893.0000000000F32000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      • Avira URL Cloud: safe
                                                                                                                      		unknown
                                                                                                                      https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=JJJKEHCA.10.drfalse
                                                                                                                        		high
                                                                                                                        http://store.steampowered.com/subscriber_agreement/Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drfalse
                                                                                                                          		high
                                                                                                                          https://steamcommunity.com/login/home/?goto=profiles%2F7656119968044916976561199680449169[1].htm.10.drfalse
                                                                                                                            		high
                                                                                                                            https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.orgHoldem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drfalse
                                                                                                                              		high
                                                                                                                              https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Holdem.pif, 0000000A.00000002.4097499400.00000000039CE000.00000040.00001000.00020000.00000000.sdmp, FIJKEHJJ.10.drfalse
                                                                                                                                		high
                                                                                                                                http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#bRlvBJEl6T.exefalse
                                                                                                                                • URL Reputation: safe
                                                                                                                                		unknown
                                                                                                                                https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&amp;l=enHoldem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drfalse
                                                                                                                                  		high
                                                                                                                                  https://steamcommunity.com/discussions/Holdem.pif, 0000000A.00000002.4096850193.0000000001140000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drfalse
                                                                                                                                    		high
                                                                                                                                    https://65.108.152.56:9000/freebl3.dllBHoldem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    • Avira URL Cloud: safe
                                                                                                                                    		unknown
                                                                                                                                    https://t.me/r1g1oHoldem.pif, 0000000A.00000002.4096902193.00000000011D6000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000003.3135450130.00000000038AB000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000003.3135086350.00000000011D7000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4096786614.00000000010B0000.00000004.00000020.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000003.3135223602.0000000001141000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038A1000.00000040.00001000.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4096629893.0000000001006000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      		high
                                                                                                                                      https://store.steampowered.com/stats/Holdem.pif, 0000000A.00000002.4096850193.0000000001140000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drfalse
                                                                                                                                        		high
                                                                                                                                        https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drfalse
                                                                                                                                          		high
                                                                                                                                          https://store.steampowered.com/steam_refunds/Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drfalse
                                                                                                                                            		high
                                                                                                                                            https://65.108.152.56:9000/.152.56:9000/softokn3.dllessionKeyBackwarda_1Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            • Avira URL Cloud: safe
                                                                                                                                            		unknown
                                                                                                                                            https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=yXrh2LzpDwct&amp;l=eHoldem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drfalse
                                                                                                                                              		high
                                                                                                                                              https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17InstallFIJKEHJJ.10.drfalse
                                                                                                                                                		high
                                                                                                                                                https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchJJJKEHCA.10.drfalse
                                                                                                                                                  		high
                                                                                                                                                  https://65.108.152.56:9000lHoldem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                                  		low
                                                                                                                                                  https://65.108.152.56:9000/msvcp140.dllHoldem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                                  		unknown
                                                                                                                                                  https://steamcommunity.com/AHoldem.pif, 0000000A.00000002.4096786614.00000000010DF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    		high
                                                                                                                                                    https://steamcommunity.com/workshop/Holdem.pif, 0000000A.00000002.4096850193.0000000001140000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drfalse
                                                                                                                                                      		high
                                                                                                                                                      https://store.steampowered.com/legal/Holdem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drfalse
                                                                                                                                                        		high
                                                                                                                                                        https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp;l=eHoldem.pif, 0000000A.00000002.4096850193.000000000114F000.00000004.00000800.00020000.00000000.sdmp, Holdem.pif, 0000000A.00000002.4097499400.00000000038D5000.00000040.00001000.00020000.00000000.sdmp, 76561199680449169[1].htm.10.drfalse
                                                                                                                                                          		high

                                                                                                                                                          World Map of Contacted IPs

                                                                                                                                                          • No. of IPs < 25%
                                                                                                                                                          • 25% < No. of IPs < 50%
                                                                                                                                                          • 50% < No. of IPs < 75%
                                                                                                                                                          • 75% < No. of IPs

                                                                                                                                                          Public IPs

                                                                                                                                                          IPDomainCountryFlagASNASN NameMalicious
                                                                                                                                                          65.108.152.56
                                                                                                                                                          		unknownUnited States
                                                                                                                                                          		11022ALABANZA-BALTUSfalse
                                                                                                                                                          23.195.238.96
                                                                                                                                                          		steamcommunity.comUnited States
                                                                                                                                                          		16625AKAMAI-ASUSfalse

                                                                                                                                                          Private

                                                                                                                                                          IP
                                                                                                                                                          127.0.0.1

                                                                                                                                                          General Information

                                                                                                                                                          Joe Sandbox version:40.0.0 Tourmaline
                                                                                                                                                          Analysis ID:1437978
                                                                                                                                                          Start date and time:2024-05-08 09:28:08 +02:00
                                                                                                                                                          Joe Sandbox product:CloudBasic
                                                                                                                                                          Overall analysis duration:0h 9m 47s
                                                                                                                                                          Hypervisor based Inspection enabled:false
                                                                                                                                                          Report type:light
                                                                                                                                                          Cookbook file name:default.jbs
                                                                                                                                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                                                          Number of analysed new started processes analysed:16
                                                                                                                                                          Number of new started drivers analysed:0
                                                                                                                                                          Number of existing processes analysed:0
                                                                                                                                                          Number of existing drivers analysed:0
                                                                                                                                                          Number of injected processes analysed:0
                                                                                                                                                          Technologies:
                                                                                                                                                          • HCA enabled
                                                                                                                                                          • EGA enabled
                                                                                                                                                          • AMSI enabled
                                                                                                                                                          Analysis Mode:default
                                                                                                                                                          Analysis stop reason:Timeout
                                                                                                                                                          Sample name:bRlvBJEl6T.exe
                                                                                                                                                          renamed because original name is a hash value
                                                                                                                                                          Original Sample Name:4efb38b934e4247c49ac1de662b4fe2c.exe
                                                                                                                                                          Detection:MAL
                                                                                                                                                          Classification:mal100.troj.spyw.evad.winEXE@22/22@2/3
                                                                                                                                                          EGA Information:
                                                                                                                                                          • Successful, ratio: 100%
                                                                                                                                                          HCA Information:
                                                                                                                                                          • Successful, ratio: 99%
                                                                                                                                                          • Number of executed functions: 0
                                                                                                                                                          • Number of non-executed functions: 0
                                                                                                                                                          Cookbook Comments:
                                                                                                                                                          • Found application associated with file extension: .exe
                                                                                                                                                          • Override analysis time to 240000 for current running targets taking high CPU consumption

                                                                                                                                                          Warnings

                                                                                                                                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                                                                                                          • TCP Packets have been reduced to 100
                                                                                                                                                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                                                                                          • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                          • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                          • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                                                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                          • Report size getting too big, too many NtSetInformationFile calls found.

                                                                                                                                                          Simulations

                                                                                                                                                          Behavior and APIs

                                                                                                                                                          TimeTypeDescription
                                                                                                                                                          09:28:59API Interceptor4630x Sleep call for process: Holdem.pif modified

                                                                                                                                                          Joe Sandbox View / Context

                                                                                                                                                          IPs

                                                                                                                                                          No context

                                                                                                                                                          Domains

                                                                                                                                                          No context

                                                                                                                                                          ASNs

                                                                                                                                                          No context

                                                                                                                                                          JA3 Fingerprints

                                                                                                                                                          No context

                                                                                                                                                          Dropped Files

                                                                                                                                                          No context

                                                                                                                                                          Created / dropped Files

                                                                                                                                                          C:\ProgramData\FIJKEHJJ

                                                                                                                                                          Download File
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pif
                                                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):159744
                                                                                                                                                          Entropy (8bit):0.7873599747470391
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                                                                                                                                          MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                                                                                                                                          SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                                                                                                                                          SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                                                                                                                                          SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                                                                                                                                          Malicious:false
                                                                                                                                                          Reputation:high, very likely benign file
                                                                                                                                                          Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                          C:\ProgramData\GHJDGDBFCBKFHJKFHCBK

                                                                                                                                                          Download File
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pif
                                                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):49152
                                                                                                                                                          Entropy (8bit):0.8180424350137764
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                                                                          MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                                                                          SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                                                                          SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                                                                          SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                          C:\ProgramData\IIIJECAEGDHIDHJKKKKFIEGIJK

                                                                                                                                                          Download File
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pif
                                                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):28672
                                                                                                                                                          Entropy (8bit):2.5793180405395284
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                                                                                          MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                                                                                          SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                                                                                          SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                                                                                          SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                          C:\ProgramData\JEBKJDAF

                                                                                                                                                          Download File
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pif
                                                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):126976
                                                                                                                                                          Entropy (8bit):0.47147045728725767
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                                                                                                                                          MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                                                                                                                                          SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                                                                                                                                          SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                                                                                                                                          SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                          C:\ProgramData\JJECAAEHCFIEBGCBGHIE

                                                                                                                                                          Download File
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pif
                                                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):40960
                                                                                                                                                          Entropy (8bit):0.8553638852307782
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                                                          MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                                                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                                                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                                                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                          C:\ProgramData\JJJKEHCA

                                                                                                                                                          Download File
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pif
                                                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):106496
                                                                                                                                                          Entropy (8bit):1.1358696453229276
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                                                                          MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                                                                          SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                                                                          SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                                                                          SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                          C:\ProgramData\KKJJEBFC

                                                                                                                                                          Download File
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pif
                                                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                          Category:modified
                                                                                                                                                          Size (bytes):114688
                                                                                                                                                          Entropy (8bit):0.9746603542602881
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                                                                          MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                                                                          SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                                                                          SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                                                                          SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pif

                                                                                                                                                          Download File
                                                                                                                                                          Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                          Category:modified
                                                                                                                                                          Size (bytes):893608
                                                                                                                                                          Entropy (8bit):6.620254876639106
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:12288:DpVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31troPTdFqgaAV2M0L:DT3E53Myyzl0hMf1te7xaA8M0L
                                                                                                                                                          MD5:6EE7DDEBFF0A2B78C7AC30F6E00D1D11
                                                                                                                                                          SHA1:F2F57024C7CC3F9FF5F999EE20C4F5C38BFC20A2
                                                                                                                                                          SHA-256:865347471135BB5459AD0E647E75A14AD91424B6F13A5C05D9ECD9183A8A1CF4
                                                                                                                                                          SHA-512:57D56DE2BB882F491E633972003D7C6562EF2758C3731B913FF4D15379ADA575062F4DE2A48CA6D6D9241852A5B8A007F52792753FD8D8FEE85B9A218714EFD0
                                                                                                                                                          Malicious:true
                                                                                                                                                          Antivirus:
                                                                                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 7%
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R.*.R.*.R.*..C..P.*....S.*._@..a.*._@....*._@..g.*.[j..[.*.[j..w.*.R.+.r.*......*....S.*._@..S.*.R...P.*....S.*.RichR.*.........................PE..L......Z.........."...............................@.................................Jo....@...@.......@.........................|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\e

                                                                                                                                                          Download File
                                                                                                                                                          Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                          File Type:data
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):311820
                                                                                                                                                          Entropy (8bit):7.99945664422248
                                                                                                                                                          Encrypted:true
                                                                                                                                                          SSDEEP:6144:umgBywAo0a8WsSp1uOUF2BlfoIiq0xzMDa9PQ/K9mZJ/uBwDLQq0:aTt8Wsg19tHfobq0xqoYJWBeLs
                                                                                                                                                          MD5:6A9A08A897FD2567F2BE8A37AF9409C7
                                                                                                                                                          SHA1:D5905D73D5113BF28E95E387F5A885F2DC4DF670
                                                                                                                                                          SHA-256:58F7AEDBF5B73B0AD71FCFDDE89E30BF4F6CF5F1A4AA8EDCCC7DA92A81300235
                                                                                                                                                          SHA-512:841F7BBEF006D50E97D7B068A45F11E9F5DF7CA75A9C23C7C7B0DB2867B13AF01C3195A7972EF450C25FB9493CD09D0AF4C858DF0ACEB3397B851134AFAA11E3
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview:.)..G..C..xn.k.d..z.Q..)@...~./.......`;.Eu...9..ep....%.....J(H.dP..,.%?...w8Y..."...B.n.!q...M......9._......j...2..@..Yl......#....K.u|..\e".F"..y....:...$..SnR^*....WZ.G..N"..H...B..$7.u..v.C...S..u.Xrp......u^.... vh.......MI.D..o.(O.k8..+d4.z.3(w.....<w.Y.d+s..@.2.&.fw..mm..6<.!s............)..;..=...j.3#PJ...}O.T.O.T.......h.. .c...s.H}.Zo....N/......+.7..k.L.yL.....fq|6...{rK.m.{F.P..wE3...l<240l?.2.K...Z..Hk.|U.3Kv$..B2.xU...GA.o....{......7Gd.#..GA..N}.5,..t..L...9."h.H.0.vp.^.....|n.............%.F7...D.V.......s.` L...c.5F.l.E~qU_....K y..d.......>L..............'..+ ...7Y.$...........NZ...d.........2..ML...Dj......u..F.x........^....*..Aa>..S....y...{(......n.G.......&...l.U......I.>.}......}..h.!.F.....K.X......mA..;.E.@..F..&t.J.H!H].Cl...@....k...*....[F.,w<c;...l?..5C..........H.5)"..C.?...?..l+.K..EG..hK......$z.J..Fc...F...S...zI.......'.".....".,....@..RJr-&!....<.BNb...?.qn..Zu..i.?H.....h......92.Z.

                                                                                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Classics

                                                                                                                                                          Download File
                                                                                                                                                          Process:C:\Users\user\Desktop\bRlvBJEl6T.exe
                                                                                                                                                          File Type:ASCII text, with very long lines (1426), with CRLF line terminators
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):28159
                                                                                                                                                          Entropy (8bit):5.022030688278114
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:768:JE/QndS3hiWIS+e57WB3hvghsNIfuj1mGBqGBBWYt6:JJdSQ7S+epWLvEkIGxJt6
                                                                                                                                                          MD5:8F7F76574B4EA462583D058F32D53442
                                                                                                                                                          SHA1:F09D455F80917CFFB3AFAE4DC7918E70F22FA62F
                                                                                                                                                          SHA-256:DBB0AB5B95732C6704495DF674A66D09B69638F1F6DC96CD4A6B02D98D678224
                                                                                                                                                          SHA-512:5607A45B3197BE7F590920247F1701B2631B77AF97CED09B28A744306E089527E5E84E95B3F4D3B9E1C48CE1E5440A98034510E4099501A821AD0469CAB7D641
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview:Set Become=i..EKMedian Mercury Cups Prague ..JDIMeditation Nato Mutual Suspected Mardi Developing Taught Lil Absent ..rTTrEntities Gl ..JCHMouth Conditioning Ho Tolerance Committee Villa Criterion Workshops Broke ..BMMVCulture Accurate Pixel Contribute Council ..KGPokemon Know Apps Generators Alike ..UyPair Actively Gross ..HrWAdjusted Roller Description ..ushCitizen Guru Ae Flow Http Timber Talks Merchant ..Set Tanzania= ..VRXSHeroes Kenya Bleeding Tn Billing Routines Fundamental Nepal Drive ..qWxlClient Screensavers Millennium Summary Suit ..NRMuMissile Hammer Gifts Advert Instances Arrived Transparency Eur ..HkaLAlphabetical Holder Bandwidth Lighter ..XoJJBrutal Dover Bids Wma Ate ..IaOContinuous War Cottage ..Set Disciplinary=t..qrgUIde Stat Janet Spanking Indigenous Ppc Establish Soon Competition ..ULSComparisons Voices Uncertainty Developmental Divisions Wichita Suck Monster Interpreted ..rlAsks Violent Type Bloggers Halfcom Scales Motherboard Postage ..GiFFla Machines Nations Na

                                                                                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Classics.cmd (copy)

                                                                                                                                                          Download File
                                                                                                                                                          Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                          File Type:ASCII text, with very long lines (1426), with CRLF line terminators
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):28159
                                                                                                                                                          Entropy (8bit):5.022030688278114
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:768:JE/QndS3hiWIS+e57WB3hvghsNIfuj1mGBqGBBWYt6:JJdSQ7S+epWLvEkIGxJt6
                                                                                                                                                          MD5:8F7F76574B4EA462583D058F32D53442
                                                                                                                                                          SHA1:F09D455F80917CFFB3AFAE4DC7918E70F22FA62F
                                                                                                                                                          SHA-256:DBB0AB5B95732C6704495DF674A66D09B69638F1F6DC96CD4A6B02D98D678224
                                                                                                                                                          SHA-512:5607A45B3197BE7F590920247F1701B2631B77AF97CED09B28A744306E089527E5E84E95B3F4D3B9E1C48CE1E5440A98034510E4099501A821AD0469CAB7D641
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview:Set Become=i..EKMedian Mercury Cups Prague ..JDIMeditation Nato Mutual Suspected Mardi Developing Taught Lil Absent ..rTTrEntities Gl ..JCHMouth Conditioning Ho Tolerance Committee Villa Criterion Workshops Broke ..BMMVCulture Accurate Pixel Contribute Council ..KGPokemon Know Apps Generators Alike ..UyPair Actively Gross ..HrWAdjusted Roller Description ..ushCitizen Guru Ae Flow Http Timber Talks Merchant ..Set Tanzania= ..VRXSHeroes Kenya Bleeding Tn Billing Routines Fundamental Nepal Drive ..qWxlClient Screensavers Millennium Summary Suit ..NRMuMissile Hammer Gifts Advert Instances Arrived Transparency Eur ..HkaLAlphabetical Holder Bandwidth Lighter ..XoJJBrutal Dover Bids Wma Ate ..IaOContinuous War Cottage ..Set Disciplinary=t..qrgUIde Stat Janet Spanking Indigenous Ppc Establish Soon Competition ..ULSComparisons Voices Uncertainty Developmental Divisions Wichita Suck Monster Interpreted ..rlAsks Violent Type Bloggers Halfcom Scales Motherboard Postage ..GiFFla Machines Nations Na

                                                                                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Creating

                                                                                                                                                          Download File
                                                                                                                                                          Process:C:\Users\user\Desktop\bRlvBJEl6T.exe
                                                                                                                                                          File Type:data
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):104972
                                                                                                                                                          Entropy (8bit):7.998384885619153
                                                                                                                                                          Encrypted:true
                                                                                                                                                          SSDEEP:1536:CPxRRKh5gbmwTTIdDNXVAXZe0+TvwHEkP/ey0FEUruz1GGkO/Uweef2eYSAZoaa0:k/K7cuVVmZJEvEuyKZslMgDLQXa0
                                                                                                                                                          MD5:3174E5C547EC44D9E422845F62E95B6B
                                                                                                                                                          SHA1:B02BE201156CD93436BFEE9B1D8E363B14C51707
                                                                                                                                                          SHA-256:8145F63CCC2C07ED746DB82F8421E629735F6E69A4F605ABB5CF1212EDE8FCBD
                                                                                                                                                          SHA-512:80134B58FE675194BED7E9F493ABCFC804DD596C0C2EF7CB93B81A9FD1CFEB9461BFE6023B25883006A320AE49B341D8A3B0EF7618E994139AA76162CBC3498A
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview:...n>...U|9..'y=q1.7"W.h..+.,J.h...K..6R..W..Z..[.....tN.q.EG.{...Q&h....h.O5..U.....1.)..].5^.D.......?.......H......R..K\QZ..A..g..E.....i..?h...D.N.....G,..v..|/..,.....&.'......h..B|7g9_^}..P.s..7c..6+.8..;?~@.b....iR....A^.*..T......v..>......;...tW......{..c.o.M`......,..N.R...QO.E.......:..zHS....&.pZz.hf.zL.cm.T..C.(z.O.l7.0a.go1.D..B.:.n$.....`...By...4hz.Vs...w.V8..cj......~O3].$......[..@F)OK.....k>{M....D...v.>........$...<%.3;.....".f...'6.T....'.D>.........}km..k....i=?.Qy.&%C....s@..M.....R&?,....Q....8....F...|.....gY.8wA...f......B....n..K..J.K.I.*..eu[c5...{..b6,|.^Lk....}..&k...\.....N.V.....?....I.L..y.....*..AS....[...i$.7..*.:./..}...v.. i5.n|/n._wD.Q.. .$]X-..3[v...0 .6.s.UQU>.s....7.P..:....PO!!Pm.L.l...u......f..-..P.b}&..$...".....k..V...x...(..T.d...?...R...w..}2...u...{RYR.nB.[..^.L.Y`8......G...^...!.9.e.]..D....v..G.#u..v.B.n..l....h.....H{F.....F..u...H4..6..;...;....5.Z...hm..-(#..F..h|.,..B$....x.Wgd.Q..{.

                                                                                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Experiences

                                                                                                                                                          Download File
                                                                                                                                                          Process:C:\Users\user\Desktop\bRlvBJEl6T.exe
                                                                                                                                                          File Type:data
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):181248
                                                                                                                                                          Entropy (8bit):7.999061896550611
                                                                                                                                                          Encrypted:true
                                                                                                                                                          SSDEEP:3072:IzAfkCB1op89a8YnYH7f+PpHVufdUULRuTBlfEVpmiqlqkEfA+MTf8rz5UfLqL:4Ao0a8WsSp1uOUF2BlfoIiq0xzMDa9PL
                                                                                                                                                          MD5:0131A04280608465EF6A189301961FCE
                                                                                                                                                          SHA1:3E0A81F593CBE518C96D675917922F3A1D20309D
                                                                                                                                                          SHA-256:43A07113368DEAF916127480450B1B19C22EED4F367CF73B20B6BF6685D014DD
                                                                                                                                                          SHA-512:039AB3FCF9DAABEED49CE654F43CB5A7AD3CB51DCFB2293C3C028C5DF4DA29F9D2491DD69594F7F3A6C9C45106FE5240F16D5F7AA68CF19993333606BF7BDFC8
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview:._(....e..0....H.....w..uJ...j...w...KN..]4G;....$'..;....1.r.1gu....T.>.a/.:...Z.?..E....... G..a.thr..l..w.2. cY.1.q..L.^-..H.D.n..j.....m.*.......j;..B.2^b_..!C2.w.5..0.)...noK...9..a.I.z"l....)?......8..W+......h.....~[.".E&..I.V5..u9x40.?D..S.l.B..g.y....}..2...B(j.[0iRC.S-@hT.0...1.D>..a......f:.z.FO..n]Q.......<....Mb.W.I..[/...W.d.V..i.@Y.t;..Q..GO7e..h..y..J>.{.......c.(.up.7m..Z..E[.A....}..;.\4|...)....^M....w..Z....v.U........."N#..<.T5.6.WJ0i...eM.K..h......%..4..`..J....7.M...q.D..#m.C.;.h.....I...g,.5R..+!N...U.m...k....C......_...v1...r....[...K..1.5Wp..n;~.....I...L)69..[5.-.#ukZ."....I#.".1..*.."sW3...kg..0.~_w.s'/..M...6.M.6MQ...=2....e....n..G..].) ..........$..J..........._..[o*N.....#=...(.....F.r...=>.8<KJ..{.xf.....ab'Z...Z.G..ZR..{........L.%.+.w.<r......2. ..nrsM..@U.|<9.B..B..+c.|........va./' ..*w......'LOHv.H...{.$.s..c.....> .t*./...j.....X..0.3?...u..z.L...D.un~..tf. .N4<=...{v7i.a:.4......cVLW...R.?

                                                                                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\76561199680449169[1].htm

                                                                                                                                                          Download File
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pif
                                                                                                                                                          File Type:HTML document, Unicode text, UTF-8 text, with very long lines (2969), with CRLF, LF line terminators
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):34791
                                                                                                                                                          Entropy (8bit):5.385516925635591
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:768:Tdpqm+0Ih3YAA9CWGI+fcDAGPzzgiJmDzJtxvrfJkPVoEAdmPzzgiJmDzJtxvJ2E:Td8m+0Ih3YAA9CWGI+FGPzzgiJmDzJt3
                                                                                                                                                          MD5:8040A93DFD9A45D15AD3B7F63F66BB21
                                                                                                                                                          SHA1:81893F5C3BC08407441CA79FCED36A428342B7DC
                                                                                                                                                          SHA-256:A813D344FA3863810AD75CFC863CAFE246CF8C4912D14C3D3580EF3EE843D6B6
                                                                                                                                                          SHA-512:5E2346AAD0C70BA503BE86FB410E81BA4E418A34102F4B5AFC1C47E04A8FEB973B868201C7BA938D1D4F5DC855DE392483FB72E67E23785A6BDFD65E8EC5304D
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview:<!DOCTYPE html>..<html class=" responsive" lang="en">..<head>...<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.....<meta name="viewport" content="width=device-width,initial-scale=1">....<meta name="theme-color" content="#171a21">....<title>Steam Community :: p__o https://65.108.152.56:9000|</title>...<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">...........<link href="https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&amp;l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&amp;l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=SPpMitTYp6ku&amp;l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&amp;l=english" rel="stylesheet" type="text/css" >.<lin

                                                                                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqlx[1].dll

                                                                                                                                                          Download File
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pif
                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):2459136
                                                                                                                                                          Entropy (8bit):6.052474106868353
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:49152:WHoJ9zGioiMjW2RrL9B8SSpiCH7cuez9A:WHoJBGqabRnj8JY/9
                                                                                                                                                          MD5:90E744829865D57082A7F452EDC90DE5
                                                                                                                                                          SHA1:833B178775F39675FA4E55EAB1032353514E1052
                                                                                                                                                          SHA-256:036A57102385D7F0D7B2DEACF932C1C372AE30D924365B7A88F8A26657DD7550
                                                                                                                                                          SHA-512:0A2D112FF7CB806A74F5EC17FE097D28107BB497D6ED5AD28EA47E6795434BA903CDB49AAF97A9A99C08CD0411F1969CAD93031246DC107C26606A898E570323
                                                                                                                                                          Malicious:true
                                                                                                                                                          Antivirus:
                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........7.Z.Y.Z.Y.Z.Y...Z.n.Y...\..Y...]...Y...X.Y.Y.Z.X..Y.O.\.E.Y.O.].U.Y.O.Z.L.Y.l3].[.Y.l3Y.[.Y.l3..[.Y.l3[.[.Y.RichZ.Y.................PE..L...i.`e...........!...%.. .........{D........ ...............................%...........@...........................#..6....$.(.....$.......................$.....`.#.8...........................x.#.@.............$..............................text...G. ....... ................. ..`.rdata...".... ..$.... .............@..@.data...4|... $..b....#.............@....idata........$......^$.............@..@.00cfg........$......p$.............@..@.rsrc.........$......r$.............@..@.reloc..5.....$.......$.............@..B................................................................................................................................................................................................................

                                                                                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Lease

                                                                                                                                                          Download File
                                                                                                                                                          Process:C:\Users\user\Desktop\bRlvBJEl6T.exe
                                                                                                                                                          File Type:data
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):123
                                                                                                                                                          Entropy (8bit):3.9361447888719114
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:3:BMWXjQoucUqt/vllpfrYZcFTSn:BXTsHqjvVS
                                                                                                                                                          MD5:98E87874165393607B54818EA0CC0813
                                                                                                                                                          SHA1:DDDEDD925A309CB2B359EB08E678F4829EE26632
                                                                                                                                                          SHA-256:C0D3B1DBBBF02073B0E60D6CA6294C97134D13017E6332D1EE49918A4FF94A1B
                                                                                                                                                          SHA-512:127C1F7978F6C8CF321B62B5F45766A81807CEC5F778231950CA3362201CEEB914D6A84D97D1F57FF14AA34BA12C83E29B1A51B564649D0754E692EBA2DD7F8A
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview:BbcAdvisorsAndaleNowhere..MZ......................@...............................................!..L.!This program cannot

                                                                                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Oil

                                                                                                                                                          Download File
                                                                                                                                                          Process:C:\Users\user\Desktop\bRlvBJEl6T.exe
                                                                                                                                                          File Type:data
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):221184
                                                                                                                                                          Entropy (8bit):6.688977511438296
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:6144:5/12vk6AQzyMfA+eyVPlcBgtoTqnvAfcaGM:5/hMyyzlcqikvAfcNM
                                                                                                                                                          MD5:CCFF4D45B31B96AD3BFDAEE364B88C66
                                                                                                                                                          SHA1:8594F9FCD10C3BA98529175EEEB7F00B17F17F17
                                                                                                                                                          SHA-256:C1E5F515F73058A6A4AB02C95B7111001A10F933F51542258B97A53A3E56B354
                                                                                                                                                          SHA-512:DC18CAAEEA264DA603BA77C4878F260F84AC60908D41360D3DB131687C210C67AF22E77675C9ECF0C253F59386D8D0BE6CAEAA0C80D88BBADE7445939E54591C
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview:....t....G..j0Z..@I....U......x..?5|.....0H.89t....>1u..B...S....@PSV.c......3.[_^].U..QQ.E.SVW..x.......P..........................}...E...t.......t....<...%......!..u...u..E.!P.!.f.x..X...<..3.....M................E..]..s.....x&......................y.}..}..E..s...f.{._^[..].U...0.P.L.3.E..E.S.].V.E.E.WP.E.P.....YY.E.Pj.j.....u....f.."....u.C...E....E..C..E.P.u.V.......$..u..M..._.s.3.^[.*2....].3.PPPPP.........WVU3.3.D$...}.GE.T$........D$..T$..D$...}.G.T$........D$..T$...u(.L$..D$.3....D$.......d$.....d$....G..L$..T$..D$...........u.....d$...D$.....r.;T$.w.r.;D$.v.N+D$..T$.3.+D$..T$.My.............Ou.......]^_...U..M..E.......#.V.u......t$..t.j.j..J...YY...7...j.^.0........Q.u...t..&............YY3.^].U...$.M..u..H....E...t..M....E.SVW..t..}...t....|...$~.............R.........}.p.3.]....t.~..E.P...j.P..&...}.................H.....t...F..E..]...-u......F.M.....+t.M..}..].E.....C........:.....$..1.....u...0t.j._.0..<xt.<Xt.j...j._.....u...0u..

                                                                                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Pharmacy

                                                                                                                                                          Download File
                                                                                                                                                          Process:C:\Users\user\Desktop\bRlvBJEl6T.exe
                                                                                                                                                          File Type:data
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):25600
                                                                                                                                                          Entropy (8bit):7.99391195789994
                                                                                                                                                          Encrypted:true
                                                                                                                                                          SSDEEP:768:NPteSp4vUNy+Cy73dv6tamehP+JkMtXCU9y:uvyt73V6A9+JkcyU9y
                                                                                                                                                          MD5:A47F571CA70AD97D1EA1435F098A3E6C
                                                                                                                                                          SHA1:DA0F173DBF68004BF0B101A7F1B044144F707C52
                                                                                                                                                          SHA-256:EB99BFA316742ED21FA831B87DEADE8DBCD28337C6DDC77682A3E93F97B2F47E
                                                                                                                                                          SHA-512:EAB604201412F6440CD091ADF83A1E85C98BA712E61B037107A70D49D4BEBF7D60F4CD375009F8E3F1671A2D7ADF17757A04F4B6B58B401E142AC3F73BCE0858
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview:.)..G..C..xn.k.d..z.Q..)@...~./.......`;.Eu...9..ep....%.....J(H.dP..,.%?...w8Y..."...B.n.!q...M......9._......j...2..@..Yl......#....K.u|..\e".F"..y....:...$..SnR^*....WZ.G..N"..H...B..$7.u..v.C...S..u.Xrp......u^.... vh.......MI.D..o.(O.k8..+d4.z.3(w.....<w.Y.d+s..@.2.&.fw..mm..6<.!s............)..;..=...j.3#PJ...}O.T.O.T.......h.. .c...s.H}.Zo....N/......+.7..k.L.yL.....fq|6...{rK.m.{F.P..wE3...l<240l?.2.K...Z..Hk.|U.3Kv$..B2.xU...GA.o....{......7Gd.#..GA..N}.5,..t..L...9."h.H.0.vp.^.....|n.............%.F7...D.V.......s.` L...c.5F.l.E~qU_....K y..d.......>L..............'..+ ...7Y.$...........NZ...d.........2..ML...Dj......u..F.x........^....*..Aa>..S....y...{(......n.G.......&...l.U......I.>.}......}..h.!.F.....K.X......mA..;.E.@..F..&t.J.H!H].Cl...@....k...*....[F.,w<c;...l?..5C..........H.5)"..C.?...?..l+.K..EG..hK......$z.J..Fc...F...S...zI.......'.".....".,....@..RJr-&!....<.BNb...?.qn..Zu..i.?H.....h......92.Z.

                                                                                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Relatives

                                                                                                                                                          Download File
                                                                                                                                                          Process:C:\Users\user\Desktop\bRlvBJEl6T.exe
                                                                                                                                                          File Type:data
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):256000
                                                                                                                                                          Entropy (8bit):6.5083855315988846
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:3072:CDqeb2Xo2IkVvh8p65Nu+dVtqi/x4Rqf21Rgat0g/bZaUAg0FuPOKBNEBNUGXEyc:8b2M8JTDD/xcq21R1p/rAOPOei7TdFU
                                                                                                                                                          MD5:CD818EE7F8BD1F1BAE4E1822C4E41541
                                                                                                                                                          SHA1:5CC00D959325F119B026ED0E330D57FDFEE543A2
                                                                                                                                                          SHA-256:421E5FCF6246FAAE145237DAA2A0542E7A45AEA01BE75C5070770DE93CB1644F
                                                                                                                                                          SHA-512:87C34F4AD54B139DD4312C598E155A534AAFE2F408D20C13805764CB1D4AB641E300A6145E4CA2E2919D883C89600E567DF377C9C9A52DDD7438A6A1FCC66794
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview:..H...[....t........G..H..[....t........}....$......$....P..........I...........$.................d9..Y..$.....L$\...[%....$.......3..2P.=9...L$\..$..K.....#....$.....L$\..#....$.........p..$....f9.u..M..D$XP..Z...L$X.v'...,....I...t...$.....M..=Z....3.P..j..H.....{...D$...u.P.....Y.t$......Y.D$0..u.P.....Y.t$,....Y.L$8..'...L$...'...L$h..&...L$H..&...L$x..&.._^3.[..]...U...\...SVW.=..I.......P.u..M.2.......tq......h..I.P.iA..YY..tH......hx.K.P.RA..YY..t1......P....I...E..M...#......QP....I.................PV....I...u.V....I..}..............Php.K.......ty.=..I..]........tU......h..I.P..@..YY..t>......hx.K.P.@..YY..t'......P...u....u..u..u........t8hx.K........PV....I...u...V....I..._^[..]...V....I.2...3...U...\...SVW.=..I.......P.u..M.2.......t\......h..I.P..@..YY..t3......hx.K.P..?..YY..t..u..U.........P..Y................PV....I...u.V....I..}..............Php.K.......ty.=..I..]........tU......h..I.P.x?..YY..t>......hx.K.P.a?..YY..t'......P...u....u..u..u........t8hx.K...

                                                                                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Returned

                                                                                                                                                          Download File
                                                                                                                                                          Process:C:\Users\user\Desktop\bRlvBJEl6T.exe
                                                                                                                                                          File Type:data
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):44615
                                                                                                                                                          Entropy (8bit):6.996943182721781
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:768:09BSCVoyO15DuOKHnrxbxZiUCu2iPaLTQ7Q1tCwqVLwQVn8qT4O:09BBVgCOa1ZBPaPQaEwo0yv
                                                                                                                                                          MD5:F791D2356005E6538629B3BDE88B0BDC
                                                                                                                                                          SHA1:EC5EECB9515DDA66CEC06D81B2595906E5454A1A
                                                                                                                                                          SHA-256:B27657C27B957B8794EC2A6644D75578A620A0EC413E1BE8B961D0152E12BC48
                                                                                                                                                          SHA-512:0BE50D77EA1920052734BCC7319DECE0C4A741556BE621BF41B7CAC88C03497C8ADE3DF1582CDFC479AAE48278FB9DCC28EC1CF619ABE1F8F12175586229136A
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview:..............................................................................................................$.....................................|...|.......................................$.......................................0.........................e...]...]...]...]...]...]...]...]...e...........................0...............................%.....................g...]...]...]...]...]...]...]...]...]...]...]...]...f.......................%.............................................]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...].............................................................]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...................................%.................]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...................%.........................g...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...]...f.....................................

                                                                                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Rolled

                                                                                                                                                          Download File
                                                                                                                                                          Process:C:\Users\user\Desktop\bRlvBJEl6T.exe
                                                                                                                                                          File Type:data
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):231424
                                                                                                                                                          Entropy (8bit):6.583065790073281
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:3072:GCV26MqgQTc5F446iYNpK5SB7BJBzLZDKJtIs8di/37EM/j2xQeixW:Gi2VWTyFsJ8gNJBnGtINsegW
                                                                                                                                                          MD5:0FA84A1591EF7ED70FB17E1701CE0E8C
                                                                                                                                                          SHA1:3E2E21E13F1CDFA6684063BA1150251B5B2AFB0D
                                                                                                                                                          SHA-256:95DD465FA97618639D0D11556DBAA8A5F50484ADA6CF46D82B6B832CC6C2E81D
                                                                                                                                                          SHA-512:FFA3C5F8EF264CFFE1552CFD7A0BF5775E308B3392BD7E175580EA3C66FD7B508EE9D8FDE9FEBA1708172BF33B36E2AF8D5952E81B66713D7A513C3FC53E262C
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview: be run in DOS mode....$........sD.R.*.R.*.R.*..C..P.*....S.*._@..a.*._@....*._@..g.*.[j..[.*.[j..w.*.R.+.r.*......*....S.*._@..S.*.R...P.*....S.*.RichR.*.........................PE..L......Z.........."...............................@.................................Jo....@...@.......@.........................|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B.........................................................................................................................................................................................................................................................................................................DaL.....h..C..\...Y...L..h..C..K...Y..N..h..C..:...Y.h..C......Y..<C..

                                                                                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Supervision

                                                                                                                                                          Download File
                                                                                                                                                          Process:C:\Users\user\Desktop\bRlvBJEl6T.exe
                                                                                                                                                          File Type:data
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):140288
                                                                                                                                                          Entropy (8bit):5.233137662978611
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:1536:K+l6JPTcUNx6/xhgariwYLTN3EfrDWyu0uZo2x:n6i/xhgariwYLTNaWy4ZNx
                                                                                                                                                          MD5:9F30E95A4B07C6DE10CBD2361B682751
                                                                                                                                                          SHA1:D01CD024A1AC849E97A5217368AC6C1EB4FE6CDD
                                                                                                                                                          SHA-256:B4873B854CD42B8E5CF792C368043BB24427045FC41B22C6AE977CC342CEC1CF
                                                                                                                                                          SHA-512:A0249A4106CBE0C087906ADB6402B5AD5A536B83676D5AF10258B76A0E64935A3483A988DFA0FC221DAA681E815D2B118A2F094BDBD4E7426B785BA0DA116A90
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview:...........................................................................................................................................r.r.....................................................................................................................................................................................................................r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.!.!.!.!.!.!.!.r.r.r.r.r.r.r.r.r.r.r.r...........r.r.r.r.r.........................)...........................r...........r...r.....r.....r.........................................................................................................................................................................................................................*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r....................................................................................................................................................

                                                                                                                                                          Static File Info

                                                                                                                                                          General

                                                                                                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                          Entropy (8bit):7.978295271509072
                                                                                                                                                          TrID:
                                                                                                                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                          • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                          File name:bRlvBJEl6T.exe
                                                                                                                                                          File size:784'214 bytes
                                                                                                                                                          MD5:4efb38b934e4247c49ac1de662b4fe2c
                                                                                                                                                          SHA1:121fe04be542a55b4ce6716d792e9ce4e8a5c0ae
                                                                                                                                                          SHA256:46b8ec4f65622595233743e8277a2980f69f866e6edd3a2ec610d0f2872a1e5f
                                                                                                                                                          SHA512:8ced1adc480693b2d5daf4013317118c2794c8840d617aa4e30a50fa0b1d8ab5aa3bb2bb2b241c672debb477ee756afcda48e9dc163a5cbb362a5d95f73c50ed
                                                                                                                                                          SSDEEP:12288:AXyWGSXbu0jblSgRI4/8Xg/38hMK6JZB2L7IflVlkKWm9A/Hu5ya/8p/ryr:AXyubu0jbIg8Q8t0yElkKWUGHu5yYoyr
                                                                                                                                                          TLSH:4AF423522200B983EC239A31B5E55BF2BE92B95003C467E72390754C7FB5792EE5F683
                                                                                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN.*_...PN..PO.JPN.*_...PN..s~..PN..VH..PN.Rich.PN.........................PE..L....C.f.................f...".....

                                                                                                                                                          File Icon

                                                                                                                                                          Icon Hash:c610f8e6f8f803c8

                                                                                                                                                          Static PE Info

                                                                                                                                                          General

                                                                                                                                                          Entrypoint:0x40351c
                                                                                                                                                          Entrypoint Section:.text
                                                                                                                                                          Digitally signed:true
                                                                                                                                                          Imagebase:0x400000
                                                                                                                                                          Subsystem:windows gui
                                                                                                                                                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                                                                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                                          Time Stamp:0x660843F3 [Sat Mar 30 16:55:15 2024 UTC]
                                                                                                                                                          TLS Callbacks:
                                                                                                                                                          CLR (.Net) Version:
                                                                                                                                                          OS Version Major:4
                                                                                                                                                          OS Version Minor:0
                                                                                                                                                          File Version Major:4
                                                                                                                                                          File Version Minor:0
                                                                                                                                                          Subsystem Version Major:4
                                                                                                                                                          Subsystem Version Minor:0
                                                                                                                                                          Import Hash:f4639a0b3116c2cfc71144b88a929cfd

                                                                                                                                                          Authenticode Signature

                                                                                                                                                          Signature Valid:false
                                                                                                                                                          Signature Issuer:CN=Sectigo RSA Code Signing CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB
                                                                                                                                                          Signature Validation Error:The digital signature of the object did not verify
                                                                                                                                                          Error Number:-2146869232
                                                                                                                                                          Not Before, Not After
                                                                                                                                                          • 25/03/2021 00:00:00 24/03/2024 23:59:59
                                                                                                                                                          Subject Chain
                                                                                                                                                          • CN="IObit CO., LTD", O="IObit CO., LTD", STREET=45 Renmin South Road, STREET="No. 605, 6th Floor, Unit 1, Building 1", L=Chengdu Shi, S=Sichuan Sheng, PostalCode=610042, C=CN
                                                                                                                                                          Version:3
                                                                                                                                                          Thumbprint MD5:8AD2A09EBDD6E8444414E1FFE7FC9683
                                                                                                                                                          Thumbprint SHA-1:145D90AD3134C665246DC1C93CD3E2D8C69E9231
                                                                                                                                                          Thumbprint SHA-256:12DBEE7AA5DBB550CEEDC6172E5C34BA577759D8926AAFF08A781552B7FABDE9
                                                                                                                                                          Serial:008BA1F172FD50BA8D4C11B74FFAC8A282

                                                                                                                                                          Entrypoint Preview

                                                                                                                                                          Instruction
                                                                                                                                                          sub esp, 000003F8h
                                                                                                                                                          push ebp
                                                                                                                                                          push esi
                                                                                                                                                          push edi
                                                                                                                                                          push 00000020h
                                                                                                                                                          pop edi
                                                                                                                                                          xor ebp, ebp
                                                                                                                                                          push 00008001h
                                                                                                                                                          mov dword ptr [esp+20h], ebp
                                                                                                                                                          mov dword ptr [esp+18h], 0040A2D8h
                                                                                                                                                          mov dword ptr [esp+14h], ebp
                                                                                                                                                          call dword ptr [004080A4h]
                                                                                                                                                          mov esi, dword ptr [004080A8h]
                                                                                                                                                          lea eax, dword ptr [esp+34h]
                                                                                                                                                          push eax
                                                                                                                                                          mov dword ptr [esp+4Ch], ebp
                                                                                                                                                          mov dword ptr [esp+0000014Ch], ebp
                                                                                                                                                          mov dword ptr [esp+00000150h], ebp
                                                                                                                                                          mov dword ptr [esp+38h], 0000011Ch
                                                                                                                                                          call esi
                                                                                                                                                          test eax, eax
                                                                                                                                                          jne 00007FC54C50550Ah
                                                                                                                                                          lea eax, dword ptr [esp+34h]
                                                                                                                                                          mov dword ptr [esp+34h], 00000114h
                                                                                                                                                          push eax
                                                                                                                                                          call esi
                                                                                                                                                          mov ax, word ptr [esp+48h]
                                                                                                                                                          mov ecx, dword ptr [esp+62h]
                                                                                                                                                          sub ax, 00000053h
                                                                                                                                                          add ecx, FFFFFFD0h
                                                                                                                                                          neg ax
                                                                                                                                                          sbb eax, eax
                                                                                                                                                          mov byte ptr [esp+0000014Eh], 00000004h
                                                                                                                                                          not eax
                                                                                                                                                          and eax, ecx
                                                                                                                                                          mov word ptr [esp+00000148h], ax
                                                                                                                                                          cmp dword ptr [esp+38h], 0Ah
                                                                                                                                                          jnc 00007FC54C5054D8h
                                                                                                                                                          and word ptr [esp+42h], 0000h
                                                                                                                                                          mov eax, dword ptr [esp+40h]
                                                                                                                                                          movzx ecx, byte ptr [esp+3Ch]
                                                                                                                                                          mov dword ptr [00429AD8h], eax
                                                                                                                                                          xor eax, eax
                                                                                                                                                          mov ah, byte ptr [esp+38h]
                                                                                                                                                          movzx eax, ax
                                                                                                                                                          or eax, ecx
                                                                                                                                                          xor ecx, ecx
                                                                                                                                                          mov ch, byte ptr [esp+00000148h]
                                                                                                                                                          movzx ecx, cx
                                                                                                                                                          shl eax, 10h
                                                                                                                                                          or eax, ecx
                                                                                                                                                          movzx ecx, byte ptr [esp+0000004Eh]

                                                                                                                                                          Rich Headers

                                                                                                                                                          Programming Language:
                                                                                                                                                          • [EXP] VC++ 6.0 SP5 build 8804

                                                                                                                                                          Data Directories

                                                                                                                                                          NameVirtual AddressVirtual Size Is in Section
                                                                                                                                                          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                                                                                          IMAGE_DIRECTORY_ENTRY_IMPORT0x84fc0xa0.rdata
                                                                                                                                                          IMAGE_DIRECTORY_ENTRY_RESOURCE0x3a0000x1890.rsrc
                                                                                                                                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                                                                                          IMAGE_DIRECTORY_ENTRY_SECURITY0xbab6e0x4be8
                                                                                                                                                          IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                                                                                                                                                          IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                                                                                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                                                                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                                                                                          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                                                                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                                                                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                                                                                          IMAGE_DIRECTORY_ENTRY_IAT0x80000x2a8.rdata
                                                                                                                                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                                                                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                                                                                                          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                                                                                          Sections

                                                                                                                                                          NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                                                                                          .text0x10000x65760x66001e4066ed6e7440cc449c401dfd9ca64fFalse0.6663219975490197data6.461246686118911IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                                                                                          .rdata0x80000x13580x1400f0b500ff912dda10f31f36da3efc8a1eFalse0.44296875data5.102094016108248IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                                                                          .data0xa0000x1fb380x6002e1d49b2855a89e6218e118f0c182b81False0.5026041666666666data4.044293204800279IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                                                          .ndata0x2a0000x100000x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                                                          .rsrc0x3a0000x18900x1a00717af41bcb52dc6df2fff9551871a540False0.34314903846153844data3.878406451504744IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                                                                                                                          Resources

                                                                                                                                                          NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                                                                                                          RT_ICON0x3a1900x1128Device independent bitmap graphic, 32 x 64 x 32, image size 4352EnglishUnited States0.3035063752276867
                                                                                                                                                          RT_DIALOG0x3b2b80x100dataEnglishUnited States0.5234375
                                                                                                                                                          RT_DIALOG0x3b3b80x11cdataEnglishUnited States0.6056338028169014
                                                                                                                                                          RT_DIALOG0x3b4d80x60dataEnglishUnited States0.7291666666666666
                                                                                                                                                          RT_GROUP_ICON0x3b5380x14dataEnglishUnited States1.05
                                                                                                                                                          RT_MANIFEST0x3b5500x33eXML 1.0 document, ASCII text, with very long lines (830), with no line terminatorsEnglishUnited States0.5542168674698795

                                                                                                                                                          Imports

                                                                                                                                                          DLLImport
                                                                                                                                                          ADVAPI32.dllRegEnumValueW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegCreateKeyExW
                                                                                                                                                          SHELL32.dllSHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW, ShellExecuteExW
                                                                                                                                                          ole32.dllCoCreateInstance, OleUninitialize, OleInitialize, IIDFromString, CoTaskMemFree
                                                                                                                                                          COMCTL32.dllImageList_Destroy, ImageList_AddMasked, ImageList_Create
                                                                                                                                                          USER32.dllMessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, CreatePopupMenu, AppendMenuW, TrackPopupMenu, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, IsWindowEnabled, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CharPrevW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, CharNextA, wsprintfA, DispatchMessageW, CreateWindowExW, PeekMessageW, GetSystemMetrics
                                                                                                                                                          GDI32.dllGetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor
                                                                                                                                                          KERNEL32.dlllstrcmpiA, CreateFileW, GetTempFileNameW, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, WriteFile, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, Sleep, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, MulDiv, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, SetEnvironmentVariableW

                                                                                                                                                          Possible Origin

                                                                                                                                                          Language of compilation systemCountry where language is spokenMap
                                                                                                                                                          EnglishUnited States

                                                                                                                                                          Network Behavior

                                                                                                                                                          Network Port Distribution

                                                                                                                                                          TCP Packets

                                                                                                                                                          TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                          May 8, 2024 09:31:29.344923973 CEST49743443192.168.2.423.195.238.96
                                                                                                                                                          May 8, 2024 09:31:29.344953060 CEST4434974323.195.238.96192.168.2.4
                                                                                                                                                          May 8, 2024 09:31:29.345041990 CEST49743443192.168.2.423.195.238.96
                                                                                                                                                          May 8, 2024 09:31:29.357156992 CEST49743443192.168.2.423.195.238.96
                                                                                                                                                          May 8, 2024 09:31:29.357173920 CEST4434974323.195.238.96192.168.2.4
                                                                                                                                                          May 8, 2024 09:31:29.691910982 CEST4434974323.195.238.96192.168.2.4
                                                                                                                                                          May 8, 2024 09:31:29.691982985 CEST49743443192.168.2.423.195.238.96
                                                                                                                                                          May 8, 2024 09:31:29.744905949 CEST49743443192.168.2.423.195.238.96
                                                                                                                                                          May 8, 2024 09:31:29.744923115 CEST4434974323.195.238.96192.168.2.4
                                                                                                                                                          May 8, 2024 09:31:29.745232105 CEST4434974323.195.238.96192.168.2.4
                                                                                                                                                          May 8, 2024 09:31:29.745434046 CEST49743443192.168.2.423.195.238.96
                                                                                                                                                          May 8, 2024 09:31:29.748830080 CEST49743443192.168.2.423.195.238.96
                                                                                                                                                          May 8, 2024 09:31:29.792121887 CEST4434974323.195.238.96192.168.2.4
                                                                                                                                                          May 8, 2024 09:31:30.250761032 CEST4434974323.195.238.96192.168.2.4
                                                                                                                                                          May 8, 2024 09:31:30.250787973 CEST4434974323.195.238.96192.168.2.4
                                                                                                                                                          May 8, 2024 09:31:30.250804901 CEST4434974323.195.238.96192.168.2.4
                                                                                                                                                          May 8, 2024 09:31:30.250895023 CEST49743443192.168.2.423.195.238.96
                                                                                                                                                          May 8, 2024 09:31:30.250910044 CEST4434974323.195.238.96192.168.2.4
                                                                                                                                                          May 8, 2024 09:31:30.251010895 CEST49743443192.168.2.423.195.238.96
                                                                                                                                                          May 8, 2024 09:31:30.411726952 CEST4434974323.195.238.96192.168.2.4
                                                                                                                                                          May 8, 2024 09:31:30.411777973 CEST4434974323.195.238.96192.168.2.4
                                                                                                                                                          May 8, 2024 09:31:30.411787987 CEST49743443192.168.2.423.195.238.96
                                                                                                                                                          May 8, 2024 09:31:30.411798954 CEST4434974323.195.238.96192.168.2.4
                                                                                                                                                          May 8, 2024 09:31:30.411823034 CEST49743443192.168.2.423.195.238.96
                                                                                                                                                          May 8, 2024 09:31:30.411837101 CEST49743443192.168.2.423.195.238.96
                                                                                                                                                          May 8, 2024 09:31:30.440304995 CEST4434974323.195.238.96192.168.2.4
                                                                                                                                                          May 8, 2024 09:31:30.440342903 CEST4434974323.195.238.96192.168.2.4
                                                                                                                                                          May 8, 2024 09:31:30.440376997 CEST49743443192.168.2.423.195.238.96
                                                                                                                                                          May 8, 2024 09:31:30.440385103 CEST4434974323.195.238.96192.168.2.4
                                                                                                                                                          May 8, 2024 09:31:30.440401077 CEST4434974323.195.238.96192.168.2.4
                                                                                                                                                          May 8, 2024 09:31:30.440401077 CEST49743443192.168.2.423.195.238.96
                                                                                                                                                          May 8, 2024 09:31:30.440413952 CEST49743443192.168.2.423.195.238.96
                                                                                                                                                          May 8, 2024 09:31:30.440440893 CEST49743443192.168.2.423.195.238.96
                                                                                                                                                          May 8, 2024 09:31:30.440788984 CEST49743443192.168.2.423.195.238.96
                                                                                                                                                          May 8, 2024 09:31:30.440802097 CEST4434974323.195.238.96192.168.2.4
                                                                                                                                                          May 8, 2024 09:31:30.451261997 CEST497449000192.168.2.465.108.152.56
                                                                                                                                                          May 8, 2024 09:31:30.779889107 CEST90004974465.108.152.56192.168.2.4
                                                                                                                                                          May 8, 2024 09:31:30.780081034 CEST497449000192.168.2.465.108.152.56
                                                                                                                                                          May 8, 2024 09:31:30.780483961 CEST497449000192.168.2.465.108.152.56
                                                                                                                                                          May 8, 2024 09:31:31.110310078 CEST90004974465.108.152.56192.168.2.4
                                                                                                                                                          May 8, 2024 09:31:31.135783911 CEST90004974465.108.152.56192.168.2.4
                                                                                                                                                          May 8, 2024 09:31:31.135798931 CEST90004974465.108.152.56192.168.2.4
                                                                                                                                                          May 8, 2024 09:31:31.135839939 CEST497449000192.168.2.465.108.152.56
                                                                                                                                                          May 8, 2024 09:31:31.164895058 CEST497449000192.168.2.465.108.152.56
                                                                                                                                                          May 8, 2024 09:31:31.494023085 CEST90004974465.108.152.56192.168.2.4
                                                                                                                                                          May 8, 2024 09:31:31.494112015 CEST497449000192.168.2.465.108.152.56
                                                                                                                                                          May 8, 2024 09:31:31.497009993 CEST497449000192.168.2.465.108.152.56
                                                                                                                                                          May 8, 2024 09:31:31.865464926 CEST90004974465.108.152.56192.168.2.4
                                                                                                                                                          May 8, 2024 09:31:32.162692070 CEST90004974465.108.152.56192.168.2.4
                                                                                                                                                          May 8, 2024 09:31:32.162776947 CEST497449000192.168.2.465.108.152.56
                                                                                                                                                          May 8, 2024 09:31:32.392467022 CEST497459000192.168.2.465.108.152.56
                                                                                                                                                          May 8, 2024 09:31:32.721417904 CEST90004974565.108.152.56192.168.2.4
                                                                                                                                                          May 8, 2024 09:31:32.721541882 CEST497459000192.168.2.465.108.152.56
                                                                                                                                                          May 8, 2024 09:31:33.069592953 CEST497459000192.168.2.465.108.152.56
                                                                                                                                                          May 8, 2024 09:31:33.398488998 CEST90004974565.108.152.56192.168.2.4
                                                                                                                                                          May 8, 2024 09:31:33.398776054 CEST90004974565.108.152.56192.168.2.4
                                                                                                                                                          May 8, 2024 09:31:33.398850918 CEST497459000192.168.2.465.108.152.56
                                                                                                                                                          May 8, 2024 09:31:33.536468029 CEST497459000192.168.2.465.108.152.56
                                                                                                                                                          May 8, 2024 09:31:33.538692951 CEST497459000192.168.2.465.108.152.56
                                                                                                                                                          May 8, 2024 09:31:33.867552042 CEST90004974565.108.152.56192.168.2.4
                                                                                                                                                          May 8, 2024 09:31:34.242244005 CEST90004974565.108.152.56192.168.2.4
                                                                                                                                                          May 8, 2024 09:31:34.242360115 CEST497459000192.168.2.465.108.152.56
                                                                                                                                                          May 8, 2024 09:31:34.274626970 CEST497449000192.168.2.465.108.152.56
                                                                                                                                                          May 8, 2024 09:31:34.275043964 CEST497469000192.168.2.465.108.152.56
                                                                                                                                                          May 8, 2024 09:31:34.602979898 CEST90004974465.108.152.56192.168.2.4
                                                                                                                                                          May 8, 2024 09:31:34.603096008 CEST497449000192.168.2.465.108.152.56
                                                                                                                                                          May 8, 2024 09:31:34.603509903 CEST90004974665.108.152.56192.168.2.4
                                                                                                                                                          May 8, 2024 09:31:34.603609085 CEST497469000192.168.2.465.108.152.56
                                                                                                                                                          May 8, 2024 09:31:34.603969097 CEST497469000192.168.2.465.108.152.56
                                                                                                                                                          May 8, 2024 09:31:34.932466030 CEST90004974665.108.152.56192.168.2.4
                                                                                                                                                          May 8, 2024 09:31:34.932687998 CEST90004974665.108.152.56192.168.2.4
                                                                                                                                                          May 8, 2024 09:31:34.932756901 CEST497469000192.168.2.465.108.152.56
                                                                                                                                                          May 8, 2024 09:31:34.933145046 CEST497469000192.168.2.465.108.152.56
                                                                                                                                                          May 8, 2024 09:31:34.934863091 CEST497469000192.168.2.465.108.152.56
                                                                                                                                                          May 8, 2024 09:31:35.263421059 CEST90004974665.108.152.56192.168.2.4
                                                                                                                                                          May 8, 2024 09:31:35.644841909 CEST90004974665.108.152.56192.168.2.4
                                                                                                                                                          May 8, 2024 09:31:35.644865036 CEST90004974665.108.152.56192.168.2.4
                                                                                                                                                          May 8, 2024 09:31:35.644906998 CEST497469000192.168.2.465.108.152.56
                                                                                                                                                          May 8, 2024 09:31:35.644948006 CEST497469000192.168.2.465.108.152.56
                                                                                                                                                          May 8, 2024 09:31:35.646229029 CEST497459000192.168.2.465.108.152.56
                                                                                                                                                          May 8, 2024 09:31:35.646677017 CEST497479000192.168.2.465.108.152.56
                                                                                                                                                          May 8, 2024 09:31:35.976767063 CEST90004974565.108.152.56192.168.2.4
                                                                                                                                                          May 8, 2024 09:31:35.976846933 CEST90004974765.108.152.56192.168.2.4
                                                                                                                                                          May 8, 2024 09:31:35.976958036 CEST497479000192.168.2.465.108.152.56
                                                                                                                                                          May 8, 2024 09:31:35.976959944 CEST497459000192.168.2.465.108.152.56
                                                                                                                                                          May 8, 2024 09:31:35.977267027 CEST497479000192.168.2.465.108.152.56
                                                                                                                                                          May 8, 2024 09:31:36.305816889 CEST90004974765.108.152.56192.168.2.4
                                                                                                                                                          May 8, 2024 09:31:36.306113005 CEST90004974765.108.152.56192.168.2.4
                                                                                                                                                          May 8, 2024 09:31:36.306220055 CEST497479000192.168.2.465.108.152.56
                                                                                                                                                          May 8, 2024 09:31:36.306579113 CEST497479000192.168.2.465.108.152.56
                                                                                                                                                          May 8, 2024 09:31:36.308301926 CEST497479000192.168.2.465.108.152.56
                                                                                                                                                          May 8, 2024 09:31:36.636828899 CEST90004974765.108.152.56192.168.2.4
                                                                                                                                                          May 8, 2024 09:31:37.033458948 CEST90004974765.108.152.56192.168.2.4
                                                                                                                                                          May 8, 2024 09:31:37.033477068 CEST90004974765.108.152.56192.168.2.4
                                                                                                                                                          May 8, 2024 09:31:37.033488035 CEST90004974765.108.152.56192.168.2.4
                                                                                                                                                          May 8, 2024 09:31:37.033513069 CEST90004974765.108.152.56192.168.2.4
                                                                                                                                                          May 8, 2024 09:31:37.033524990 CEST90004974765.108.152.56192.168.2.4
                                                                                                                                                          May 8, 2024 09:31:37.033541918 CEST497479000192.168.2.465.108.152.56
                                                                                                                                                          May 8, 2024 09:31:37.033597946 CEST497479000192.168.2.465.108.152.56
                                                                                                                                                          May 8, 2024 09:31:37.091283083 CEST497469000192.168.2.465.108.152.56

                                                                                                                                                          UDP Packets

                                                                                                                                                          TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                          May 8, 2024 09:29:00.342344046 CEST6512953192.168.2.41.1.1.1
                                                                                                                                                          May 8, 2024 09:29:00.540509939 CEST53651291.1.1.1192.168.2.4
                                                                                                                                                          May 8, 2024 09:31:29.171299934 CEST5210153192.168.2.41.1.1.1
                                                                                                                                                          May 8, 2024 09:31:29.334323883 CEST53521011.1.1.1192.168.2.4

                                                                                                                                                          DNS Queries

                                                                                                                                                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                                                                          May 8, 2024 09:29:00.342344046 CEST192.168.2.41.1.1.10x423cStandard query (0)ekyLBwoLvc.ekyLBwoLvcA (IP address)IN (0x0001)false
                                                                                                                                                          May 8, 2024 09:31:29.171299934 CEST192.168.2.41.1.1.10x48afStandard query (0)steamcommunity.comA (IP address)IN (0x0001)false

                                                                                                                                                          DNS Answers

                                                                                                                                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                                                                          May 8, 2024 09:29:00.540509939 CEST1.1.1.1192.168.2.40x423cName error (3)ekyLBwoLvc.ekyLBwoLvcnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                          May 8, 2024 09:31:29.334323883 CEST1.1.1.1192.168.2.40x48afNo error (0)steamcommunity.com23.195.238.96A (IP address)IN (0x0001)false

                                                                                                                                                          HTTP Request Dependency Graph

                                                                                                                                                          • steamcommunity.com

                                                                                                                                                          Statistics

                                                                                                                                                          Behavior

                                                                                                                                                          Click to jump to process

                                                                                                                                                          System Behavior

                                                                                                                                                          General

                                                                                                                                                          Target ID:0
                                                                                                                                                          Start time:09:28:54
                                                                                                                                                          Start date:08/05/2024
                                                                                                                                                          Path:C:\Users\user\Desktop\bRlvBJEl6T.exe
                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                          Commandline:"C:\Users\user\Desktop\bRlvBJEl6T.exe"
                                                                                                                                                          Imagebase:0x400000
                                                                                                                                                          File size:784'214 bytes
                                                                                                                                                          MD5 hash:4EFB38B934E4247C49AC1DE662B4FE2C
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Reputation:low
                                                                                                                                                          Has exited:true

                                                                                                                                                          General

                                                                                                                                                          Target ID:1
                                                                                                                                                          Start time:09:28:56
                                                                                                                                                          Start date:08/05/2024
                                                                                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                          Commandline:"C:\Windows\System32\cmd.exe" /k move Classics Classics.cmd & Classics.cmd & exit
                                                                                                                                                          Imagebase:0x240000
                                                                                                                                                          File size:236'544 bytes
                                                                                                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Reputation:high
                                                                                                                                                          Has exited:true

                                                                                                                                                          General

                                                                                                                                                          Target ID:2
                                                                                                                                                          Start time:09:28:56
                                                                                                                                                          Start date:08/05/2024
                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Reputation:high
                                                                                                                                                          Has exited:true

                                                                                                                                                          General

                                                                                                                                                          Target ID:3
                                                                                                                                                          Start time:09:28:57
                                                                                                                                                          Start date:08/05/2024
                                                                                                                                                          Path:C:\Windows\SysWOW64\tasklist.exe
                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                          Commandline:tasklist
                                                                                                                                                          Imagebase:0xd30000
                                                                                                                                                          File size:79'360 bytes
                                                                                                                                                          MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Reputation:moderate
                                                                                                                                                          Has exited:true

                                                                                                                                                          General

                                                                                                                                                          Target ID:4
                                                                                                                                                          Start time:09:28:57
                                                                                                                                                          Start date:08/05/2024
                                                                                                                                                          Path:C:\Windows\SysWOW64\findstr.exe
                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                          Commandline:findstr /I "wrsa.exe opssvc.exe"
                                                                                                                                                          Imagebase:0x410000
                                                                                                                                                          File size:29'696 bytes
                                                                                                                                                          MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Reputation:moderate
                                                                                                                                                          Has exited:true

                                                                                                                                                          General

                                                                                                                                                          Target ID:5
                                                                                                                                                          Start time:09:28:58
                                                                                                                                                          Start date:08/05/2024
                                                                                                                                                          Path:C:\Windows\SysWOW64\tasklist.exe
                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                          Commandline:tasklist
                                                                                                                                                          Imagebase:0xd30000
                                                                                                                                                          File size:79'360 bytes
                                                                                                                                                          MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Reputation:moderate
                                                                                                                                                          Has exited:true

                                                                                                                                                          General

                                                                                                                                                          Target ID:6
                                                                                                                                                          Start time:09:28:58
                                                                                                                                                          Start date:08/05/2024
                                                                                                                                                          Path:C:\Windows\SysWOW64\findstr.exe
                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                          Commandline:findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
                                                                                                                                                          Imagebase:0x410000
                                                                                                                                                          File size:29'696 bytes
                                                                                                                                                          MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Reputation:moderate
                                                                                                                                                          Has exited:true

                                                                                                                                                          General

                                                                                                                                                          Target ID:7
                                                                                                                                                          Start time:09:28:58
                                                                                                                                                          Start date:08/05/2024
                                                                                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                          Commandline:cmd /c md 334343
                                                                                                                                                          Imagebase:0x240000
                                                                                                                                                          File size:236'544 bytes
                                                                                                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Reputation:high
                                                                                                                                                          Has exited:true

                                                                                                                                                          General

                                                                                                                                                          Target ID:8
                                                                                                                                                          Start time:09:28:58
                                                                                                                                                          Start date:08/05/2024
                                                                                                                                                          Path:C:\Windows\SysWOW64\findstr.exe
                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                          Commandline:findstr /V "BbcAdvisorsAndaleNowhere" Lease
                                                                                                                                                          Imagebase:0x410000
                                                                                                                                                          File size:29'696 bytes
                                                                                                                                                          MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Reputation:moderate
                                                                                                                                                          Has exited:true

                                                                                                                                                          General

                                                                                                                                                          Target ID:9
                                                                                                                                                          Start time:09:28:58
                                                                                                                                                          Start date:08/05/2024
                                                                                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                          Commandline:cmd /c copy /b Pharmacy + Experiences + Creating 334343\e
                                                                                                                                                          Imagebase:0x240000
                                                                                                                                                          File size:236'544 bytes
                                                                                                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Reputation:high
                                                                                                                                                          Has exited:true

                                                                                                                                                          General

                                                                                                                                                          Target ID:10
                                                                                                                                                          Start time:09:28:58
                                                                                                                                                          Start date:08/05/2024
                                                                                                                                                          Path:C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\334343\Holdem.pif
                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                          Commandline:334343\Holdem.pif 334343\e
                                                                                                                                                          Imagebase:0xaa0000
                                                                                                                                                          File size:893'608 bytes
                                                                                                                                                          MD5 hash:6EE7DDEBFF0A2B78C7AC30F6E00D1D11
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Yara matches:
                                                                                                                                                          • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000A.00000003.3135450130.00000000038AB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000A.00000002.4096902193.00000000011D6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000A.00000003.3135086350.00000000011D7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000A.00000002.4096786614.00000000010B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000A.00000003.3135223602.0000000001141000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000A.00000003.3135523275.00000000013A5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000A.00000002.4097499400.00000000038A1000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000A.00000003.3135596733.0000000001141000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000A.00000003.3135031847.00000000013A5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000A.00000002.4096629893.0000000001006000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                          Antivirus matches:
                                                                                                                                                          • Detection: 100%, Joe Sandbox ML
                                                                                                                                                          • Detection: 7%, ReversingLabs
                                                                                                                                                          Reputation:moderate
                                                                                                                                                          Has exited:false

                                                                                                                                                          General

                                                                                                                                                          Target ID:11
                                                                                                                                                          Start time:09:28:58
                                                                                                                                                          Start date:08/05/2024
                                                                                                                                                          Path:C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                          Commandline:ping -n 5 127.0.0.1
                                                                                                                                                          Imagebase:0xe70000
                                                                                                                                                          File size:18'944 bytes
                                                                                                                                                          MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Reputation:moderate
                                                                                                                                                          Has exited:true

                                                                                                                                                          Disassembly

                                                                                                                                                          No disassembly